Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

  • Size

    225KB

  • Sample

    221018-q6r3zagac7

  • MD5

    eae3f9f84a8b6756db599963aa4f49d1

  • SHA1

    c40909226c102ceb3cf97e9037c590f1623af013

  • SHA256

    0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028

  • SHA512

    dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602

  • SSDEEP

    6144:pROGJmXiQwAP5GXJHcTV50DErd5xgTw7ozFz254W:pROYeiQwAIHLD6GcoxfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>tox:9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8<br>jabber:[email protected]</strong><br><br>VuXokCcRnGJ2yw1dZ6DSt2jUohdnWW8KeowQwBbwdk7wARjPe+d30uevttyHMflR cX9/hcqhmWo/pHxNWKV+d8L8knMWRqxHVV6fs7GhER9U7hUlT2z1gKh9G2XVCCwR 1jPkAGWhsMBySLy+O9iVwwFipgVOnbcXsa/yzQixONEkJtoHVkotigpAW7zTR7ez Ejsw7SmtkSVWf8s77lUtqn0D8PKHIaUWmBSSJ+bxYuXJeqT5LI2eiDDOOM+fS+FQ kfbddqrAIJrRXWqI8AjEjEvrQgkE33LR2XPwlffyMNufN1sTJ4YX0kF+0evJKTdW 8LIiKKcCHBvnQm2npEyZqmElCZSrBsacGVlc8HVK2qvuOqd1H2YM/f5nKam77uQK Ch8/DJAsFdWAMQJjPaD4Nuukk9HwynamHd/+wQSRou4698HrDtxR/894LzhtB3bW lSwk5/l7fnAqx5eQheyzbdWblVeFZUL5SX6nrAgbzLPSp1rz/cwfWGVMn280YeIX U5Z7ntHPXBoCPUSD1M9lFuLmRNTGNvY9jpslx/7iF/Nj3p06P2/hXh6GEkPirUTt eSJSHB7FZ4O6POr7E2jVqTo/aYkVpqh95U6XOE1nROEDkNECxFv2t14oBXQUoppv ZeXXPSKZPjEIo0+Q </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>tox:9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8<br>jabber:[email protected]</strong><br><br>VuXokCcRnGJ2yw1dZ6DSt2jUohdnWW8KeowQwBbwdk7wARjPe+d30uevttyHMflR

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\5415296051972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] tox:9DA3D60F51FB83B539BA0CC79B6D4BE83003F8E7A294B531B6EA05102486855ADEEFFF5A90C8 jabber:[email protected]
Emails

email:[email protected]

jabber:[email protected]

Targets

    • Target

      0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028.exe

    • Size

      225KB

    • MD5

      eae3f9f84a8b6756db599963aa4f49d1

    • SHA1

      c40909226c102ceb3cf97e9037c590f1623af013

    • SHA256

      0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028

    • SHA512

      dddcee2f12c1a0d8f0dd9a95e4b8f0841519361880d280beab3befd4afcebdecc9b8a32b1aedb9b9f542a22f6dc7c00af3afff93a0dc588f80d6a292a5a96602

    • SSDEEP

      6144:pROGJmXiQwAP5GXJHcTV50DErd5xgTw7ozFz254W:pROYeiQwAIHLD6GcoxfW

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks