
General

  • Target

    9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f

  • Size

    154KB

  • Sample

    240626-pvlldavcrb

  • MD5

    9c0be24942593c11acf79e4dd9af842e

  • SHA1

    49dcaf92f2696a90020f871c9d6123a517a6f393

  • SHA256

    9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f

  • SHA512

    e80e3cac32ddc6cc8e95cfcd990737d665a3d76a080ae44d582714fa39ff3e3bcad121dc0f0c65176f27814ece97242ca09d606ff78a977c5fae634795852fe5

  • SSDEEP

    3072:nbLkONNeZzyz3z9Uup2u8eFzT9ioLj/GHU1ON:bhLeZOzj9B2u1PTO

Malware Config

Extracted

Path

C:\Program Files\7-Zip\!!readme!!!.txt

Ransom Note
The Underground team welcomes you! We would like to inform that your network has been tested by us for vulnerabilities. Poor network security could cause your data to be lost forever, including backups. Your files are currently encrypted, but don't worry, they can be restored to their original state with a decryptor key that only we have. The key is in a single copy on our server. Attempting to recover data by your own efforts may result in data loss. It is important not to change their current state. Each file additionally has a unique cipher, which you can restore only with our help. DO NOT reboot or turn off storage media. If you do not contact us within 3 days, or we cannot reach an agreement, information about data leaks is bound to get into the media. Your company's reputation will be damaged.

Sources of downloaded information: 10.100.7.41 - ppbarnetapp01-01.corp.local 10.100.208.35 - PPBARLP286 10.100.208.43 - PPBARLP028 10.100.208.88 - PPBARLP090 10.100.208.100 - PPBARLP062 10.100.208.127 - PPBARLP139 10.100.208.154 - PPBARLP069 10.101.7.150 - PPMADSYN01 10.101.208.10 - PPMADLP712 10.101.208.39 - PPMADLP459 10.101.208.53 - PPMADLP683 10.101.208.60 - PPMADLP115 10.101.208.116 - PPMADLP095 10.101.208.119 - PPMADLP162 10.101.208.128 - PPMADLP442 10.101.208.247 - PPMADLP294 10.101.208.252 - PPMADLP058 10.101.209.106 - PPMADLP730 10.101.209.178 - PPMADLP566 10.108.7.150 - ppmumsyn01.corp.local 10.150.26.60 - PPGERLT029 10.180.80.22 - 005HKPWS1 10.180.159.18 - 031HKUWS3 10.180.172.18 - 001HKUWS4 etc.

- financial and legal document of the company since 1987
- documents contain privileged, confidential information, strictly private and confidential
- personally identified information about employees (dismissed and working)
- (scan: Passports, ID's, addresses, emails, SSN, phone numbers, job offers)
- passports of board of directors with notary stamp
- NDA Agreements
- company accounting and financial data by region
- payroll data and commissions
- the company's incidents
- contracts and all sort of agreements
- shareholder agreements and equity documents
- business projects
- designs and upcoming collections (confidential)
- personal data of company's executives

Any leak of information may be seriously detrimental to AWWG’s interests and its shareholders. Total size of downloaded data about 200 GB

We value and respect every business, including yours. Therefore, we suggest you avoid further negative consequences and return to your work as soon as possible. We guarantee a fair and confidential deal in the shortest possible time. You will not only receive a decryptor, but also a description of your network vulnerabilities and information security recommendations. If necessary, you will be provided with qualified data recovery assistance. You can trust us! Reputation is important to everyone. As a proof of our statements, we are ready to restore some files for free and demonstrate how our product works.

Best regards, Underground team !

Contacts for communication via chat: login to your account (Tor Browser) http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd.onion/ your login: pepejeans your password: lyVYpvXGn3r0Nk7oCgmy ID d449231f234aad731e574c319000bf12 6e8f14b91d7754c8aefb04a1090ec1c7

URLs

http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd.onion/

Targets

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

MITRE ATT&CK Enterprise v15

Tasks