Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

885c935f89...18.exe

windows7-x64

10

885c935f89...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    885c935f89580c98444c64b2710378d2_JaffaCakes118

  • Size

    1016KB

  • Sample

    240811-a9l35a1flg

  • MD5

    885c935f89580c98444c64b2710378d2

  • SHA1

    ec3a9cde30a280b825f9603ed6d2f346a24e27d5

  • SHA256

    c0c99b141b014c8e2a5c586586ae9dc01fd634ea977e2714fbef62d7626eb3fb

  • SHA512

    4f2c306cf06d09e6cf776c2a2947239982d27a058b4104875d00c8a623a8ceafeeba8a5b1afdf86c841aa0972f235556f7214e28c4fd8d1936237520c388c0be

  • SSDEEP

    24576:LibnUPR2bYg1yiwKZycSQLyMTNuSBOpFhA8ld8Wm8/uyA:ubCR2bIoyqG4ZBObd8WmRyA

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html

Ransom Note
.sz40<br><style>.container{position:relative;text-align: center;}.top-right{position:absolute;top:20px;left:50%;transform:translate(-50%, -50%);}</style><table align ="center" width="50%" style="border:1px solid red;"><tr><div class="container"><img width="50%" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAQCAIAAACgHXkXAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAEpJREFUeNpiYMALGFdYWuORZvn95Qs+6Z8fPuKT/vX9O17Df/zAq/vnT7zSv3/jNRyvv1n+UCQNMfw/WliSphunNCMTMwPZACDAAM86GalyBR+JAAAAAElFTkSuQmCC"/><div class="top-right"><h1><p style="color:#FFD700">Lorenz ransomware</p></h1></div><th><td><b>Good day</b>!<br>We have download and encrypted all your company files!<br><br>We did this using hybrid RSA - 2048 public key encryption.It basically means there is no way to decrypt your files without the private key.<br>The private key is stored on our server.<br><br>Indeed, we can recover your files. You just have to pay us before the deadline.<br>If you don't, the private key will be securely erased from our server, you lose encrypted files forever and we will publish all the contents of your company includes databases with SSN and diagnosis, correspondence, invoice's, signature's, confidential medical history's, balance sheet's etc. on the internet, send it to mass media and your customers.<br><br> Leave your contact mail to <b>http://egypghtljedbs3x3ui45tfhosakzb376epl7baq2ruzfyewcypswhgqd.onion/index.php</b> (it's Tor site, use Tor Browser <b>https://www.torproject.org/download/</b>) to get instructions and key to restore all your files. <br>Or leave your contact mail to decrypt 2 files for free.<br> After payment will recieve, we securely delete all your files from our servers.<br> <b>Deadline: 02.15.2021</b><b><br><br><b>WARNING!</b> Antivirus software, police or anyone can't decrypt your files. Also any attemps to modify files may damaged them and even we won't be able to recover them.<br><br></td></th></tr></table>

Targets

    • Target

      885c935f89580c98444c64b2710378d2_JaffaCakes118

    • Size

      1016KB

    • MD5

      885c935f89580c98444c64b2710378d2

    • SHA1

      ec3a9cde30a280b825f9603ed6d2f346a24e27d5

    • SHA256

      c0c99b141b014c8e2a5c586586ae9dc01fd634ea977e2714fbef62d7626eb3fb

    • SHA512

      4f2c306cf06d09e6cf776c2a2947239982d27a058b4104875d00c8a623a8ceafeeba8a5b1afdf86c841aa0972f235556f7214e28c4fd8d1936237520c388c0be

    • SSDEEP

      24576:LibnUPR2bYg1yiwKZycSQLyMTNuSBOpFhA8ld8Wm8/uyA:ubCR2bIoyqG4ZBObd8WmRyA

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (315) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: Clear Persistence

      Clear artifacts associated with previously established persistence like scheduletasks on a host.

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks