General

  • Target: ZagreuS.Ransom_se.bin.exe
  • Size: 803KB
  • Sample: 230306-yktcxaeb5y
  • MD5: 99885a3cd64212e5d210c9db4bcae5b1
  • SHA1: 806d2c572e6b247a6d899ad4af840ecbf1f968f6
  • SHA256: 537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba
  • SHA512: f6b5ad9d4bd9c797a1b27c6c078d2a605cd24be6fbcb30016a0b81d00081d6695b29b0ab4bc9e66438eb3769c51df9920d9da8d6260cbc45c52cfb140fea0ab0
  • SSDEEP: 12288:bDCpAivL03RuebsXkA4uHP/LoyP2VNp6DHpeH+vJxbLWXKy1ypdQhjE+FwSoh:n2ghuebsYuHP/syP+WpeH+zLuBhQSoh

Malware Config

Extracted

Path: C:\Users\Admin\Videos\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note:
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $980 worth of bitcoin to wallet: bc1qzpa3j6qse5xfxft2xy7h2phq04wq9pk66lllz5 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: l9rsxWQ4FQj+KtDUMBLxCV3reEul4MJnpemRj1HM1dM8LYtOqfb5G3vuZQTz8NIMD3Qi5VD1o2nos69sHnCZiYw/ZMYwd47k/BDHsXN1o0KxjaulXWd4aL8M4hpIn6TG3z/ms4zA3Y+0h92tSeW3FfKFRsA2nZKVUZkXvCBe9kw=

Targets

    • Target: ZagreuS.Ransom_se.bin.exe (803KB; hashes as listed under General above)

    • UAC bypass

    • Deletes shadow copies
      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files
      Ransomware generally changes the extension on encrypted files.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
