Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990

  • Size

    2.2MB

  • Sample

    240723-rs1nmaxfqa

  • MD5

    f02a03c07751001b9d3517fcbdf451f6

  • SHA1

    0e79f20134f733b680a69ebf94a850a515d2339d

  • SHA256

    dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990

  • SHA512

    a45c320e5db711a42560f29179c6716eb33e37cb1328d8cd5612b1a28bee89a8c5af50ccc091d5fb2c0c0473c03c3c8fffa1af9171871fad8ab10627e404935d

  • SSDEEP

    49152:WwwzdHSlpNLyRWCdZIbm3h9Y+TA0BZFgBGiwAEB8Z1QK5lsDyYuZ:WwMH+p9yRhEax9Jc0BTgBGLTmZKK56yz

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note
Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 9FDDF879892C918BF986A456 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note
Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 468C7E7C90EB9E0B71F41E70 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.�
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Targets

    • Target

      dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990

    • Size

      2.2MB

    • MD5

      f02a03c07751001b9d3517fcbdf451f6

    • SHA1

      0e79f20134f733b680a69ebf94a850a515d2339d

    • SHA256

      dbb4576462391691d879bc2a9977feacd00285364de49b013333d1969b158990

    • SHA512

      a45c320e5db711a42560f29179c6716eb33e37cb1328d8cd5612b1a28bee89a8c5af50ccc091d5fb2c0c0473c03c3c8fffa1af9171871fad8ab10627e404935d

    • SSDEEP

      49152:WwwzdHSlpNLyRWCdZIbm3h9Y+TA0BZFgBGiwAEB8Z1QK5lsDyYuZ:WwMH+p9yRhEax9Jc0BTgBGLTmZKK56yz

    • TargetCompany,Mallox

      TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7228) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks