Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    7b379458349f338d22093bb634b60b867d7fd1873cbd7c65c445f08e73cbb1f6

  • Size

    143KB

  • Sample

    221223-jwbvnsgb55

  • MD5

    6307838a9cef952321a44cc3e189213e

  • SHA1

    2b3fea431f342c7b8bcff4b89715002e44d662c7

  • SHA256

    7b379458349f338d22093bb634b60b867d7fd1873cbd7c65c445f08e73cbb1f6

  • SHA512

    3b31e14fdfa6ecd33a0086b3db84ac1b0fef97a40cb82115007c69680e201c22bb638af4a4255dd21a2219e1143f1c940b4308d618467d9f0f22b0bab40cf18d

  • SSDEEP

    1536:4uFohxL86e7tnkZXYklWXuiMqeGKPPRxPv8/0JS1CjhSlUUbvF7kFrWyaBvEEUAX:4RhxktIWTMqPKPPH1yUUB4kVUXsB/

Score
10/10

Malware Config

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> 5895F1A733F35BED991FE804E85A4A519A051EACDF0BCD775FB7F35C596AE7 2BE77A91B9092FC9B751B0F827BA5D5CA5D4F4430A0F2B83A86975D2499CD7 D75EB1956C60D0E9E9C1BCF23F285794B2FDAB94105C1108AD58633866E9B8 59625CA695BE49EF8464E3DC7E37E80FD82C06BE49480671D38F153D26D2CC 1D868632537C1990CF622C66387FE2342AF0B1E9F1964A7794504DAE3CF17E 51ADB486D1AC699DD75A143E4B7A6EB08B2C5AA78741088624ABA59F243992 9998F02572D93B68F7ABE0737B3A20E614EE12A6DBBEBFA3F8E27C831F9352 C8B6B8CD085446814BA90529BC74267BAED44762C02A7D89D149B318D8C8DC 6C8EC77C5521AAA20771CE6499F24FB2F9B8729683AE97F203957F70E84DB5 7BCD23E7739A6D3BAC0CC7F3942FC09E17FAB4A0D7B27F6DB65CB46B47BC8B FEC0E4AF966DC0D0B14378D5EE8344F82B098CD40FA2FE10C10DABB179F992 5C9BA271ED4413F9E810C50099C0F5ECD65FE8B8921A4D6AF4E2CF5A9099C4 849414D64FAA9782F37627F53D30BA80449AD6F23874EF09231FF597F30483 96A19C4B31C1DFF15770D0173A7C61D2805C116C47B784FA5E3EAFE73AF35F EB55748537DF013E9E61CA717BFCAC4DF971ED9ECC9C5F489BADB8C2C35B2E 3C01053414F8B74DE7C6B861CC327FB7ECD2652E0C673B518ED81FD401279A 96CE6E559B18CFADA49C2B7EA9C640FBB0A92AECA1F62DD0EE8BC9B704AD82 ED105F4192A049374B5D6CF35E99CCA2A0076D0AFE21063E897A22B846C569 6D849BECC3B74C199C1834FA1CDDFEF3280E59AF96D4E193726CA61D86EDAD AF71C40A68A1EE135AD6323B1E3BCEF53B0A1299EB7A3804EEFF65C272A6CB 7BAAE8594879EC0938BAEF9E8A5DEAD8E47A3939E6D6439EAC7F3EA2A3087A 7523320D698D94E4E992CC569FCF7FDA1733AF51D4FAABB541556897DF4601 788F1FC9E4A7A39B02A827902B2764691CFBFAE857A4346019D860BE87CAC8 3B412FAAF4FF95D19A142D01968A9F4C32D2A37E80ADF361B638E0F597B9A0 D5DA3DDF31BE2A3B516D4BF6EE979E755ADEDD4D4A3BE241EB68253C047CCB 0CA073D742F3CE5B9A6ADD7E3E2EFF1BBE14E965CAFFDF2B2376F3168CE81D 3401
Emails

