Overview (max score 10/10)

Static analysis (static): score 5/10

Behavioral tasks (sample, platform, score):
GrandCrabV5.0.1.exe   windows7-x64         9/10
GrandCrabV5.0.1.exe   windows10-1703-x64   9/10
GrandCrabV5.0.1.exe   windows10-2004-x64   9/10
GrandCrabV5.0.1.exe   windows11-21h2-x64   9/10
Ransomware.exe        windows7-x64         6/10
Ransomware.exe        windows10-1703-x64   6/10
Ransomware.exe        windows10-2004-x64   6/10
Ransomware.exe        windows11-21h2-x64   6/10
fcr.exe               windows7-x64         10/10
fcr.exe               windows10-1703-x64   10/10
fcr.exe               windows10-2004-x64   10/10
fcr.exe               windows11-21h2-x64   10/10

General
Target: ransomware pt2 (pass=infected).7z
Size: 2.6MB
Sample: 240716-mvb1ts1fre
MD5: 40d6a650f5fc25a357424053603299d0
SHA1: e1df234d875116dcccfcbbaa61e10e71cc0c04ec
SHA256: e0f3a73cc2ebb6ccab7a039d15f375816f6a08d7dc4e4729eda4a4deadcfe0b5
SHA512: e4860b4e8ec2cb3904c79665c0aa3ea6e0cc1b31cba94021d1e5f8c15643639652df27a7fc148b2b231983aef9778189aba8a2230f20929f09264ebc460e5751
SSDEEP: 49152:6jbHRT7LcnrOBW3I7nKpIrBKs7ZWtlw+/J37vA1T6mkcM7tU23mLR8:prOQCnyIrxulr3zAAe4tOK
Static task: static1

Behavioral tasks (task id: sample, resource):
behavioral1: GrandCrabV5.0.1.exe, win7-20240708-en
behavioral2: GrandCrabV5.0.1.exe, win10-20240404-en
behavioral3: GrandCrabV5.0.1.exe, win10v2004-20240709-en
behavioral4: GrandCrabV5.0.1.exe, win11-20240709-en
behavioral5: Ransomware.exe, win7-20240704-en
behavioral6: Ransomware.exe, win10-20240404-en
behavioral7: Ransomware.exe, win10v2004-20240709-en
behavioral8: Ransomware.exe, win11-20240709-en
behavioral9: fcr.exe, win7-20240704-en
behavioral10: fcr.exe, win10-20240611-en
behavioral11: fcr.exe, win10v2004-20240709-en
behavioral12: fcr.exe, win11-20240709-en
Malware Config
Extracted: C:\Program Files\How To Restore Files.txt
Extracted: C:\Program Files (x86)\How To Restore Files.txt
Extracted: C:\Program Files (x86)\How To Restore Files.txt
Extracted: F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\How To Restore Files.txt
Targets

Target: GrandCrabV5.0.1.bin
Size: 2.7MB
MD5: 49c158ee65b32cb7f4ca6a769c90bfc0
SHA1: f047d2888c29ee711a9ca627d09f0ddce343c54a
SHA256: b4902aa2802656f873111b272c03ad93ca2dd53c0c612b9d310c982f4afa497b
SHA512: be908bdcd1ae14bd9270a7a4733992a4da440a1326860453f525da2472335b6095094905a89eb833dd2254060cdbf33ce42700c41d8e9075f182f2e8d6fd1001
SSDEEP: 49152:N3HyN3QjIm2ANy2NiNQFgFb89Va15682uwgL0KviZiHAtLFTmo9h2A:lHrjIhmiN2V9EvzoKviZFJh2
Score: 9/10

Signatures:
- Renames multiple (3347) files with added filename extension
  This suggests ransomware activity: encrypting files across the system.
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
  Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
Target: Ransomware.bin
Size: 878KB
MD5: 7f29dfc164eff93e11d230a621901145
SHA1: 1d9f10518b95315cdc648ba415335ab510804f3e
SHA256: e75e6de7b10900b328ff8f80504a191874ee8c45ca6df94c7ceb59e62cbb15ca
SHA512: 0deeca68a6b0449daf33f86c9d0be54bf6c681583618f717cd9cb949a6d9b0a6bb339184df2fc9f21c6f36a8ac9f0e0a80f7b9416b985b1be6ef6149e1978678
SSDEEP: 12288:DCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga4TibtQ:DCdxte/80jYLT3U1jfsWaAibtQ
Score: 6/10

Signatures:
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Target: fcr.bin
Size: 10KB
MD5: f1927e7f90416bf39fc7991bbc57e1b3
SHA1: 2367249568ca4a34f8824a9313b03d16d1d7c0bc
SHA256: 539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
SHA512: a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
SSDEEP: 192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7

Signatures:
- Clears Windows event logs
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (10125) files with added filename extension
  This suggests ransomware activity: encrypting files across the system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Adds Run key to start application
- Power Settings
  powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
  Power Settings (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Direct Volume Access (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Indicator Removal (3)
    File Deletion (2)
  Modify Registry (5)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)