General

  • Target

    a54ef676ed88e1b7a5c61f7cb652ef0bfd59cff076e7c45e535c19f742a3216cN.exe

  • Size

    767KB

  • Sample

    250224-r32nnsxqy4

  • MD5

    cace46a66add9416a9657af4819556f0

  • SHA1

    c847bd2a4657be55ce0ff7069ae8e16d5878f09e

  • SHA256

    a54ef676ed88e1b7a5c61f7cb652ef0bfd59cff076e7c45e535c19f742a3216c

  • SHA512

    e985c7dad6614e7d54a6f4b1a8ceb5882908abdbda2f189ed3e7894575f4207c702a1d3fc8defdc31b3fd264a31630a5027f530b59f35c85ae783f593eef6b7b

  • SSDEEP

    12288:7GqN/XdctpVtkMtsyDqBQ0tA3nyF0Fh0zJmViYV5yvQX05oWI:lNcBtkUqBQ0tknx5yIXgoWI

Malware Config

Targets

    • Jigsaw Ransomware

      Ransomware family first seen in 2016, named after the wallpaper it sets after infection in its early versions.

    • Jigsaw family

    • Renames multiple (2006) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and renaming them.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks