General
Target: VirusShare_99e83f42796e5390063243810c0629de
Size: 184KB
Sample: 240610-nylvwahf6w
MD5: 99e83f42796e5390063243810c0629de
SHA1: a97c9cdff2002fc328a933df1ae3bc67508814ee
SHA256: 722d3afa33d79b277e4198517084248b25db8dc90207b5ee4fff76dfa2b19fb5
SHA512: ecc5e1e8fe8b36dbf2326e182772ca852e155f8deb5562e3ff707538c5b24961c16a44b26737efbd09cc6d38683cf51c1a363e2668c27f7453ffea21eb0a7a2c
SSDEEP: 3072:jFIkQ7yjaILMvzovwBB82T/NyG86ry6BSTqQ+hvVdhCL9juDEDsj/RR:pjLMswHHQG86ry6BSGLVAjuv
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_99e83f42796e5390063243810c0629de.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: VirusShare_99e83f42796e5390063243810c0629de.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+REcovER+xfkps+.txt
http://i5ndw.titlecorta.at/6A4CE9A63B39ECC8
http://d34fa.lasmeio.com/6A4CE9A63B39ECC8
http://2gdb4.leoraorage.at/6A4CE9A63B39ECC8
http://k7tlx3ghr3m4n2tu.onion/6A4CE9A63B39ECC8
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+REcovER+xfkps+.html
http://i5ndw.titlecorta.at/6A4CE9A63B39ECC8
http://d34fa.lasmeio.com/6A4CE9A63B39ECC8
http://2gdb4.leoraorage.at/6A4CE9A63B39ECC8
http://k7tlx3ghr3m4n2tu.onion/6A4CE9A63B39ECC8
Extracted
C:\Program Files\7-Zip\Lang\+REcovER+uhmfj+.txt
http://i5ndw.titlecorta.at/B5EC285F737BD644
http://d34fa.lasmeio.com/B5EC285F737BD644
http://2gdb4.leoraorage.at/B5EC285F737BD644
http://k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
Extracted
C:\Program Files\7-Zip\Lang\+REcovER+uhmfj+.html
http://i5ndw.titlecorta.at/B5EC285F737BD644
http://d34fa.lasmeio.com/B5EC285F737BD644
http://2gdb4.leoraorage.at/B5EC285F737BD644
http://k7tlx3ghr3m4n2tu.onion/B5EC285F737BD644
Targets
Target: VirusShare_99e83f42796e5390063243810c0629de
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application