Resubmissions

01/09/2024, 07:00

240901-hs2fgsvall 5

28/08/2024, 19:09

240828-xt1yns1era 10

28/08/2024, 19:05

240828-xrz9csshnl 10

General

  • Target

    razspy.exe

  • Size

    17KB

  • Sample

    240828-xrz9csshnl

  • MD5

    c9122b326a11741382964a64acbbb43e

  • SHA1

    216bac6bee35ce03407349a23eb6a618bf95082d

  • SHA256

    af3b9d5de82a924b2177d69965dff7cb98f5adca28dd4a50e844d96dadd528d1

  • SHA512

    1fcc4fd64ca6eaeeee0be91d4bc067bed2f5e6716d05a2a74b90e702b1110d8cb81d32995ffededc0a67fc3ed725df3cad8424ddc17a33c7a040902687ab6102

  • SSDEEP

    192:3YQ9IeQOGWJvSdDk9iMeqh6c+e0zigZIkGoskKjgEDkZ5qcL/e3Q5tfuNKA:3YQmeQLWJvlI/DvzAZDg7m39

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note
~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: WOG0-29LX-3IDM-PY1Y-RALX-RQFW-QBF1-B30T <<<

Extracted

Path

C:\Users\Admin\Pictures\Camera Roll\README.txt

Ransom Note
~~~ Your files have been encrypted! ~~~. Using advanced AES256 encryption technique your databases, documents, photos and other important files have been encrypted. See for yourself! look at any file with .raz extension. You cannot recover these files yourself. Do not waste your time. Nobody can recover your files. Only we can!. We can decrypt these files, we can guarantee that your files can be decrypted, but you have little time. Payment for the decryption is ~$70 We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER decryption, we WILL attack you again!!!<<< Do not delete or modify encrypted files, it will cause problems when recovery! Sent the personal ID to [email protected] We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, we will publish your data online! >>> Your personal ID: OBRP-DO7W-KYRM-UQL7-RB6T-DVV9-GO96-E27E <<<

Targets

    • Target

      razspy.exe

    • Size

      17KB

    • MD5

      c9122b326a11741382964a64acbbb43e

    • SHA1

      216bac6bee35ce03407349a23eb6a618bf95082d

    • SHA256

      af3b9d5de82a924b2177d69965dff7cb98f5adca28dd4a50e844d96dadd528d1

    • SHA512

      1fcc4fd64ca6eaeeee0be91d4bc067bed2f5e6716d05a2a74b90e702b1110d8cb81d32995ffededc0a67fc3ed725df3cad8424ddc17a33c7a040902687ab6102

    • SSDEEP

      192:3YQ9IeQOGWJvSdDk9iMeqh6c+e0zigZIkGoskKjgEDkZ5qcL/e3Q5tfuNKA:3YQmeQLWJvlI/DvzAZDg7m39

    • Razr Ransomware

      Detects Razr Ransomware.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (5887) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks