Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    readme2.txt.exe

  • Size

    25KB

  • Sample

    240705-wcwf7asdqq

  • MD5

    9f3d97d7cad1f049d92a5e0520004a91

  • SHA1

    6a69fd2813e16e036bba5261375e285244e2a361

  • SHA256

    296e2583c5d91e1c5c4c9f36cdd54ada7ee5e95585a9549799bba6b89f5d4d15

  • SHA512

    ecbadae5a1254bad3851462198454059100b8b78f770e7f8455f6fb80fee3dec586380832a76b1bc0fecd5ee8ad0a62268d8269ab9e555f83bd9a279951d0b69

  • SSDEEP

    768:tEHP8+xiXHShdO28nM41v18bVb/gm3Hrdn:tEHP8+x4SqgZ/X3x

Malware Config

Targets

    • Target

      readme2.txt.exe

    • Size

      25KB

    • MD5

      9f3d97d7cad1f049d92a5e0520004a91

    • SHA1

      6a69fd2813e16e036bba5261375e285244e2a361

    • SHA256

      296e2583c5d91e1c5c4c9f36cdd54ada7ee5e95585a9549799bba6b89f5d4d15

    • SHA512

      ecbadae5a1254bad3851462198454059100b8b78f770e7f8455f6fb80fee3dec586380832a76b1bc0fecd5ee8ad0a62268d8269ab9e555f83bd9a279951d0b69

    • SSDEEP

      768:tEHP8+xiXHShdO28nM41v18bVb/gm3Hrdn:tEHP8+x4SqgZ/X3x

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Renames multiple (557) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.