Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    VirusShare_a3bf1b20a4e1672fc4dd3dda18b0cc40

  • Size

    705KB

  • Sample

    240610-mbzb1sgc87

  • MD5

    a3bf1b20a4e1672fc4dd3dda18b0cc40

  • SHA1

    3332e2e1a8f9a66e8eb783abf0e17c61904bd380

  • SHA256

    b100643f39c3bf67b08192f2e8004c01002b8a7710c26147e9403d23face91c7

  • SHA512

    5faeb9ee482d62554e6f022c04e6bf7873beec347a96251a4dad3c9276422a7e61b331d1fc7c060dca83752da5e4485771bef3509f9c114675ebb3338a59fcd3

  • SSDEEP

    12288:xcgsFxcCZxlEWJjy93qeD8mN+X6KSUrKzR9wh2UlqdyUs2h63gbBMNKg9t8Siszy:xcpHl7+qVBKmNw/63P/D80mV

Malware Config

Extracted

Path

C:\ProgramData\yxamqxj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

    • Target

      Factuur4388.PDF.exe

    • Size

      772KB

    • MD5

      95f60b5b36d63307d83e3f3de9675a1d

    • SHA1

      da733991d9618b3a3bb5cc503ba0e860f1e8ea29

    • SHA256

      f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

    • SHA512

      de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

    • SSDEEP

      12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks