General
Target: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1
Size: 280KB
Sample: 220625-lww7qafedq
MD5: 61b57f81ee04299f8ba3c16d15505363
SHA1: 13001b7875921a5ec553f11cc7c2e2f129179ef9
SHA256: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1
SHA512: ce9326ae5cf48a739ea1b373e4f926804f07ded2bd476400474885c2548f3b56f5f33af2b193e6dbe1d6f5666c1ec506a8a80268582770cbb35b97e1e8a9b78e
Static task: static1
Behavioral task: behavioral1
  Sample: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_ReCoVeRy_+cekqr.txt
Family: teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/91FD58431223EEE6
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/91FD58431223EEE6
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/91FD58431223EEE6
http://xlowfznrg4wf7dli.ONION/91FD58431223EEE6
Extracted from: C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_ReCoVeRy_+cekqr.html
Extracted from: C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_ReCoVeRy_+vqnhc.txt
Family: teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A32F763A7DF42F5
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/A32F763A7DF42F5
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/A32F763A7DF42F5
http://xlowfznrg4wf7dli.ONION/A32F763A7DF42F5
Extracted from: C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_ReCoVeRy_+vqnhc.html
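The extracted config above is just the payment URLs pulled out of the two ransom notes, and the useful structure is that every URL in a note ends in the same path component (91FD58431223EEE6 in one note, A32F763A7DF42F5 in the other), which is the per-victim ID the operator uses to look up the key. The script below is an added example, not tria.ge's extractor or anything from the TeslaCrypt sample: it recognises the `_ReCoVeRy_+` note filename, pulls the URLs out of a note body, checks that they agree on one victim ID, separates the .onion host from the clearnet ones so they can be blocked in the right place, and groups the results by the user SID that owns the note. The note bodies are constructed stand-ins (only the URLs and paths come from the report), and the five-letter lowercase suffix in the filename regex is an assumption generalised from the two names on this page.

```python
import re
import ntpath
from urllib.parse import urlparse

# Constructed sample notes: the paths and the four payment URLs per note are the
# ones the report above lists; the surrounding sentences are stand-in text, not
# a copy of the real note body.
SAMPLE_NOTES = {
    r"C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\_ReCoVeRy_+cekqr.txt": """\
Your personal files are encrypted. To get the key, open one of these links:
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/91FD58431223EEE6
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/91FD58431223EEE6
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/91FD58431223EEE6
If none of them work, use the Tor address:
http://xlowfznrg4wf7dli.ONION/91FD58431223EEE6
""",
    r"C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_ReCoVeRy_+vqnhc.txt": """\
Your personal files are encrypted. To get the key, open one of these links:
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/A32F763A7DF42F5
http://gfkuwflbhsjdabnu4nfukerfqwlfwr4rw.ringbalor.com/A32F763A7DF42F5
http://oehknf74ohqlfnpq9rhfgcq93g.hateflux.com/A32F763A7DF42F5
http://xlowfznrg4wf7dli.ONION/A32F763A7DF42F5
""",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Note filename pattern. The five-letter lowercase suffix is an assumption
# generalised from the two names in the report (cekqr, vqnhc).
NOTE_NAME_RE = re.compile(r"^_ReCoVeRy_\+[a-z]{5}\.(txt|html)$")


def is_recovery_note(path):
    """True if a Windows path names a TeslaCrypt-style _ReCoVeRy_+ note."""
    return NOTE_NAME_RE.match(ntpath.basename(path)) is not None


def extract_indicators(note_text):
    """Pull payment URLs out of a note body and derive the victim ID they share.

    hostname() lowercases, so the .ONION host is normalised to .onion. victim_id
    is set only when every URL carries the same non-empty path ID; a note whose
    URLs disagree is flagged with victim_id=None for manual review.
    """
    urls = URL_RE.findall(note_text)
    hosts, ids, onion = [], [], []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        hosts.append(host)
        vid = parsed.path.strip("/")
        if vid not in ids:
            ids.append(vid)
        if host.endswith(".onion"):
            onion.append(host)
    victim_id = ids[0] if len(ids) == 1 and ids[0] else None
    return {"urls": urls, "hosts": hosts, "ids": ids,
            "victim_id": victim_id, "onion_hosts": onion}


def triage_notes(notes):
    """Map victim ID -> indicators for every recognised note, with the owning SID."""
    by_victim = {}
    for path, text in notes.items():
        if not is_recovery_note(path):
            continue
        ind = extract_indicators(text)
        # Notes land in C:\$Recycle.Bin\<SID>\, so the parent directory is the SID.
        ind["sid"] = ntpath.basename(ntpath.dirname(path))
        ind["path"] = path
        by_victim[ind["victim_id"]] = ind
    return by_victim


def clearnet_hosts(notes):
    """Sorted union of non-.onion payment hosts across all notes, for DNS/proxy blocking."""
    hosts = set()
    for ind in triage_notes(notes).values():
        hosts.update(h for h in ind["hosts"] if not h.endswith(".onion"))
    return sorted(hosts)


if __name__ == "__main__":
    for vid, ind in triage_notes(SAMPLE_NOTES).items():
        print(vid, ind["sid"], ind["hosts"])
    print(clearnet_hosts(SAMPLE_NOTES))
```

Two notes with two different victim IDs under two different SIDs is exactly what this report shows: one infection per behavioral task, each generating its own ID. The .onion host is kept apart from the clearnet hosts because a corporate resolver or proxy blocklist never sees Tor names; that host belongs in a Tor-egress detection instead.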
Targets
Target: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1
Size: 280KB
MD5: 61b57f81ee04299f8ba3c16d15505363
SHA1: 13001b7875921a5ec553f11cc7c2e2f129179ef9
SHA256: 398a2a77f0399f0847d224921c35af02502f20579a1d3a5c4641fe158f0354e1
SHA512: ce9326ae5cf48a739ea1b373e4f926804f07ded2bd476400474885c2548f3b56f5f33af2b193e6dbe1d6f5666c1ec506a8a80268582770cbb35b97e1e8a9b78e
- TeslaCrypt, AlphaCrypt: ransomware that presented itself to victims as CryptoLocker but was a separate family. The operators shut it down in 2016 and released the master decryption key.
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext