General

  • Target

    sample

  • Size

    618KB

  • Sample

    250327-fvl3gaxxcw

  • MD5

    af8cec81deb0208b8605a889a59bd26d

  • SHA1

    48a20f787fc0db6f6bee2337674ddcb9ece1648b

  • SHA256

    9196467735372f002396284182af87af8e3d58698e9bb23eb06fdaf8810de866

  • SHA512

    497cf9257cac86e03eddd7ed4882a0aa758b6a8056f4561aeac8cbaf78a864ae3e3c82b25a3f043abb08331a4e6b5f827a98e6ceb6a0a1b8002269748efdd209

  • SSDEEP

    6144:kluxADxAtxAqxAjxAaxA6xA4xANxALxAU5vLGddzuZtcu:kkxgx4xzx8xjxvxbx2xqxt5TG/zsb

Malware Config

Extracted

Path

C:\MSOCache\!satana!.txt

Ransom Note
You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!>
To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc
After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions.
All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible!
Decryption of your files is possible only on your PC!
Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server.
Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system.
Read carefully this warning as it is no longer able to see at startup of the computer.
We remind once again- it is all serious! Do not touch the configuration of your computer!
E-mail: [email protected] - this is our mail
CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send
BTC: XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T here need to pay 0,5 bitcoins
How to pay on the Bitcoin wallet you can easily find on the Internet.
Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer.
Good luck! May God help you! <!SATANA!>
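The extracted note carries the indicators a responder actually wants (victim code, wallet, amount, note path). As an added example that is not part of the sandbox report, the following script pulls those out of the note text and additionally checks whether the wallet string is a well-formed legacy Bitcoin address (Base58Check with version byte 0x00 or 0x05). The note text is constructed here from the page (abridged); the attacker e-mail is redacted on the page, so the e-mail list comes back empty for this input. Function names and the regexes are this example's own.

```python
import hashlib
import re

# Ransom note as shown in the report's "Malware Config" section. Constructed here
# from the page text (abridged); the attacker e-mail is redacted on the page, so
# the e-mail list below comes back empty for this input.
NOTE_PATH = r"C:\MSOCache\!satana!.txt"
NOTE_TEXT = (
    "You had bad luck.There was crypting of all your files in a FS bootkit virus "
    "<!SATANA!> To decrypt you need send on this E-mail: [email protected] your "
    "private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: "
    "XjU81vkJn4kExpBE2r92tcA3zXVdbfux6T total 0,5 btc"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(addr):
    """Return the payload of a Base58Check string, or None if it fails to decode."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Every leading '1' in the string stands for one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_legacy_btc_address(addr):
    """True for a well-formed mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = base58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def extract_iocs(note, path=None):
    """Pull the indicators a responder wants out of a ransom note."""
    # Base58 alphabet, 26-35 chars: candidate wallet strings.
    wallets = re.findall(r"\b[1-9A-HJ-NP-Za-km-z]{26,35}\b", note)
    amount = re.search(r"(\d+[.,]\d+)\s*(?:btc|bitcoins?)\b", note, re.I)
    return {
        "note_path": path,
        "emails": re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", note),
        "victim_codes": re.findall(r"\b[0-9A-F]{32}\b", note),
        "wallets": wallets,
        "wallet_checks": {w: is_legacy_btc_address(w) for w in wallets},
        "btc_amount": amount.group(1) if amount else None,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE_TEXT, NOTE_PATH).items():
        print(f"{key}: {value}")
```

The wallet check is a syntax check only: a string that passes is still only a candidate, and a string that fails (as the one in this note does) is either mangled in the note or not a legacy address at all, which is worth knowing before anyone pivots on it.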

Targets

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Badrabbit family

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Mimikatz family

    • Modifies visibility of file extensions in Explorer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Troldesh family

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
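The behaviours above are the sandbox's signature names. As an added example that is not triage's own detection logic, the script below shows how five of them (shadow copy deletion, Run key persistence, hiding file extensions, an MBR write, and an Office application spawning a shell) can be matched over a stream of sandbox-style events. The event schema, the sample events, the helper and rule names are all assumptions made for this example.

```python
import re

# Constructed events in a sandbox-like schema (assumed for this example, not
# triage's own format): process creations, registry writes and raw disk writes.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Users\user\sample.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\user\AppData\Roaming\updater.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "value": 1},
    {"type": "device_write", "image": r"C:\Users\user\sample.exe",
     "device": r"\\.\PhysicalDrive0", "offset": 0, "length": 512},
    {"type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c start sample.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog)", re.I)


def basename(path):
    """Last component of a Windows path, lower-cased (os.path won't split '\\' on POSIX)."""
    return path.rsplit("\\", 1)[-1].lower()


def sig_deletes_shadow_copies(ev):
    return ev["type"] == "process_create" and SHADOW_DELETE.search(ev["cmdline"]) is not None


def sig_adds_run_key(ev):
    return ev["type"] == "registry_set" and re.search(
        r"\\CurrentVersion\\Run(Once)?\\", ev["key"], re.I) is not None


def sig_hides_file_extensions(ev):
    # HideFileExt=1 makes "invoice.pdf.exe" show up as "invoice.pdf" in Explorer.
    return (ev["type"] == "registry_set"
            and basename(ev["key"]) == "hidefileext"
            and str(ev["value"]) == "1")


def sig_writes_mbr(ev):
    # The MBR is the first sector of a physical drive; any other offset is a plain disk write.
    return (ev["type"] == "device_write"
            and re.fullmatch(r"\\\\\.\\PhysicalDrive\d+", ev["device"], re.I) is not None
            and ev["offset"] == 0)


def sig_unexpected_child(ev):
    return (ev["type"] == "process_create"
            and basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) in SUSPICIOUS_CHILDREN)


# Keyed by the signature names used in the report above.
SIGNATURES = {
    "Deletes shadow copies": sig_deletes_shadow_copies,
    "Adds Run key to start application": sig_adds_run_key,
    "Modifies visibility of file extensions in Explorer": sig_hides_file_extensions,
    "Writes to the Master Boot Record (MBR)": sig_writes_mbr,
    "Process spawned unexpected child process": sig_unexpected_child,
}


def run_signatures(events):
    """Return the set of signature names that fire on at least one event."""
    return {name for name, rule in SIGNATURES.items() if any(rule(ev) for ev in events)}


if __name__ == "__main__":
    for name in sorted(run_signatures(SAMPLE_EVENTS)):
        print(name)
```

Each rule keys on the one attribute that gives the behaviour away (command line for vssadmin, the Run subkey path, the HideFileExt value, offset 0 on a PhysicalDrive handle, the parent/child image pair), so the benign notepad event at the end fires nothing while the other five each trip exactly one rule.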
