Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990
-
Size
2.2MB
-
Sample
240723-rs1nmaxfqa
-
MD5
f02a03c07751001b9d3517fcbdf451f6
-
SHA1
0e79f20134f733b680a69ebf94a850a515d2339d
-
SHA256
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990
-
SHA512
a45c320e5db711a42560f29179c6716eb33e37cb1328d8cd5612b1a28bee89a8c5af50ccc091d5fb2c0c0473c03c3c8fffa1af9171871fad8ab10627e404935d
-
SSDEEP
49152:WwwzdHSlpNLyRWCdZIbm3h9Y+TA0BZFgBGiwAEB8Z1QK5lsDyYuZ:WwMH+p9yRhEax9Jc0BTgBGLTmZKK56yz
Static task
static1
Behavioral task
behavioral1
Sample
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Extracted
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Targets
-
-
Target
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990
-
Size
2.2MB
-
MD5
f02a03c07751001b9d3517fcbdf451f6
-
SHA1
0e79f20134f733b680a69ebf94a850a515d2339d
-
SHA256
dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990
-
SHA512
a45c320e5db711a42560f29179c6716eb33e37cb1328d8cd5612b1a28bee89a8c5af50ccc091d5fb2c0c0473c03c3c8fffa1af9171871fad8ab10627e404935d
-
SSDEEP
49152:WwwzdHSlpNLyRWCdZIbm3h9Y+TA0BZFgBGiwAEB8Z1QK5lsDyYuZ:WwMH+p9yRhEax9Jc0BTgBGLTmZKK56yz
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (7228) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-