Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Win32.KeyPass.zip

windows10-2004-x64

8

Win32.KeyPass.zip

windows10-ltsc 2021-x64

1

Win32.KeyPass.zip

windows11-21h2-x64

4

Win32.KeyPass.exe

windows10-2004-x64

10

Win32.KeyPass.exe

windows10-ltsc 2021-x64

10

Win32.KeyPass.exe

windows11-21h2-x64

10

Resubmissions

31/10/2024, 02:19 UTC

241031-crvzeswkft 10

30/10/2024, 03:56 UTC

241030-ehgrjsvldt 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Win32.KeyPass.zip

  • Size

    1.3MB

  • Sample

    241031-crvzeswkft

  • MD5

    f831ffa7faa4da66482aa252536e1b0f

  • SHA1

    aa305bd6962ebf06e26462d25140691585f85341

  • SHA256

    8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f

  • SHA512

    3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a

  • SSDEEP

    24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

Score
10/10
credential_accessdiscoverymotwpersistencephishingransomwarespywarestealer

Malware Config

Extracted

Path

C:\PerfLogs\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Price for decryption $300. This price avaliable if you contact us first 72 hours. E-mail address to contact us: BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch Reserve e-mail address to contact us: keypassdecrypt@india.com Your personal id: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0
Emails

BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch

keypassdecrypt@india.com

Targets

    • Target

      Win32.KeyPass.zip

    • Size

      1.3MB

    • MD5

      f831ffa7faa4da66482aa252536e1b0f

    • SHA1

      aa305bd6962ebf06e26462d25140691585f85341

    • SHA256

      8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f

    • SHA512

      3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a

    • SSDEEP

      24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

    Score
    8/10
    discoverymotwphishing

    • Downloads MZ/PE file

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Probable phishing domain

    behavioral1behavioral2behavioral3

    • Target

      Win32.KeyPass.bin

    • Size

      2.8MB

    • MD5

      6999c944d1c98b2739d015448c99a291

    • SHA1

      d9beb50b51c30c02326ea761b5f1ab158c73b12c

    • SHA256

      35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282

    • SHA512

      ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276

    • SSDEEP

      49152:0u1ImfQE5L1PtWHeHoQAOs1dKvHHg/o2S1pj798JGKCO8C/eZRwCr:dzV5JPtWHeHoIs1dGHHx2S1998JGKCOC

    Score
    10/10
    credential_accessdiscoverypersistenceransomwarespywarestealer

    • Renames multiple (12284) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral4behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.