General

  • Target

    underground_19476853362.zip

  • Size

    263KB

  • Sample

    241022-s1h9zssbre

  • MD5

    2e221450145b4cc518dde3dab8a9a16b

  • SHA1

    f1dc9ed7ac09f4e49b3405d9f8a5889d29e40c9e

  • SHA256

    6b8f437952b810764ae0e7350f427a254bdd38e2d24ae5bde008d0bc2f9e766c

  • SHA512

    2511a577e7ba70298dfdfaf00f71bbfe9fcff121a67f98c5bc7261652d5bdb933f19889260a89591e565d69ac30073dd3ef95048ffa38515bdca4b23a7ea66b9

  • SSDEEP

    3072:E7C6CZRdxz5gme1ySYC6dE6xWVbS9DI7OrUcUPKlnphkJVZ8JmqpMKVFoDBsoulQ:dtJgRi7IpSdVrURuWJ72ZKTBQr3WDVd

Malware Config

Extracted

Path

C:\Program Files\7-Zip\!!readme!!!.txt

Family

underground

Ransom Note
The Underground team welcomes you! We would like to inform that your network has been tested by us for vulnerabilities. Poor network security could cause your data to be lost forever. Your files are currently encrypted, they can be restored to their original state with a decryptor key that only we have. The key is in a single copy on our server. Attempting to recover data by your own efforts may result in data loss. It is important not to change their current state. Each file additionally has a unique cipher, which you can restore only with our help. We also examined your infrastructure and downloaded the most sensitive data. The list of hosts from which the information was downloaded: - 172.16.10.77 (NBA230.tpa.local) - 172.16.10.51 (SBAFS02.TPA.LOCAL) - 172.16.10.75 (NBA191.tpa.local) - 172.16.10.85 (NBA235.tpa.local) - 172.16.10.87 (NBA254.tpa.local) - 10.10.10.30 Synology (access via OpenVPN 46.29.3.77:1194) ---------------------------------- -email communications with clients that contain confidential agreements -accounting and tax reports for each client -audit documents -companys and clients financial documents -clients passports/ID's and private information -documents contain privileged and confidential information -password-protected documents from a bank -payroll data -company financial and performance data -employees personal information (Tc Identification Numbers) The total amount of downloaded information more than 200 Gb If you do not contact us within 3 days, or we cannot reach an agreement, all data will be published on a site that no one can block. Confidential data can be helpful for your competitors, enemies and darknet market hackers from over the world. The consequences will be unpredictable and the process cannot be stopped. Information about data leaks is bound to get into the media. Your company's reputation will be damaged. We value and respect every business, including yours. 
Therefore, we suggest you avoid further negative consequences and return to your work as soon as possible. We guarantee a fair and confidential deal in the shortest possible time. You will not only receive a decryptor, but also a description of your network vulnerabilities and information security recommendations. If necessary, you will be provided with qualified data recovery assistance. You can trust us! Reputation is important to everyone. As a proof of our statements, we are ready to restore some files for free and demonstrate how our product works. Best regards, Underground team ! Contacts for communication via chat: login to your account (Tor Browser) http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd.onion/ your login: TPA your password: 7knCN#zQo@zuDZi your ID: dc6cb895e1681c716fcbbea57a8417a2
URLs

http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd.onion/

Targets

    • Target

      02de715f147fa4365150fbc1f576622026cc4f60cc1316b5c3052dbeac72ec3f

    • Size

      483KB

    • MD5

      85e91593b75daba22988bb251400853a

    • SHA1

      713d55c60af03c21afb7a37ccc49e17b9a06e257

    • SHA256

      02de715f147fa4365150fbc1f576622026cc4f60cc1316b5c3052dbeac72ec3f

    • SHA512

      9be6bd0d7606182e162bafbc2f369c3bd24a5edf3b2a35c726cb92a22c44f6aab17c64367753a01e600adb3dec91eb3f3de1dcee46dae10d872d7b1c9f6d4112

    • SSDEEP

      6144:SlbX0Y1DgsOKCGHqC4InJnPm14HaQ/L8VfefRIUcwC/19KKNQA0EQrB2z/sG8d:Slrbe9GCInJPmOHOVfC7i14Gv0EQrB

    • Underground Team

      Underground Team is a ransomware family first seen in July 2023 that is primarily distributed by exploiting vulnerabilities.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops desktop.ini file(s)

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
