General

  • Target

    2023-06-05_9d8e89b9385730b406a3a1aca542568d_neshta_wannacry

  • Size

    877KB

  • Sample

    230606-jyhq1adc4t

  • MD5

    9d8e89b9385730b406a3a1aca542568d

  • SHA1

    e681e7b38ddfcfecc5574b893b30ba5744c04bb9

  • SHA256

    2bbff41fc9130ce1d19babdbe120a44a4d3c40d08b6ffd0edc65a3a71da41ebf

  • SHA512

    4a947d095d2c463292e9e8f67497e3d73fb63721a3e1aef83f93f617381b7b4dc951e9dc27b0a46e5b724446dd8d18ab0e69cb92849e644154ce4ee4c2bbd790

  • SSDEEP

    12288:VNsvP/BulDVh+OqcAJCDSnuvVjt7wce7KpTOpdBdNd9Rkv9i2cNJoWg+h6/j/dxX:haNu/iJNolNQ+00

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\How to Recovery.bat

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
To be sure that we have a decryptor and it works, you can decrypt one file for free. But this file should be of not valuable!
Attention do not try to decrypt the times, they may break and we will not be able to decrypt it.
-----------------------------------Note--------------------------------------------------------------
You have only 72 hours from the moment when an encryption was done to purchase an unique private key.
$1000 for the payment
1. First You need to Payment on BTC Address:-
2. BTC Address:- 33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP
3. Email:- [email protected] and [email protected]
4. And if you Payment complete then Send me proof with your id
5. In message please write your ID and wait your answer. (D38B065D520F2AE957C3)

Wallets

33j4JbAEzZwWGgA2MxBARD7zprJuNDP2hP

Targets

    • Target

      2023-06-05_9d8e89b9385730b406a3a1aca542568d_neshta_wannacry

    • Size

      877KB

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it copies its own code into other executable files so that launching an infected program runs the virus and spreads it further.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before encrypting.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies. Note that the ransom note path above sits inside the Chrome profile directory, so this hit may simply reflect the ransomware walking that directory while dropping notes rather than deliberate credential theft.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry
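
The signatures above map to a handful of registry and filesystem artifacts that can be checked on a suspect host. The following triage script is an added example written for this report; it is not tria.ge code and not part of the sample. It assumes an elevated PowerShell 5.1 or later session on the affected Windows machine, the standard registry locations for the policy, Run, file-association and wallpaper values, and vssadmin's standard "No items found" message; the 24-hour wallpaper threshold and the use of the note filename from this report as a search term are the author's own choices.

```powershell
# Added host-triage check for the artifacts this report lists (example code, not tria.ge's own).
# Assumptions: elevated PowerShell 5.1+ on the suspect host; standard Windows registry paths;
# vssadmin.exe available; thresholds below are arbitrary and chosen for illustration.

$findings = New-Object System.Collections.Generic.List[string]

# Read one registry value, returning $null when the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -ErrorAction Stop).$Name } catch { $null }
}

# 1. "Disables Task Manager via registry modification": DisableTaskMgr = 1 under Policies\System.
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableTaskMgr'
    if ($v -eq 1) { $findings.Add("$hive DisableTaskMgr=1 (Task Manager blocked by policy)") }
}

# 2. "Adds Run key to start application" and "Drops startup file": list every Run entry and
#    every file in the per-user Startup folder for analyst review.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $findings.Add("$hive Run\$($p.Name) = $($p.Value)") }
        }
    }
}
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Startup folder item: $($_.FullName)") }

# 3. "Modifies system executable filetype association": the exefile open command on a clean
#    system is exactly "%1" %*; anything else means every .exe launch is being redirected.
$assoc = Get-RegValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' '(default)'
if ($assoc -and $assoc -ne '"%1" %*') { $findings.Add("exefile association hijacked: $assoc") }

# 4. "Sets desktop wallpaper using registry": flag a wallpaper file written in the last 24 h
#    (assumed threshold; adjust to the incident timeline).
$wp = Get-RegValue 'HKCU:\Control Panel\Desktop' 'Wallpaper'
if ($wp -and (Test-Path $wp) -and ((Get-Item $wp).LastWriteTime -gt (Get-Date).AddDays(-1))) {
    $findings.Add("Wallpaper file changed in the last 24h: $wp")
}

# 5. "Deletes shadow copies": an empty shadow-copy list on a volume with System Protection
#    enabled is consistent with vssadmin/wmic deletion by the ransomware.
$shadows = & vssadmin.exe list shadows 2>&1 | Out-String
if ($shadows -match 'No items found') {
    $findings.Add('No VSS shadow copies present (correlate with process-creation logs for vssadmin/wmic)')
}

# 6. Ransom note drop: search the profile for the note name seen in this report.
$note = 'How to Recovery.bat'
Get-ChildItem -Path $env:USERPROFILE -Filter $note -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -First 5 | ForEach-Object { $findings.Add("Ransom note: $($_.FullName)") }

# 7. "Checks computer location settings": the GeoID the sample reads for its geofence (informational).
$geo = Get-RegValue 'HKCU:\Control Panel\International\Geo' 'Nation'
$findings.Add("Geo\Nation (GeoID) = $geo  [informational]")

if ($findings.Count -eq 1) { 'No artifacts from this report found beyond the GeoID.' } else { $findings }
```

Run it from an elevated prompt and treat the output as leads, not verdicts: Run-key entries and the wallpaper path are listed for review rather than judged, and the exefile check is deliberately generic (it only compares against the clean default) so it catches any redirection of .exe launches, which is the effect of the "modifies system executable filetype association" signature regardless of where the hijacking binary lives.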
