Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.bin.exe

  • Size

    225KB

  • Sample

    221016-y3t26aabe4

  • MD5

    0e8476b3c4099a42baca7f16ca8253e6

  • SHA1

    e044edce8646124ddc39906e6fb6f02eaff16161

  • SHA256

    ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

  • SHA512

    afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

  • SSDEEP

    6144:hRAvJmXbQwAPnZXJAc4V50DErB5xgTw7ozFz254W:hRAxebQwAPAkDWGcoxfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype live:.cid.2eb1968719a82d39</strong><br><br>s80wjEQVP1lU6JkyuLp43JwVoUEo13afb2Uoc52uCRcebFsmXDdsBAsD4Ec6bjqF ntAijo6WuyN8w8ZYLOuxwFb8qXa/4JMm5B9gPxslzhoIbvoTAgq8yoKLIf+MrIAg SVbzsHqlLbSrUJf7tNa4cs4rUlckstyxlFJDsvzkafr3iMsQdqbWpHG9i90ttN3k 3w/mZshBj9vbSjK435ojCxu9v+QcvN/yojMsWQtb1uts8mKibQo4uFfdukMtKgrj H7o6Ewu8dex1goGoZqLfgWPih+OvMAgQvYp+IaalzIWHCh9v1fmRQQPF15X7xb6m eo+vvs8Q0kOkaheZZ4/XXvTT+vFwymckT/s33+bksOOysFlSrmUaXvSi4Prp8NnP mXQk+KXfC+qb5qFZS2FveuvPnfHuQIneLaA0lOb7huSYPFdFxXWKnKMjVXTc65Tr o17+nbc74WNiPAqwZiJDRwKsjz1nRBpIiuLOUKiwTxzGXjB5kTH5V9SWqK3QvLiv rZw4yxyB9u0jUiF26SjZfTVDMQYHS2ddKPaWmHzM3ykH72yzLOgmiSB7RNO0cvY6 +z3nUg9qsxwe14mgJSqOpbaBsAPntFWVaAOXfhZOJ59BrWRX/+E6r6fEe0LuswAQ tTa3d+NZgg== </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\6414290911972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected] skype live:.cid.2eb1968719a82d39
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b.bin.exe

    • Size

      225KB

    • MD5

      0e8476b3c4099a42baca7f16ca8253e6

    • SHA1

      e044edce8646124ddc39906e6fb6f02eaff16161

    • SHA256

      ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b

    • SHA512

      afeeda4d83a38e0ef3307fac88a63ed197a305501c84622151e07be17bd38d8d07ff91c36c832f5574c86165573940258c0d18f681e8346bf869089891b1021a

    • SSDEEP

      6144:hRAvJmXbQwAPnZXJAc4V50DErB5xgTw7ozFz254W:hRAxebQwAPAkDWGcoxfW

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks