
General

  • Target

    1c479a22f8c67aa1042d3f51d7b90e336fd025b0e8004bb1a34af067ff797fbe

  • Size

    752KB

  • Sample

    240514-qct1gagg52

  • MD5

    cc358ecddfda2fa50bdf9fe5953d48e3

  • SHA1

    c11c56a1ab2651e93068e94ef144fb3d35ca10f3

  • SHA256

    1c479a22f8c67aa1042d3f51d7b90e336fd025b0e8004bb1a34af067ff797fbe

  • SHA512

    a6009d7481ba7cb149a0db25eaaf170bc04d89db3a44b8d24a0465efc413f1261c75cdfed41f246786a424d01c26ab22ba7242be15f51930e4d1ddd96e74d850

  • SSDEEP

    12288:Wwfln/Rt8y4yrT/1X5wfRQopB/h43h7T5ndaSvH92b2Zzfmwof80eoobBz:WwfFZt8y4yTFCfRQoDh4355ndcb9wO2

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note
Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]


Targets

    • Target

      a-7/crypto-locker-1.4.4.1-a7-Runtime/bin/decrypt-a7.exe

    • Size

      949KB

    • MD5

      06921f50200d5f4c14ed2b5c778774ae

    • SHA1

      96afb847777743595f7a7c412da6c3425e95cfd4

    • SHA256

      d007e599337296b1c90d51396952fd07151acf479f2504768fa5f04d07fec760

    • SHA512

      a944745c44bc38aef847cd74647edcd5127d8792dfd7f87133bc593ba747fdddb431223000234ccaa60598387b7465da0dea770fb84dadce6bd870a4ccd7eaeb

    • SSDEEP

      24576:WpiXhwGNyLRuBHs8AmDDXw9QXwnXiee0EBZAoHt+:+iXy+Hs8AmSinBZAoHt+

    Score
    1/10
    • Target

      a-7/crypto-locker-1.4.4.1-a7-Runtime/bin/encrypt-a7.exe

    • Size

      1.2MB

    • MD5

      66b9f03ccf1b0c4b2dad55d3f60b040c

    • SHA1

      d330988c7baf1ca42ac40a9990a5626894c628c4

    • SHA256

      2ce4984a74a36dcdc380c435c9495241db4ca7e107fc2ba50d2fe775fb6b73ce

    • SHA512

      c61a75ad69165d3ee6140553b945b2739e2380678fc2fbb0b6df4dd71fef3a3cb1d5f8edf306da119c7be36d9f19a1c6aee208b03472d0f5791ae4c591b0c47b

    • SSDEEP

      24576:LuUKt2yozDn6ptlc71LGIsubFK7cjvzYwZDwisVTtgpTph2K/:CUKthozDn6XlAFfjvzBSPT6pTphT/

    • LockerGoga

      LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    • Renames multiple (3285) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)

    • Target

      a-8/crypto-locker-1.4.4.1-a8-Runtime/bin/decrypt-a8.exe

    • Size

      949KB

    • MD5

      18af697495b3cc93bb9847dc24568795

    • SHA1

      814d196c47318e19faebe7452c5d35a6ea62e1af

    • SHA256

      b5430088a5c947327f5974863d56d86a26a223081a0ba4805131bb036a0e7872

    • SHA512

      6f87a67ec71018979d9b3f890873935109ed657c1f75bdbd3300398327c45380ea576acd2e2e18afe7fb4fde27657d8b2522afb01c8415e3e1d4d6dc2063268d

    • SSDEEP

      24576:ypiXhwGNyLRuBHs8AmDDXw9QXwnXiee03BdAoHt+:CiXy+Hs8AmSiMBdAoHt+

    Score
    1/10
    • Target

      a-8/crypto-locker-1.4.4.1-a8-Runtime/bin/encrypt-a8.exe

    • Size

      1.2MB

    • MD5

      d31b5a2c8a26296a207a1528ee6d9258

    • SHA1

      9a2a152dee5276ad5dd8340fa8a59025754f7b6d

    • SHA256

      d866e83d3f09768f47133eb94050dafff597631a9b1894e6cfe7174d23a4528f

    • SHA512

      7b79dda826f4fafbcd19437da1a42b26442e44c6d51e52c36e5804f9705380ff3fe626a94788876076701d38443d521fe195218d1d5c0acdf95595cab666e642

    • SSDEEP

      24576:buUKt2yozDn6ptlc71LGIsubFK7cjvzYwZDwisVTtgATpbpK/:SUKthozDn6XlAFfjvzBSPT6ATpbc/

    • LockerGoga

      LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    • Renames multiple (4594) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)

    • Target

      a-9/crypto-locker-1.4.4.1-a9-Runtime/bin/decrypt-a9.exe

    • Size

      949KB

    • MD5

      7b229af4af11067bae852f99a7de58f9

    • SHA1

      748b64147607c904093909085f24518cc35f5a28

    • SHA256

      0d1159c9bd4a9a8f81190c2269e8be28b0dd51a2198ef47a9c6daa4e7d9fcd2f

    • SHA512

      5d4770b840313c0512ca97572f46803ccc966906f3595c662608fbceedff62da2bd1fb8bff1542243bdd99639b2db37e21a5403c59622f061fb07662c64e853e

    • SSDEEP

      24576:TpiXhwGNyLRuBHs8AmDDXw9QXwnXiee0WBiAoHt+:9iXy+Hs8AmSiJBiAoHt+

    Score
    1/10
    • Target

      a-9/crypto-locker-1.4.4.1-a9-Runtime/bin/encrypt-a9.exe

    • Size

      1.2MB

    • MD5

      f59c149db98488ac6b8d621a3d13aeb2

    • SHA1

      1da2bd0c0864a2eb4fc43ca93c383e28f5ba461a

    • SHA256

      6aa73f492b4dc52322ae8443a730c279c621a99dae4e8cb873c7a96dd4c6561f

    • SHA512

      df8e731262c175d5a32ae5cfb8604813adae361c283c39464c9566377067fb1990466797495039d3e3a9d70324f05b47da17a2b92663cf0152321ac8634b6134

    • SSDEEP

      24576:ieUKt2yozDn6ptlov1LGIsubFK7cjvzAwZDwisVTtk8TpQWK/:bUKthozDn6XlIFfjvz5SPTu8TpQz/

    • LockerGoga

      LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

    • Renames multiple (3196) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Drops desktop.ini file(s)
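The two behaviours the report flags for each encrypt-*.exe run, a ransom note dropped at C:\Users\Public\Desktop\README_LOCKED.txt and thousands of renames that append an extension to the original filename, can be turned into host-side detection logic. The following is an added example, not code from the report or from Triage: it consumes a list of file-system events in an assumed Sysmon-like schema (constructed inline), counts per-process renames of the form name -> name.ext in the same directory, and correlates them with the note drop. The ".locked" extension in the constructed events and the threshold value are assumptions; the report does not print the extension used.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Value taken from the report above.
RANSOM_NOTE_PATH = r"C:\Users\Public\Desktop\README_LOCKED.txt"
# Assumed tuning knob: the runs above renamed 3196, 3285 and 4594 files,
# so a real deployment can afford a far higher bar than this demo value.
RENAME_THRESHOLD = 5


@dataclass(frozen=True)
class FileEvent:
    """One file-system event in an assumed Sysmon-style schema."""
    pid: int
    image: str          # process image name
    action: str         # "create" or "rename"
    path: str           # created file, or the original name for a rename
    new_path: str = ""  # rename only: the name after the rename


def appends_extension(old: str, new: str) -> bool:
    """True when `new` is `old` plus one extra '.ext' suffix in the same
    directory. Plain renames (a.txt -> b.txt) and moves do not qualify."""
    old_dir, old_name = ntpath.split(old)
    new_dir, new_name = ntpath.split(new)
    if old_dir.lower() != new_dir.lower():
        return False
    prefix = old_name.lower() + "."
    if not new_name.lower().startswith(prefix):
        return False
    added = new_name[len(prefix):]
    return bool(added) and "." not in added


def analyze(events):
    """One finding per process that appended an extension to at least
    RENAME_THRESHOLD files, noting whether it also dropped the ransom note."""
    rename_count = defaultdict(int)
    extensions = defaultdict(set)
    note_droppers = set()
    for ev in events:
        key = (ev.pid, ev.image)
        if ev.action == "create" and ev.path.lower() == RANSOM_NOTE_PATH.lower():
            note_droppers.add(key)
        elif ev.action == "rename" and appends_extension(ev.path, ev.new_path):
            rename_count[key] += 1
            extensions[key].add(ntpath.splitext(ev.new_path)[1].lower())
    findings = []
    for key, count in sorted(rename_count.items()):
        if count >= RENAME_THRESHOLD:
            pid, image = key
            findings.append({
                "pid": pid, "image": image, "renames": count,
                "extensions": sorted(extensions[key]),
                "dropped_ransom_note": key in note_droppers,
            })
    return findings


def _ransomware_run(pid, image, n):
    """Constructed events: n renames appending '.locked' (assumed), then the note."""
    evs = [FileEvent(pid, image, "rename",
                     rf"C:\Users\alice\Documents\report{i}.docx",
                     rf"C:\Users\alice\Documents\report{i}.docx.locked")
           for i in range(n)]
    evs.append(FileEvent(pid, image, "create", RANSOM_NOTE_PATH))
    return evs


SAMPLE_EVENTS = _ransomware_run(4120, "encrypt-a7.exe", 6) + [
    # Constructed benign noise: a plain rename, one manual ".bak", and a
    # move into another directory that happens to add a suffix.
    FileEvent(1804, "explorer.exe", "rename", r"C:\Users\alice\a.txt", r"C:\Users\alice\b.txt"),
    FileEvent(1804, "explorer.exe", "rename", r"C:\Users\alice\hosts", r"C:\Users\alice\hosts.bak"),
    FileEvent(2210, "robocopy.exe", "rename", r"C:\data\x.csv", r"C:\backup\x.csv.old"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Only the constructed encrypt-a7.exe process crosses the threshold; the single .bak rename and the cross-directory move are ignored, which is the distinction that keeps this rule quiet on ordinary user and backup activity.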
