Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

15/02/2022, 03:50

220215-ed4qhsafe5 10

15/02/2022, 02:39

220215-c5e55acbcm 10

General

  • Target

    53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

  • Size

    129KB

  • Sample

    220215-ed4qhsafe5

  • MD5

    ed2fd6050340ecc464621137c7add3ad

  • SHA1

    07adc67a3c72e76127ced9c0d72cea32b40d5c55

  • SHA256

    53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62

  • SHA512

    b8aff1b7953baf328f3b076afe81318c940925d71bbfec70987b5c9cc660baba747166506e453b88aa8212a887229cfa4e01c85d157d0b1a051c8e3ad0813e44

Malware Config

Extracted

Path

C:\Users\Admin\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: CAR8FNNCXM All files on Carone and Company Inc network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition to encryption, we downloaded 700 gb of data from your network, which, if we do not negotiate, could fall into the hands of third parties and cause damage to your reputation. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://jnjorcburoayrwfrmnq3czngju76wdjyuyufqaep6joutvidohuh24ad.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �
URLs

http://jnjorcburoayrwfrmnq3czngju76wdjyuyufqaep6joutvidohuh24ad.onion/contact

Targets

    • Target

      53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62.exe

    • Size

      129KB

    • MD5

      ed2fd6050340ecc464621137c7add3ad

    • SHA1

      07adc67a3c72e76127ced9c0d72cea32b40d5c55

    • SHA256

      53d606ea6cea8fba9ca4fdd1af411c1212ad20678cd22a43697c4b8e9b371f62

    • SHA512

      b8aff1b7953baf328f3b076afe81318c940925d71bbfec70987b5c9cc660baba747166506e453b88aa8212a887229cfa4e01c85d157d0b1a051c8e3ad0813e44

    • TargetCompany

      Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks