General

- Target: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia
- Size: 225KB
- Sample: 250119-dl6dmstrdj
- MD5: f9b9fca8d0582074c127358a01079b93
- SHA1: b8e4f0e7b4389ab5aff7f89444f915c6b59f65fd
- SHA256: 650d7baf827dcb92f8209d003892b068f1cbf615e5149b9c27da88166b6f44e3
- SHA512: bab1f20ef5199986966d0d55e5c91a213c595a060f8b0b7ae359163b3a72253da7cd434efd91300353e38b40a72ff6e6c4638c7d4a0e1ad66d4b8e449d05e520
- SSDEEP: 3072:9kR7Gqi0YCmfua54i3Yk44qpW6FNplXFbP6BBNzN9nGb08z8E2oySq3SpZ5+JC+:9kl0Ga5uk41pW6Nl1Gn5ngV2fS+Sp2B
Static task: static1

Behavioral task: behavioral1
- Sample: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia.exe
- Resource: win10v2004-20241007-en
Malware Config

Extracted from F:\$RECYCLE.BIN\KRAB-DECRYPT.txt:
  http://gandcrabmfe6mnef.onion/53af8216ff661482

Extracted from C:\$Recycle.Bin\KRAB-DECRYPT.txt:
  http://gandcrabmfe6mnef.onion/e7c86b44e4337006
Targets

- Target: 2025-01-19_f9b9fca8d0582074c127358a01079b93_mafia
- Gandcrab family
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (269) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15

Defense Evasion
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)

Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)