General

  • Target: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
  • Size: 718KB
  • Sample: 221226-m3htcacg89
  • MD5: d7a24de75b761cb98f580dafda4ba885
  • SHA1: 86dc51cfc817937f9525b8aa2fa71e918288a44d
  • SHA256: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
  • SHA512: c3fd50a296b4d251a614816756eb17632779c0ef0e72826d9d276ccae8b1689ca0523a22027509ce20bf125f858f713b08967ae55501c457bc9d8fca956b0e9e
  • SSDEEP: 12288:YuLRIEFPULfzlsH5HCSSv5zEWptZ/Vlt:YeRIEF6zlsu5AWptRVlt

Malware Config

Extracted

Path: C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note:
YOUR WHOLE NETWORK HAS BEEN PENETRATED BY Black Hunt ! We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation! Restore your data possible only buying private key from us ATTENTION remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums Remain all of your files untouched, do not change their name, extension and... CONTACT US Your system is offline. in order to contact us you can email this address [email protected] this ID ( fTzI0OtPuLCVZME3 ) for the title of your email. If you weren't able to contact us whitin 24 hours please email: [email protected] Check your data situation in http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

URLs: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Extracted

Path: C:\ProgramData\#BlackHunt_ReadMe.hta

Ransom Note:
YOUR WHOLE NETWORK HAS BEEN PENETRATED BY Black Hunt ! We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation! Restore your data possible only buying private key from us ATTENTION remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums Remain all of your files untouched, do not change their name, extension and... CONTACT US Your system is offline. in order to contact us you can email this address [email protected] this ID ( u5xdXjHizdoubvsA ) for the title of your email. If you weren't able to contact us whitin 24 hours please email: [email protected] Check your data situation in http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

URLs: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Targets

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks