Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    VoiceMod-Full-Version-Setup.zip

  • Size

    27.5MB

  • Sample

    240730-kazv2szela

  • MD5

    877eb37ea80f10570de05fb3b9b4b290

  • SHA1

    85559ff8c2a3a346e2da1d53051f213469cb386c

  • SHA256

    2bad639d0a1f90525ad56b31641b3bd5fe1310079d1e6abd6bc7889cdc1ff3f5

  • SHA512

    f2e224d03cf210f228f9ae2f4597653bf82a001a4650b0645c64adfe9df829b9691c1bd393cdecb90bfb681c002138dd098cff0cede1bb0805f625ba9e78407e

  • SSDEEP

    786432:MSmSdoK5sxdV0OrywXGvgW2OHDjRom/pEdiN:bmoVGxdV0O7It2OjjRHxck

Malware Config

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note
~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC90BEF8DD0B1639FE >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.
URLs

https://t.me/mr_robot_unlock

Extracted

Path

C:\3R9qG8i3Z.README.txt

Ransom Note
~~~ PC Locker 3.0 by Mr.Robot~~~ >>>> Your data are stolen and encrypted To get your files back you will have to pay a one-time fee of $45 in bitcoin or monero. >>>> You need contact us and decrypt one file for free on these platforms with your personal DECRYPTION ID Contact the following account on telegram @mr_robot_unlock or paste this link in your browser https://t.me/mr_robot_unlock >>>> Your personal DECRYPTION ID: 4B75BFA39AA770FC59CC762BBFD3B285 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom you will not receive you files NO EXCEPTIONS! >>>> Warning! Any attempt to negotiate or you don't want to pay is INSTANT BLOCK! >>>> Advertisement Would you like to earn thousands of dollars $$$ ? We sell mentorship for stealers, DDOS and ransomware. We only work with professionals and people with money DO NOT WASTE OUR TIME.
URLs

https://t.me/mr_robot_unlock

Targets

    • Target

      VoiceMod-Full-Version-Setup/Voicemod_setup.exe

    • Size

      146KB

    • MD5

      3d49478072bf18339ef810c8ea7546b2

    • SHA1

      c1047d72d4cdce21af4bb989ad1bee437edb7f80

    • SHA256

      e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d

    • SHA512

      f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c

    • SSDEEP

      3072:A6glyuxE4GsUPnliByocWepU0DxwbL2LUnPaZw:A6gDBGpvEByocWeTDxOL2LScw

    • Renames multiple (570) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks