Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike
-
Size
624KB
-
Sample
241001-qm6f9a1gjk
-
MD5
602d720f1184d2ad739568cbf6403331
-
SHA1
c5f349be3ed0591acbe52160cb6bf5acbfbfb91f
-
SHA256
6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
-
SHA512
9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653
-
SSDEEP
12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
F:\!!!READ_ME_MEDUSA!!!.txt
https://t.me/+yXOcSjVjI9tjM2E0
http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/
http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/
http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c
Targets
-
-
Target
2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike
-
Size
624KB
-
MD5
602d720f1184d2ad739568cbf6403331
-
SHA1
c5f349be3ed0591acbe52160cb6bf5acbfbfb91f
-
SHA256
6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de
-
SHA512
9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653
-
SSDEEP
12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ
-
Medusa Ransomware
Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8855) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Drops startup file
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Share Discovery
1Peripheral Device Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
1System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1