
General

  • Target

    risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5

  • Size

    149KB

  • Sample

    240515-ta25vagg57

  • MD5

    0444b3d690823924667302cfae1f0655

  • SHA1

    737d0d001e60ce20c8f35a2bbac0f4d525b96174

  • SHA256

    3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5

  • SHA512

    5dacf16ce60bb5191708de906a920ab63fa3d5458fc7331013d8c3997beae802f0ea4b318392b1c4c6e15417a15423661e6bb4cb072adb33338493b1aac2c57d

  • SSDEEP

    3072:wz5vBHTp2Obwai/tge32Vhh53u8rrsusAkeOe494flyntoGNout:wtvBlZc/tZ3yh53u8rg/AkFe4ufkntVZ

Malware Config

Extracted

Path

C:\ProgramData\$Risen_Guide.hta

Ransom Note

All Your Important Files Have Been Encrypted

NOTE
We have also taken your critical documents and files from different parts of your network, which we will leak or sell if there is no cooperation from your side. Our operators have been monitoring your business for a while, when we say these documents are critical, we mean it. We await for your response before the deadline ends, After that we will continue the process of leaking or selling your documents. We assure you that this won't happen if you cooperate with us.

CONTACT US
For more instructions, to save your files and your business, contact us by : Email address : [email protected] , TELEGRAM:@tokyosupp didn't get any response in 24 hours ? use : [email protected] Leave subject as your machine id " AAFJKAF8XA " If you didn't get any respond within 72 hours use our blog to contact us, therefore we can create another way for you to contact your cryptor as soon as possible. http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/

ATTENTION
Do not rename or change info of any file, in case of any changes in files after encryption there is a huge risk for making it unusable Do not pay any amount of money before receiving decrypted test files there might be many middle man services out there whom will contact us for your case and they will make a profit by adding a sort of money to the fixed price any attempts for decrypting your files through third party softwares will cause permanent damage to following files and permanent data loss there will be a deadline until your data get sold or leaked by our team,you better corporate with us before the following deadline otherwise we will proceed to sell or leak your data without any past warnings
URLs

http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/
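The extracted note above carries the indicators worth pulling into a triage workflow automatically: the v3 .onion contact URL, the Telegram handle, the per-victim machine id the note tells the victim to put in the subject line, and the note's drop path. The following extractor is an added example and not tria.ge code; it runs over an excerpt of the note text reproduced in this report (the e-mail addresses are obfuscated on the page and are left out), and the pattern names and the 56-character base32 check for v3 onion addresses are this example's own choices.

```python
import re

# Excerpt of the ransom note shown in this report's Malware Config section.
# The e-mail addresses are obfuscated on the page and are replaced by <omitted>.
RISEN_NOTE_EXCERPT = (
    "CONTACT US For more instructions, to save your files and your business, "
    "contact us by : Email address : <omitted> , TELEGRAM:@tokyosupp "
    "didn't get any response in 24 hours ? use : <omitted> "
    'Leave subject as your machine id " AAFJKAF8XA " '
    "If you didn't get any respond within 72 hours use our blog to contact us "
    "http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/ "
    "ATTENTION Do not rename or change info of any file"
)

# v3 onion services are exactly 56 base32 characters ([a-z2-7]) before ".onion";
# anything shorter is either a legacy v2 address or not an onion at all.
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b[^\s\"'<>]*", re.I)
TELEGRAM_RE = re.compile(r"\bTELEGRAM\s*:\s*@([A-Za-z0-9_]{5,32})", re.I)
# The note quotes the machine id between double quotes with stray spaces.
MACHINE_ID_RE = re.compile(r'\bmachine id\s*"\s*([A-Z0-9]{6,})\s*"', re.I)
# Drop path reported for this sample: C:\ProgramData\$Risen_Guide.hta
NOTE_PATH_RE = re.compile(r"\\\$Risen_Guide\.hta$", re.I)


def extract_iocs(note: str) -> dict:
    """Return the structured contact indicators found in a Risen ransom note."""
    onion_urls = sorted({m.group(0).lower() for m in ONION_RE.finditer(note)})
    telegram = sorted({m.group(1) for m in TELEGRAM_RE.finditer(note)})
    machine_ids = sorted({m.group(1) for m in MACHINE_ID_RE.finditer(note)})
    return {"onion_urls": onion_urls, "telegram": telegram, "machine_ids": machine_ids}


def is_risen_note_path(path: str) -> bool:
    """True when a file path matches the ransom-note drop location from this report."""
    return NOTE_PATH_RE.search(path) is not None


if __name__ == "__main__":
    for key, values in extract_iocs(RISEN_NOTE_EXCERPT).items():
        print(f"{key}: {values}")
    print(is_risen_note_path(r"C:\ProgramData\$Risen_Guide.hta"))
```

The machine id is the one value here that is per-victim rather than per-campaign: it is what the actor uses to tie a negotiation to a specific infection, so it belongs in the incident record but not in a shared blocklist, whereas the onion URL and Telegram handle can be shared as campaign indicators.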

Targets

    • Target

      risen_exe_3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5

    • Size

      149KB

    • MD5

      0444b3d690823924667302cfae1f0655

    • SHA1

      737d0d001e60ce20c8f35a2bbac0f4d525b96174

    • SHA256

      3b685f4a59211225997256a5cd900f44953bba276b6eb92545966b35b6ef89b5

    • SHA512

      5dacf16ce60bb5191708de906a920ab63fa3d5458fc7331013d8c3997beae802f0ea4b318392b1c4c6e15417a15423661e6bb4cb072adb33338493b1aac2c57d

    • SSDEEP

      3072:wz5vBHTp2Obwai/tge32Vhh53u8rrsusAkeOe494flyntoGNout:wtvBlZc/tZ3yh53u8rg/AkFe4ufkntVZ

    • Deletes NTFS Change Journal

      The USN change journal is a persistent NTFS log of changes made to files on a volume, present on all Windows versions (not only Windows Server). Deleting it removes a record that forensic timeline tools rely on.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (2898) files with added filename extension

      Appending an extension to thousands of files in a single run is characteristic of ransomware encrypting the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • UPX packed file

      The executable is packed with UPX or a modified build of the UPX open source packer.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
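The signatures above (shadow copy deletion, wbadmin catalog deletion, bcdedit changes, USN journal deletion, event log clearing, and the Task Manager / System Restore registry changes) describe a recovery-inhibition chain that a detection engineer would want to catch as a whole rather than one command at a time. The detector below is an added example, not tria.ge code: it classifies process-creation command lines into the technique categories this report names and alerts when one parent process exhibits two or more of them. The event records are constructed in the style of Sysmon Event ID 1, and the command lines are the typical forms of each technique; the report does not list the exact command lines this sample ran, so they should be read as assumptions.

```python
import re
from collections import defaultdict

# One pattern per technique named in the report's signature list. The command
# forms are the usual ones for each technique, assumed for this example.
TECHNIQUES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("usn_journal_delete",
     re.compile(r"\bfsutil(\.exe)?\b.*\busn\b.*\bdeletejournal", re.I)),
    ("eventlog_clear",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("taskmgr_disable",
     re.compile(r"\bDisableTaskMgr\b", re.I)),
    ("system_restore_disable",
     re.compile(r"\bDisableSR\b|\bDisableConfig\b", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 style). Parent PID 4120
# stands in for the ransomware process; 9001 and 9002 are unrelated activity.
EVENTS = [
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "fsutil usn deletejournal /D C:"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine": "wevtutil cl Security"},
    {"Computer": "WS01", "ParentProcessId": 4120, "CommandLine":
        'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {"Computer": "WS01", "ParentProcessId": 9001, "CommandLine": "wevtutil cl Application"},
    {"Computer": "WS01", "ParentProcessId": 9002, "CommandLine": "notepad.exe C:\\Users\\admin\\notes.txt"},
]


def classify(cmdline: str) -> list:
    """Return every technique category whose pattern matches the command line."""
    return [name for name, pat in TECHNIQUES if pat.search(cmdline)]


def find_recovery_inhibition(events, threshold: int = 2) -> list:
    """Group matched events by (host, parent PID) and alert on parents that
    show at least `threshold` distinct techniques. A lone `wevtutil cl` from an
    administrator stays below the threshold; a process that deletes shadow
    copies and then tampers with bcdedit does not."""
    seen = defaultdict(dict)  # (host, parent pid) -> {technique: first command line}
    for ev in events:
        for technique in classify(ev["CommandLine"]):
            seen[(ev["Computer"], ev["ParentProcessId"])].setdefault(technique, ev["CommandLine"])
    return [
        {"computer": host, "parent_pid": pid, "techniques": sorted(techs), "evidence": techs}
        for (host, pid), techs in seen.items()
        if len(techs) >= threshold
    ]


if __name__ == "__main__":
    for alert in find_recovery_inhibition(EVENTS):
        print(alert["computer"], alert["parent_pid"], alert["techniques"])
```

Grouping by parent process is the part that matters: each individual command has legitimate administrative uses, so single-command rules are noisy, while two or more recovery-inhibition techniques from the same parent within one session is a pattern almost only ransomware produces. On real telemetry the grouping key should also carry the parent's image path and a time window, and the registry patterns should be applied to registry-set events as well as to `reg.exe` command lines, since the report shows these changes being made directly through the registry API.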
