Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike

  • Size

    624KB

  • Sample

    241001-qm6f9a1gjk

  • MD5

    602d720f1184d2ad739568cbf6403331

  • SHA1

    c5f349be3ed0591acbe52160cb6bf5acbfbfb91f

  • SHA256

    6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de

  • SHA512

    9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653

  • SSDEEP

    12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ

Malware Config

Extracted

Path

F:\!!!READ_ME_MEDUSA!!!.txt

Ransom Note
$$\ $$\ $$$$$$$$\ $$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$\ $$$ |$$ _____|$$ __$$\ $$ | $$ |$$ __$$\ $$ __$$\ $$$$\ $$$$ |$$ | $$ | $$ |$$ | $$ |$$ / \__|$$ / $$ | $$\$$\$$ $$ |$$$$$\ $$ | $$ |$$ | $$ |\$$$$$$\ $$$$$$$$ | $$ \$$$ $$ |$$ __| $$ | $$ |$$ | $$ | \____$$\ $$ __$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ |$$\ $$ |$$ | $$ | $$ | \_/ $$ |$$$$$$$$\ $$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | \__| \__|\________|\_______/ \______/ \______/ \__| \__| -----------------------------[ Hello, EFI !!! ]-------------------------- Sorry to interrupt your busy business. WHAT HAPPEND? ------------------------------------------------------------ 1. We have PENETRATE your network and COPIED data. We have penetrated your entire network and researched all about your data. And we have copied terabytes of all your confidential data and uploaded to private storage. * You're running a highly valued business and your data was very crucial. 2. We have ENCRYPTED your files. While you are reading this message, it means your files and data has been ENCRYPTED by world's strongest ransomware. Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files. But don't worry, we can decrypt your files. There is only one possible way to get back your computers and servers, keep your privacy safe - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs. This MEDUSA DECRYPTOR will restore your entire network within less than 1 business day. WHAT GUARANTEES? --------------------------------------------------------------- We can post all of your critial data to the public and send emails to your competitors. We have professional OSINTs and media team for leak data to telegram, facebook, twitter channels and top news websites. You can easily search about us. You can suffer significant problems due to disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, and legal and regulatory issues. After paying for the data breach and decryption, we guarantee that your data will never be leaked and make everything silent, this is also for our reputation. YOU should be AWARE! --------------------------------------------------------------- We will speak only with an authorized person. It can be the CEO, top management etc. In case you ar not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm! If you do not contact us within 48 hours, We will start publish your case to our official blog and everybody will start notice your incident! --------------------[ Telegram channel ]-------------------- https://t.me/+yXOcSjVjI9tjM2E0 --------------------[ Official blog tor address ]-------------------- Using TOR Browser(https://www.torproject.org/download/): http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/ http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/ CONTACT US! ----------------------[ Your company live chat address ]--------------------------- Using TOR Browser(https://www.torproject.org/download/): http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c Backup Mirrors: http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c --------------------[ Or Use Tox Chat Program(https://utox.org/uTox_win64.exe) ]-------------------- Add user with our tox ID : 061AA6BDE8F6DE6C92F0D6E077359BF6911FCAF80030E82B3A3DB65E63C8011343D34F956FEC Our support email: ( [email protected] ) Company identification hash: da23e1305d2c642e0f67eddf2cd80d0ef5422b2f37bf502fbdd19aff0257b67b
URLs

https://t.me/+yXOcSjVjI9tjM2E0

http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/

http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion/

http://uyku4o2yg34ekvjtszg6gu7cvjzm6hyszhtu7c55iyuzhpr4k5knewyd.onion/a77c24570a19cb51d434a89d9e7c6e9c

http://5ar4vuckm3k7osdlzskqkaqmqr4jjpmdikuotmlpkrbsxx7ard3xetyd.onion/a77c24570a19cb51d434a89d9e7c6e9c

Targets

    • Target

      2024-10-01_602d720f1184d2ad739568cbf6403331_avoslocker_cobalt-strike

    • Size

      624KB

    • MD5

      602d720f1184d2ad739568cbf6403331

    • SHA1

      c5f349be3ed0591acbe52160cb6bf5acbfbfb91f

    • SHA256

      6b807f9f7c8f24f436b0bab25cb38583bf4c051ea779fcdbb215af8a9a7f64de

    • SHA512

      9e4a83ed0d329b79b79f75e493af4457bbd7999293ddd3d5c7010701cfc3a28c84d99a3bffbbcfaadad5a1dd8daf927202dd8911246f3ff2f94f57860f7ad653

    • SSDEEP

      12288:GhdW6SX6bEpZqRMsHcrnjjZV9StQ5Hs5yFAgks8B4lDBJsH3Jt5+REn8Ic04qKYb:kB36aAJmVSvGWEcXvvKw4IRRs3WPOFTJ

    • Medusa Ransomware

      Ransomware first identified in 2022 that is distinct from the similarly named ransomware family MedusaLocker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8855) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempt to gather information on host network.

MITRE ATT&CK Enterprise v15

Tasks