General

  • Target

    konets.exe

  • Size

    17KB

  • Sample

    240810-pw7j8stfmc

  • MD5

    6a178845e4b33de30efcdcf7b4e128be

  • SHA1

    2f144879ef702ce6fe75515240c9add67b5945ea

  • SHA256

    41b93a574bb612aa155054a537fe86be308ece7c10764a1f57ce01f894848f7c

  • SHA512

    c1e6db9afb21263b47466636d23775a6aaa88a43903fdfa26952b831bc369cef59ae9200ee0466c7869e748192756d19ed6c717403a05622cc3a0ef0104574a8

  • SSDEEP

    192:v6e44RTHEdAppUxevrtachyQpYtXz3usVccmDesQ5tf3XNGlraivR5uQpI:v6eFZLpuABbyQCRq6sW2amNp

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\README.txt

Ransom Note
~~~ Your files have been encrypted! ~~~
Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .kon extension.
You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!
We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70
We can restore your systems in less than 6 hours if you pay now.
However, we will not decrypt your system if:
- You go to police and report us.
>>> If you report us AFTER decryption, we WILL attack you again!!! <<<
Do not delete or modify encrypted files, it will cause problems when recovery!
Send the personal ID to [email protected]
We will provide payment information, once payment is done, we will send you a decryptor!
>>> Your personal ID: 5ZY4-HSUI-YKHT-PFPN <<<

Targets

    • Target

      konets.exe

    • Renames multiple (4956) files with added filename extension

      This suggests ransomware activity: the sample is encrypting the files on the system and appending its own extension.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks