Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

30/07/2024, 19:09

240730-xtvrnaybqd 10

30/07/2024, 18:49

240730-xgql6stanq 10

General

  • Target

    http://185.215.113.101

  • Sample

    240730-xgql6stanq

Malware Config

Extracted

Path

C:\d093fD6aI.README.txt

Ransom Note
~~~ LockBit 5.01 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom BTC amount 0.01 = up to 12hr BTC amount 0.02 = up to 24hr BTC amount 0.1 = up 48 hr BTC amount 0 , deleted all files from you PC, and post all infirmation to public. where send BTC: bc1qm7sg7p2jkgthv7pkjy856sh9lr5x3yrpzv099d :not valid after 07/23/2024 10PM EST. Time just 12 hr, after everythink will be removed You can buy them on the exchange or at an ATM https://coinatmradar.com. You can find the addresses here buy with credit or debet card online https://www.moonpay.com/buy. You have 12 hours for the transfer, 24 hours for the amount of 0.02, and of course, you can always wait 48 hours and pay 0.1. After that, send a request with confirmation to TOX , faster way! You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, tox. Tox ID LockBitSupp: B90F5C1EC3C13400F6D0B22B772C5FAB086F8C41A0C87B92A8B3C7F2ECBBCE191A455140273E
URLs

https://coinatmradar.com

https://www.moonpay.com/buy

https://tox.chat/download.html

Targets

    • Target

      http://185.215.113.101

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Renames multiple (642) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks