General

  • Target

    068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

  • Size

    147KB

  • Sample

    230112-qc385sga56

  • MD5

    75256873a03f4a4bc073185f48c1097c

  • SHA1

    e9023061def67ba21c09826fadc1607fd7f71d88

  • SHA256

    068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd

  • SHA512

    4b718093ad42d7b7b72498dfcbcfd1b39c980ef44e999b7035e6bfe6b782aad6b7553832f1efee45003d9b0c56bf2e408ca55082c550ac4faa19f199f366dede

  • SSDEEP

    3072:s6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0dj:s6gDBGpvEByocWetdHZ/fgKF0

Malware Config

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note
~~~ XeqtR Ransomeware The world's fastest ransomware ~~~ >>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest. We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email [email protected]

Targets

    • Target

      068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd
    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks