General
Target: 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil
Size: 122KB
Sample: 230514-jfhchsbb42
MD5: 38bb6d3370e91deee960c8aeb6b0a50e
SHA1: ba9e23c4f6e7435e90e92ffef836386053c04ca3
SHA256: 8ece3ce00a84b7365b96487f215cbbea379a8df57ed7c23a2add8758858fba6e
SHA512: 532b5f6d68b2526250d1c307cf265b84985ce4c4bc4b00a3c6c05edb051bcc6fa06b64c987de1279746a2c5d91c951aa6c4820546cf2985a1e6d608c0a011b22
SSDEEP: 1536:hxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6UdSJOfTo4QVvA3T2+g:hMhQNDEtb3AirfTz0vAVR/6
Behavioral tasks
behavioral1: Sample 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe, Resource win7-20230220-en
behavioral2: Sample 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil.exe, Resource win10v2004-20230220-en
Malware Config
Extracted
Ransom note path: C:\Recovery\yq7er5k-readme.txt
URLs:
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5EB7190918517BE
http://decoder.re/A5EB7190918517BE
The .onion payment portal and the decoder.re clearnet address share the path segment A5EB7190918517BE, the per-victim identifier the note directs the victim to present on the payment site. Block or alert on both hosts, not only the .onion one, since the clearnet mirror is what a victim without Tor will reach for.
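The extracted config above is the raw material for IOCs. As an added example (not part of the tria.ge report and not code from the sample), the following Python parses a REvil-style note into hunting artefacts: the appended file extension derived from the note name (REvil names the note <ext>-readme.txt, where <ext> is the suffix it gives encrypted files), the payment portals, and the per-victim key they carry. The note body is constructed for the example; only the URLs, the note path and the extension come from the report.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# From the report: the ransom-note path the config extractor recovered.
NOTE_PATH = r"C:\Recovery\yq7er5k-readme.txt"

# Constructed note body for this example (wording is an assumption modelled on
# the usual REvil layout; only the URLs and the extension are from the report).
NOTE_TEXT = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable.
You can check it: all files on your system has extension yq7er5k.
[+] How to get access on website? [+]
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5EB7190918517BE
If TOR blocked in your country, try to use VPN! But you can use our secondary website:
b) Open our secondary website: http://decoder.re/A5EB7190918517BE
See also: https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
"""

NOTE_NAME_RE = re.compile(r"^([0-9a-z]+)-readme\.txt$", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")
VICTIM_KEY_RE = re.compile(r"^[0-9A-F]{16}$")


def extension_from_note_name(path: str) -> str | None:
    """REvil names its note '<ext>-readme.txt'; <ext> is the suffix appended to
    encrypted files, so the note path alone yields the extension to hunt for."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = NOTE_NAME_RE.match(name)
    return m.group(1) if m else None


def extract_urls(text: str) -> list[str]:
    """All http(s) URLs in the note, first-seen order, trailing punctuation stripped."""
    seen: set[str] = set()
    urls: list[str] = []
    for u in URL_RE.findall(text):
        u = u.rstrip(".,;:!")
        if u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


def victim_key(url: str) -> str | None:
    """The 16-hex-digit last path segment REvil portals use as the per-victim identifier."""
    path = urlparse(url).path.strip("/")
    if not path:
        return None
    seg = path.split("/")[-1]
    return seg if VICTIM_KEY_RE.match(seg) else None


def build_iocs(note_path: str, note_text: str) -> dict:
    """Split the note's URLs into payment portals (carrying a victim key) and the rest."""
    def is_onion(u: str) -> bool:
        return (urlparse(u).hostname or "").endswith(".onion")

    urls = extract_urls(note_text)
    portals = [u for u in urls if victim_key(u)]
    return {
        "note_path": note_path,
        "encrypted_extension": extension_from_note_name(note_path),
        "victim_keys": sorted({victim_key(u) for u in portals}),
        "onion_portals": [u for u in portals if is_onion(u)],
        "clearnet_portals": [u for u in portals if not is_onion(u)],
        "other_urls": [u for u in urls if u not in portals],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(NOTE_PATH, NOTE_TEXT), indent=2))
```

The blog .onion address (no key in its path), the Tor Project link and the coveware article land in other_urls; only the two addresses carrying A5EB7190918517BE are treated as portals, so the clearnet decoder.re mirror is caught alongside the .onion one.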
Targets
Target: 2023-05-13_38bb6d3370e91deee960c8aeb6b0a50e_revil (122KB; hashes as listed under General)
Score: 10/10
Modifies Windows Firewall
Changes the Windows Firewall configuration.
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
Adds Run key to start application
Persistence through a value under a CurrentVersion\Run key.
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry
Writes the wallpaper value under HKCU\Control Panel\Desktop, typically to display the ransom demand.
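The five signatures above are behavioural, so they can be re-derived from endpoint telemetry rather than only from the sandbox. As an added example (not tria.ge's signature engine and not code from the sample), the following Python evaluates the same five behaviours over constructed Sysmon-style events and cross-checks the extension appended to renamed files against the extension in the ransom-note name. Field names, paths, the Run value name, the wallpaper file and the netsh command line are assumptions; the note path and the yq7er5k extension come from the report.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed telemetry in a loose Sysmon/EDR shape; the field names are an
# assumption for this example, not a real schema. Paths, the Run value name,
# the wallpaper file and the netsh command line are invented; the note path
# and the yq7er5k extension come from the report.
EVENTS = [
    {"type": "process", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Local\Temp\sample.exe"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\victim\AppData\Local\Temp\wallpaper.bmp"},
    {"type": "file_read", "path": "D:\\"},
    {"type": "file_read", "path": "E:\\"},
    {"type": "file_rename", "src": r"C:\Users\victim\Documents\q1.xlsx",
     "dst": r"C:\Users\victim\Documents\q1.xlsx.yq7er5k"},
    {"type": "file_rename", "src": r"D:\share\plan.docx", "dst": r"D:\share\plan.docx.yq7er5k"},
    {"type": "file_rename", "src": r"D:\share\photo.jpg", "dst": r"D:\share\photo.jpg.yq7er5k"},
    {"type": "file_rename", "src": r"E:\backup\db.bak", "dst": r"E:\backup\db.bak.yq7er5k"},
    {"type": "file_create", "path": r"C:\Recovery\yq7er5k-readme.txt"},
]

FIREWALL_RE = re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^([A-Z]):\\?$", re.IGNORECASE)
NOTE_NAME_RE = re.compile(r"\\([0-9a-z]+)-readme\.txt$", re.IGNORECASE)

MIN_RENAMES = 3  # assumption: files that must gain the same new suffix before it counts as mass re-extension


def new_suffix(src: str, dst: str) -> str | None:
    """'a.docx' -> 'a.docx.yq7er5k' yields 'yq7er5k'; any other rename is not an appended extension."""
    if dst.startswith(src + "."):
        tail = dst[len(src) + 1:]
        if tail and "\\" not in tail:
            return tail
    return None


def evaluate(events: list[dict]) -> dict:
    """Map raw events onto the report's signature names and collect the evidence for each."""
    hits: dict[str, list[str]] = {}
    suffixes: Counter[str] = Counter()
    drives: set[str] = set()
    note_ext = None

    def hit(name: str, evidence: str) -> None:
        hits.setdefault(name, []).append(evidence)

    for e in events:
        t = e["type"]
        if t == "process" and FIREWALL_RE.search(e["cmdline"]):
            hit("Modifies Windows Firewall", e["cmdline"])
        elif t == "registry":
            if RUN_KEY_RE.search(e["key"]):
                hit("Adds Run key to start application", f'{e["key"]} = {e["value"]}')
            if WALLPAPER_RE.search(e["key"]):
                hit("Sets desktop wallpaper using registry", f'{e["key"]} = {e["value"]}')
        elif t == "file_read":
            m = DRIVE_ROOT_RE.match(e["path"])
            if m and m.group(1).upper() != "C":  # root reads on drives other than C:
                drives.add(m.group(1).upper())
        elif t == "file_rename":
            s = new_suffix(e["src"], e["dst"])
            if s:
                suffixes[s] += 1
        elif t == "file_create":
            m = NOTE_NAME_RE.search(e["path"])
            if m:
                note_ext = m.group(1)

    for d in sorted(drives):
        hit("Enumerates connected drives", f"{d}:\\")
    ext, n = suffixes.most_common(1)[0] if suffixes else (None, 0)
    if n >= MIN_RENAMES:
        hit("Modifies extensions of user files", f".{ext} appended to {n} files")

    return {
        "signatures": hits,
        "extension": ext if n >= MIN_RENAMES else None,
        "note_extension": note_ext,
        "note_matches_extension": bool(note_ext) and note_ext == ext,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(EVENTS), indent=2))
```

The extension check deliberately requires the same suffix on several files rather than one rename: a single rename is routine, a shared new suffix across drives is the ransomware pattern, and the note name confirming that suffix closes the loop between the "Modifies extensions of user files" signature and the ransom-note path in the config.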