
General

  • Target: ransomware pt2 (pass=infected).7z
  • Size: 2.6MB
  • Sample: 240716-mvb1ts1fre
  • MD5: 40d6a650f5fc25a357424053603299d0
  • SHA1: e1df234d875116dcccfcbbaa61e10e71cc0c04ec
  • SHA256: e0f3a73cc2ebb6ccab7a039d15f375816f6a08d7dc4e4729eda4a4deadcfe0b5
  • SHA512: e4860b4e8ec2cb3904c79665c0aa3ea6e0cc1b31cba94021d1e5f8c15643639652df27a7fc148b2b231983aef9778189aba8a2230f20929f09264ebc460e5751
  • SSDEEP: 49152:6jbHRT7LcnrOBW3I7nKpIrBKs7ZWtlw+/J37vA1T6mkcM7tU23mLR8:prOQCnyIrxulr3zAAe4tOK

Malware Config

Extracted

Path

C:\Program Files\How To Restore Files.txt

Ransom Note
Important !!! Your personal id - RWAftqGS3vTccoze Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Extracted

Path

C:\Program Files (x86)\How To Restore Files.txt

Ransom Note
Important !!! Your personal id - puTpFwE9gE6TmSNT Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Extracted

Path

C:\Program Files (x86)\How To Restore Files.txt

Ransom Note
Important !!! Your personal id - jM3KwgPSEBG5g2LL Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\How To Restore Files.txt

Ransom Note
Important !!! Your personal id - 2Tul67p5RpwBjNfD Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Targets

    • Target: GrandCrabV5.0.1.bin
    • Size: 2.7MB
    • MD5: 49c158ee65b32cb7f4ca6a769c90bfc0
    • SHA1: f047d2888c29ee711a9ca627d09f0ddce343c54a
    • SHA256: b4902aa2802656f873111b272c03ad93ca2dd53c0c612b9d310c982f4afa497b
    • SHA512: be908bdcd1ae14bd9270a7a4733992a4da440a1326860453f525da2472335b6095094905a89eb833dd2254060cdbf33ce42700c41d8e9075f182f2e8d6fd1001
    • SSDEEP: 49152:N3HyN3QjIm2ANy2NiNQFgFb89Va15682uwgL0KviZiHAtLFTmo9h2A:lHrjIhmiN2V9EvzoKviZFJh2

    • Renames multiple (3347) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target: Ransomware.bin
    • Size: 878KB
    • MD5: 7f29dfc164eff93e11d230a621901145
    • SHA1: 1d9f10518b95315cdc648ba415335ab510804f3e
    • SHA256: e75e6de7b10900b328ff8f80504a191874ee8c45ca6df94c7ceb59e62cbb15ca
    • SHA512: 0deeca68a6b0449daf33f86c9d0be54bf6c681583618f717cd9cb949a6d9b0a6bb339184df2fc9f21c6f36a8ac9f0e0a80f7b9416b985b1be6ef6149e1978678
    • SSDEEP: 12288:DCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga4TibtQ:DCdxte/80jYLT3U1jfsWaAibtQ

    Score: 6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target: fcr.bin
    • Size: 10KB
    • MD5: f1927e7f90416bf39fc7991bbc57e1b3
    • SHA1: 2367249568ca4a34f8824a9313b03d16d1d7c0bc
    • SHA256: 539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
    • SHA512: a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
    • SSDEEP: 192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (10125) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory
