Resubmissions

  • 15/04/2024, 10:50    240415-mxdmfacf29    10
  • 15/04/2024, 07:11    240415-hzw5cahc99    10

General

  • Target: 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.zip
  • Size: 395KB
  • Sample: 240415-hzw5cahc99
  • MD5: 6a8760c3dcdc871834f0c8f2d3b3b6ae
  • SHA1: d80be7a264d4c972ca4b1eeafa96c8356143ec62
  • SHA256: dd2b75cb2df230a562fb1d1cac43a847b63bf6658ac7fe36de316fbd2bc5610a
  • SHA512: 55014e365c3e1d1cc5ca49d69c8268b7bac2e328dd2d8e055367a3b523d3a87cef7ead5e3ba22661f5fad118317adb9149441d5779fd1b2d99e15334c6f24d0f
  • SSDEEP: 6144:2rfXp6yVdyYcH2t4qAdfGWkyPr6B7e5y72pe0Awa8yyVz9IrU4F5lDU0mddT46XD:a6y76RfGrPi5Q2Hy0RIrUaX4zf2MP

Malware Config

Extracted

  • Path: C:\Users\Admin\Contacts\Readme.txt

Ransom Note
Attention Tax payer: All Your files have been locked with ransomware by law enforcement for violating cyber laws. All of your important documents, photos, and videos have been encrypted and cannot be accessed without a decryption key. This is a serious offense and you must pay a fine to unlock your files. To unlock your files, follow these instructions: 1. Contact us on telegram = @Lawinfo19 2. We will tell about you problem 3. You need us to pay a amount for your criminal activity 4. Use the decryption key to unlock your files. If you fail to comply with these instructions, the fine will increase and your files will be permanently deleted. Do not attempt to remove the ransomware or tamper with your files. Any attempts to do so will result in the permanent loss of your data. We understand the inconvenience this may cause, but it is necessary to ensure that cyber laws are not violated. We apologize for any inconvenience and hope to resolve this matter as soon as possible. Sincerely, Law Enforcement

Targets

    • Target: 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda
    • Size: 767KB
    • MD5: ae2f422a1ca6558ca6dd723c1b351b7a
    • SHA1: eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad
    • SHA256: 1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda
    • SHA512: 30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3
    • SSDEEP: 12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ks:WnsJ39LyjbJkQFMhmC+6GD9R

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (456) files with an added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Sets desktop wallpaper using registry
