General

  • Target

    6A19P_razrusheniye.exe

  • Size

    20KB

  • Sample

    240906-s1ydxatgmk

  • MD5

    0989843627697f68330485e08033bc3d

  • SHA1

    c313d0d0476e85b4013436d34641be930c29f394

  • SHA256

    7c1a1513ae242ece2f964779e1aca19db05d2d9804a1e1e61980ece32401ca89

  • SHA512

    48afa380d0726b6660a47857af65668117f363762ad231d0ae120d7d5c37478a0276114002f7a51f99fe8dbf8b26066d1c4be498a4abe042c0358bc6269aab84

  • SSDEEP

    384:ThepVQkCBbX1V/IxzJjWigeY6doSiKkU+aon3TcoUURdT:wpwfIzlgjyriKkdo1U7

Malware Config

Extracted

Path

C:\Users\Admin\Videos\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~. Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them. See for yourself! Look at any file with the .raz extension and its content! You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us! If you fulfil the following, you are eligible for a 50% discount! - You do NOT contact ANYONE about this incident. - You contact us in UNDER than 6 hours. We can decrypt these files, we can guarantee that your system will be just as new! Payment for the restoration of your system is $70 (with the 50% discount it's $35) We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER restoration, we WILL attack you again!!! <<< Do not delete or modify encrypted files, it will cause problems when restoring your system! Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar! Q: How can i be sure you won't scam me? A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35) >>> Your personal ID is: XXO2-0OVR-DV9B-LOOG-RAW6-EMVL-GGKY-90FO <<<

Extracted

Path

C:\Users\Admin\Pictures\Camera Roll\README.txt

Ransom Note
~~~ You became victim of the razrusheniye ransomware! ~~~. Using AES-256-CBC encryption, your databases, documents, photos and other important files have been encrypted! This means you will not be able to access them unless you decrypt them. See for yourself! Look at any file with the .raz extension and its content! You cannot recover these files yourself. That's not how cryptography works. Do not waste your time. Nobody can recover your files besides us! If you fulfil the following, you are eligible for a 50% discount! - You do NOT contact ANYONE about this incident. - You contact us in UNDER than 6 hours. We can decrypt these files, we can guarantee that your system will be just as new! Payment for the restoration of your system is $70 (with the 50% discount it's $35) We can restore your systems in less than 6 hours if you pay now. However, we will not decrypt your system if; - You go to police and report us. >>> If you report us AFTER restoration, we WILL attack you again!!! <<< Do not delete or modify encrypted files, it will cause problems when restoring your system! Send the personal ID to [email protected] via email. We will provide payment information, once payment is done, we will sent you a decryptor! If you do not pay, you will NEVER get your data back and sensitive information will be leaked online! By sensitive information we mean passwords, and similar! Q: How can i be sure you won't scam me? A: You can send us 3 files (not bigger than 3MB) and we will decrypt it, and send it back to you. You can then decide if you want to restore the rest by paying $70 (with the 50% discount its $35) >>> Your personal ID is: F5GC-T8FC-K8OH-84MB-CERR-7W2S-LZAA-YHN0 <<<

Targets

    • Renames multiple (4311) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending a new extension to each one.

    • Drops file in Drivers directory

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

    • Drops file in System32 directory