Analysis
Platform: windows10_x64 (resource win10v20210408)
Submitted: 21/09/2021, 11:13
Max time kernel: 149s
Max time network: 141s
Tasks: static1 (static task, 0 signatures, 0 seconds); behavioral1 (behavioral task, sample BlackSun.ps1 on win10v20210408)
General
Target: BlackSun.ps1
Size: 56KB
MD5: 3ebab71cb71ca5c475202f401de008c8
SHA1: e0afcf804394abd43ad4723a0feb147f10e589cd
SHA256: e5429f2e44990b3d4e249c566fbf19741e671c0e40b809f87248d9ec9114bef9
SHA512: 0f748020d922ae0ace575267cbbaf80c2818e37a20f3556f4192c896b5c4c5eb270b1e6e88562bad74771bfef81a3ce1ebfab7ac571ba459976bf7b2bd2fdfa6
Score: 10/10
Malware Config
Extracted from: C:\Users\Admin\Desktop\BlackSun_README.txt
Ransom note:
*** BlackSun PROJECT ***
All your data has been encrypted. Documents, photos, databases, backups.
HOW CAN I GET MY DATA BACK?
Your data is not destroyed.
Your data are, however, encrypted with SSL encryption; the only way to decrypt them is to have the decryption code and software.
Don't try to decrypt the files by yourself, you will damage them and make the recovery impossible.
HOW CAN I GET THE DECRYPTION SOFTWARE?
To get the software you will have to pay a certain amount of money. (10.000 euro in Monero Cryptocurrency)
You need to contact us at this email: [email protected] and we will tell you how to pay. You have 10 days starting from now.
Emails: the contact address is shown redacted in the extracted note above.
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. For a ransomware script this is more likely a side effect of the recursive file listing (below) walking the browser profile directories than a deliberate credential grab; the report shows no read of a specific credential store.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process            PID   Hits
  powershell.exe     808   6
  powershell.exe     688   6
  powershell.exe     2036  6
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  powershell.exe (PID 808): a lone SeDebugPrivilege adjustment, then three passes over the same set, each pass being SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35 and 36 (reported by numeric LUID because the sandbox did not resolve their names). The third pass is cut off at SeIncreaseWorkingSet (33) because the listing stops at 64 entries.
  vssvc.exe (PID 1676): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (between the second and third powershell.exe passes).
  A full run from SeIncreaseQuotaPrivilege to 36 is what a single AdjustTokenPrivileges call that enables every privilege on an elevated token looks like; the script is running from an administrator desktop. Which script statement triggered each pass is not shown in the report.
- Suspicious use of WriteProcessMemory (6 IoCs, each event recorded twice)
  Source                  Target PID  Target process   procid_target
  powershell.exe (808)    68          cmd.exe          70
  powershell.exe (808)    688         powershell.exe   79
  powershell.exe (808)    2036        powershell.exe   81
  All three targets are children that PID 808 itself created, and a parent writing into a freshly created child is what ordinary process creation looks like to this hook. On its own this signature does not show injection into an unrelated process.
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 808)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BlackSun.ps1
  signatures: EnumeratesProcesses, AdjustPrivilegeToken, WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 68)
    "C:\Windows\system32\cmd.exe" /u /c "dir /a-d /b /s C:\ > C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL"
    Builds the target list: /s recurses the whole C: drive, /a-d drops directories, /b prints bare paths, and /u makes cmd write the redirected output as Unicode. The resulting temp file BlackSun_TMPALL is the file inventory the script works from.
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 688)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    signatures: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2036)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    signatures: EnumeratesProcesses
    "-Version 5.1 -s -NoLogo -NoProfile" is the command line Windows PowerShell uses to start an out-of-process background job host (Start-Job), so these two children are jobs spawned by the script, not user-typed shells; what the jobs executed is not captured in this report.
C:\Windows\system32\vssvc.exe (PID 1676)
  signatures: AdjustPrivilegeToken
  The Volume Shadow Copy service was started as a separate top-level process during the run, which is consistent with the script touching shadow copies; the report does not show the call that triggered it.
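The process tree above is the part of this report that turns into a detection most directly: a script host started with -ExecutionPolicy bypass, a cmd.exe child dumping a recursive drive listing to a file, and server-mode PowerShell children. The following is an added example, not part of the Triage report or of the sample, that applies those three checks to process-creation events. The events are hand-written in a Sysmon Event ID 1 style (Image, CommandLine, ProcessId, ParentProcessId, all assumed field names) to mirror the tree shown above; the second set is a constructed benign case.

```python
"""Score a process tree for the pattern seen in the BlackSun.ps1 report.

Constructed input, not sandbox output: each dict mimics a Sysmon Event ID 1
record with the fields this script needs. The rules are hand-written here and
are not the sandbox's signatures.
"""
import re
from collections import defaultdict

# Events mirroring the report's tree (constructed; PIDs copied from the report).
SAMPLE_EVENTS = [
    {"ProcessId": 808, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BlackSun.ps1"},
    {"ProcessId": 68, "ParentProcessId": 808,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /u /c "dir /a-d /b /s C:\ > C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL"'},
    {"ProcessId": 688, "ParentProcessId": 808,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile'},
    {"ProcessId": 2036, "ParentProcessId": 808,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile'},
]

# Constructed benign case: an admin listing a drive from a cmd window opened via Explorer.
BENIGN_EVENTS = [
    {"ProcessId": 1500, "ParentProcessId": 1200,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /s C:\ > C:\Temp\inventory.txt"},
]

# -ExecutionPolicy accepts the abbreviations -ep, -ex and -exec.
RE_BYPASS = re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I)
RE_SCRIPT_FILE = re.compile(r"-f(?:ile)?\s+\S+\.ps1\b", re.I)
# "dir <switches> <drive root> >" : a whole-drive listing redirected to a file.
RE_DRIVE_DUMP = re.compile(r"\bdir\b(?:\s+/\S+)*\s+[A-Za-z]:\\?\s*>", re.I)
RE_RECURSIVE = re.compile(r"\s/s\b", re.I)
# "-s" on its own is PowerShell server mode, the form Start-Job uses for its child host.
RE_SERVER_MODE = re.compile(r"\s-s(?=\s|$)", re.I)


def image_name(event):
    """Lower-case basename of the Image path (backslash-separated)."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding per powershell.exe root started with bypass + -File.

    Each finding lists the hits on the root and its direct children; the score
    is the number of hits, so a lone bypass launch scores 1 and the tree in the
    report scores 4.
    """
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for e in events:
        cl = e["CommandLine"]
        if image_name(e) != "powershell.exe":
            continue
        if not (RE_BYPASS.search(cl) and RE_SCRIPT_FILE.search(cl)):
            continue
        hits = ["script host started with -ExecutionPolicy bypass -File"]
        for c in children[e["ProcessId"]]:
            ccl = c["CommandLine"]
            if image_name(c) == "cmd.exe" and RE_DRIVE_DUMP.search(ccl) and RE_RECURSIVE.search(ccl):
                hits.append(f"cmd.exe {c['ProcessId']} dumps a recursive drive listing to a file")
            elif image_name(c) == "powershell.exe" and RE_SERVER_MODE.search(ccl):
                hits.append(f"powershell.exe {c['ProcessId']} started in server mode (background job host)")
        findings.append({"pid": e["ProcessId"], "hits": hits, "score": len(hits)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f['pid']} score {f['score']}")
        for h in f["hits"]:
            print("  -", h)
    print("benign findings:", analyze(BENIGN_EVENTS))
```

The checks are keyed on the parent-child relationship rather than on any single command line: a recursive dir redirected to a file is routine for an administrator, and a server-mode PowerShell child appears whenever any script calls Start-Job, but both under a bypass-policy script host is the combination this report shows. Tune RE_DRIVE_DUMP if your telemetry normalizes quoting or strips the redirection operator.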