General

  • Target

    VirusShare_2159f467a156a355c527f8816dc99375

  • Size

    350KB

  • Sample

    240610-mtx7nsgg53

  • MD5

    2159f467a156a355c527f8816dc99375

  • SHA1

    41dd19f62208901d4dd454d084382dc408fc0bf1

  • SHA256

    2de0e8bfc87c75268fc4dd06971cfa4eaa6ef0703a92b07e8a3d1d78473e2758

  • SHA512

    14eb7a5bae2f09b7a11682689677d4ad61b83a81c0bb64d880d97cd858147ad5362038b3ccf67a7e3958aa06105e71f81b6cab01b01f5edf527efeabaf468874

  • SSDEEP

    6144:zqjAgHiAy4sYQwxmE8r3M9NQbkN4PYITd/FP1i2/ph80vVy98G2fms7L:zXopy41mEaM9+b3PFNFlhTy98G2eqL

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\-!RecOveR!-sxduh++.Txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ------- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
What's the matter with your files? Your data was secured using a strong encryption with RSA-4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What exactly that means?
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ------- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is possibility to restore them with our help .
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ----- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
What exactly happened to your files ???
!!! Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
!!! All your data and files were encrypted by the means of the public key , which you received over the web .
!!! In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.
!!! What should you do next ???
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ----- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data.
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://k47d3.proporr.com/DCC74656A122B45C
http://wor4d.slewirk.at/DCC74656A122B45C
http://kbv5s.kylepasse.at/DCC74656A122B45C
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ----- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download and Install TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Run TOR Browser
Insert link in the address bar - yyhn7fpvq44cqcu3.onion/DCC74656A122B45C
+)/99*&)!7(8?!6' &15&.!?4%/6>2#----IMPORTANT*****************INFORMATION---------+)/99*&)!7(8?!6' &15&.!?4%/6>2#
Your personal homepages
http://k47d3.proporr.com/DCC74656A122B45C
http://wor4d.slewirk.at/DCC74656A122B45C
http://kbv5s.kylepasse.at/DCC74656A122B45C
Your personal homepage Tor-Browser yyhn7fpvq44cqcu3.onion/DCC74656A122B45C
Your personal ID DCC74656A122B45C
+)/99*&)!7(8?!6' &15&.!?4%/6>2# ----- +)/99*&)!7(8?!6' &15&.!?4%/6>2#
URLs

http://k47d3.proporr.com/DCC74656A122B45C

http://wor4d.slewirk.at/DCC74656A122B45C

http://kbv5s.kylepasse.at/DCC74656A122B45C

http://yyhn7fpvq44cqcu3.onion/DCC74656A122B45C

Extracted

Path

C:\Program Files\Common Files\DESIGNER\-!RecOveR!-wxdkm++.Txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ------- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
What's the matter with your files? Your data was secured using a strong encryption with RSA-4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)
What exactly that means?
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ------- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is possibility to restore them with our help .
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
What exactly happened to your files ???
!!! Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
!!! All your data and files were encrypted by the means of the public key , which you received over the web .
!!! In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.
!!! What should you do next ???
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data.
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://k47d3.proporr.com/225A1510AD1888A7
http://wor4d.slewirk.at/225A1510AD1888A7
http://kbv5s.kylepasse.at/225A1510AD1888A7
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download and Install TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Run TOR Browser
Insert link in the address bar - yyhn7fpvq44cqcu3.onion/225A1510AD1888A7
'+!6*&078)!=&6'6<>5&7$?4('6>2'-----IMPORTANT*****************INFORMATION---------'+!6*&078)!=&6'6<>5&7$?4('6>2'-
Your personal homepages
http://k47d3.proporr.com/225A1510AD1888A7
http://wor4d.slewirk.at/225A1510AD1888A7
http://kbv5s.kylepasse.at/225A1510AD1888A7
Your personal homepage Tor-Browser yyhn7fpvq44cqcu3.onion/225A1510AD1888A7
Your personal ID 225A1510AD1888A7
'+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
URLs

http://k47d3.proporr.com/225A1510AD1888A7

http://wor4d.slewirk.at/225A1510AD1888A7

http://kbv5s.kylepasse.at/225A1510AD1888A7

http://yyhn7fpvq44cqcu3.onion/225A1510AD1888A7

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application