<h2>[email protected]</h2>

<h2>[email protected]</h2>

Extracted

Path

C:\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> F53CA982CBFF028296099233D4A852597EDD72E851B5C651F18A07F7862BFA 82AE1A76E22F5934AF2868BA98C25948DBD42282151F7E8BE75259D8B812D5 16AEE49B3E081FDDDEC5760E01820D175735B4124EF828F669699409202894 A79DE559FF2B3761BE59DF6B3E2727A30CBA11985A2A09A82816EA8C9F7BB1 F3917635895D31EAC5F32144107FF2F50618E2254A62DD76648165CF39F497 1489AC980B41FDA39A06B294AEC8D2EED20C39D258FA31239BA4C1F4BA47EB F8755BEF2A88410D6B9EE494A4EE88CAD588B703024EFFCD249EF0DF1ED4BE 49ECBD6CA9EC907201C50E11B7C84568D2F0612073032D23079EB3EA974597 6B56D07513F90F13456045C8163B5BE2EEEEE07BEFCA5C2CDA75623938CCCB 87E4845EDF3482DB9F720F1A38BC26FAA508D98BC230C6984BF87BB5475766 78DCB87EFEF1DFE543E01005C5FD0DC125671B0B7D040A76E514C7D26D93C5 092D4165169474C49D9BDC1C40E1996A56BF180A34A55BE2B1668EC3E2BD61 E8F2CE333D8D51DD100482FBCF34AAF6E7AB484AA365D92142426C43C7AA30 4D3623138C3AFAEA22095513D823626C7B1802B1CC1D13BFFF0B08DDEE0DD4 72889413E557BEDC606D038F35E82B8B07D2EE129A8B98EA181B33CFA8230C 17B6036679E4BDF910C4E423E2F56BC86A0340C4765BA4424CBB5AABC7A37E FF673EC7901297355B5F522C18E1D8839FB5CEC5B8C2A2BED626974B03D7BC 9DC8E98900D649AA99639062AB4EA9B27C48A16E9D000B99797C857D14A767 CDB05E1042C94ACE612BBF00C0D559BD9ACAE60EAC655A7B769679E3E0136B 440564422279438621D32E362C98A9C4FE2786160D49AD61A5360653266CE6 3D658FA8E831653DCCA3D249C8019C2414A4339C9CE6D7839733FC8A919B3D B3702ED2308F49FE84C6E684B4D7E6CEA023E437D5FC9D1ABFE36C4C1DF842 7CA11DA5C62811A134190F75E233BFDE6B2E165FE2EA5A61CA9513098E30CF 41875BB0F26BFAC0C1EE2569BD96BDD4316B9BEA7783329C6649BC2171A936 998E70ACBEF4B16BE95956BAFBA5F1680650743627465B7D7CEC745685B691 7F613FF37FDD60A4C0A42FC9A276FC15210118B014AB17BB0F476FB94C96BD F701
Emails

<h2>[email protected]</h2>

<h2>[email protected]</h2>

Targets

    • Target

      7b379458349f338d22093bb634b60b867d7fd1873cbd7c65c445f08e73cbb1f6

    • Size

      143KB

    • MD5

      6307838a9cef952321a44cc3e189213e

    • SHA1

      2b3fea431f342c7b8bcff4b89715002e44d662c7

    • SHA256

      7b379458349f338d22093bb634b60b867d7fd1873cbd7c65c445f08e73cbb1f6

    • SHA512

      3b31e14fdfa6ecd33a0086b3db84ac1b0fef97a40cb82115007c69680e201c22bb638af4a4255dd21a2219e1143f1c940b4308d618467d9f0f22b0bab40cf18d

    • SSDEEP

      1536:4uFohxL86e7tnkZXYklWXuiMqeGKPPRxPv8/0JS1CjhSlUUbvF7kFrWyaBvEEUAX:4RhxktIWTMqPKPPH1yUUB4kVUXsB/

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks