Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21/09/2021, 11:13

General

  • Target

    BlackSun.ps1

  • Size

    56KB

  • MD5

    3ebab71cb71ca5c475202f401de008c8

  • SHA1

    e0afcf804394abd43ad4723a0feb147f10e589cd

  • SHA256

    e5429f2e44990b3d4e249c566fbf19741e671c0e40b809f87248d9ec9114bef9

  • SHA512

    0f748020d922ae0ace575267cbbaf80c2818e37a20f3556f4192c896b5c4c5eb270b1e6e88562bad74771bfef81a3ce1ebfab7ac571ba459976bf7b2bd2fdfa6

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\BlackSun_README.txt

Ransom Note
*** BlackSun PROJECT ***

All your data has been encrypted. Documents, photos, databases, backups.

HOW CAN I GET MY DATA BACK?
Your data is not destroyed. your data are however encrypted with SSL encryption, the only way to decrypt them is to have the decryption code and software. don't try to decrypt the files by yourself, you will damage them and make the recovery impossible.

HOW CAN I GET THE DECRYPTION SOFTWARE?
To get the software you will have to pay a certain amount of money. (10.000 euro in Monero Cryptocurrency)
You need to contact us at this email: [email protected] and we will tell you how to pay.
You have 10 days starting from now.

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BlackSun.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /u /c "dir /a-d /b /s C:\ > C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL"
      2⤵
        PID:68
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
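The process tree above is the part of this report a detection engineer would turn into rules: a PowerShell started with -ExecutionPolicy bypass on a script in the user's Temp folder, a cmd.exe child that writes a recursive listing of the whole C: drive to a temp file (target staging before encryption), two PowerShell workers spawned in server mode (-s, the form PowerShell background jobs use), and the Volume Shadow Copy service (vssvc.exe) starting during the run. The Python below is an added example, not tria.ge's signature logic and not anything from the BlackSun script; the event list is constructed by hand from the PIDs and command lines printed above, the rule and tag names are my own, and the script deliberately does not claim shadow copies were deleted because the report shows no vssadmin or WMI command, only that the VSS service was started.

```python
"""Process-tree detection for the BlackSun run shown in this report.

Added example for this page, not tria.ge or BlackSun code. SAMPLE_EVENTS is
constructed to mirror the Processes section in the shape a parsed Sysmon
Event ID 1 / EDR process-create feed would give.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for the two roots the report draws at depth 1
    image: str
    cmdline: str


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry; PIDs and command lines copied from the report.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(808, None, PS_IMAGE,
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BlackSun.ps1"),
    ProcEvent(68, 808, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /u /c "dir /a-d /b /s C:\ > C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL"'),
    ProcEvent(688, 808, PS_IMAGE, f'"{PS_IMAGE}" -Version 5.1 -s -NoLogo -NoProfile'),
    ProcEvent(2036, 808, PS_IMAGE, f'"{PS_IMAGE}" -Version 5.1 -s -NoLogo -NoProfile'),
    ProcEvent(1676, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

Rule = Callable[[ProcEvent, Optional[ProcEvent]], Optional[str]]


def _name(path: str) -> str:
    """Lower-cased basename of an image path (handles both slash styles)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def ps_bypass_from_temp(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """PowerShell run with execution policy bypassed on a script under a Temp folder."""
    cl = ev.cmdline.lower()
    if _name(ev.image) != "powershell.exe":
        return None
    if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", cl) and re.search(r"-file\s+\S*\\temp\\", cl):
        return "powershell_bypass_script_in_temp"
    return None


def cmd_recursive_dir_from_ps(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """cmd.exe spawned by PowerShell that writes a recursive dir listing (/s) to a file."""
    cl = ev.cmdline.lower()
    if _name(ev.image) != "cmd.exe" or parent is None or _name(parent.image) != "powershell.exe":
        return None
    if re.search(r"\bdir\b[^>]*\s/s\b[^>]*>\s*\S+", cl):
        return "cmd_recursive_dir_listing_to_file"
    return None


def ps_spawns_ps_server_mode(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """PowerShell child of PowerShell started with -s (server mode, background job worker)."""
    if _name(ev.image) != "powershell.exe" or parent is None or _name(parent.image) != "powershell.exe":
        return None
    if "-s" in ev.cmdline.lower().split():
        return "powershell_child_server_mode"
    return None


def vss_service_started(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """vssvc.exe started: something called into Volume Shadow Copy. Only shows VSS was
    touched; a deletion would need a vssadmin/wmic/WMI command, which this report lacks."""
    return "vss_service_started" if _name(ev.image) == "vssvc.exe" else None


RULES: List[Rule] = [ps_bypass_from_temp, cmd_recursive_dir_from_ps,
                     ps_spawns_ps_server_mode, vss_service_started]


def analyze(events: List[ProcEvent]) -> Dict[str, object]:
    """Run every rule over every event and score by the number of distinct indicators."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        for rule in RULES:
            tag = rule(ev, parent)
            if tag:
                findings.append((ev.pid, tag))
    score = len({tag for _, tag in findings})
    verdict = "none" if score == 0 else ("low" if score < 3 else "high")
    return {"findings": findings, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, tag in result["findings"]:
        print(f"PID {pid}: {tag}")
    print(f"score={result['score']} verdict={result['verdict']}")
```

Each rule on its own is noisy (administrators bypass execution policy, and vssvc.exe starts for every legitimate backup), which is why the verdict comes from how many distinct indicators appear in one run rather than from any single hit; on the tree above all four fire, while a plain `-ExecutionPolicy bypass -File C:\Scripts\Deploy.ps1` followed by a non-recursive `dir` scores nothing.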

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/688-745-0x000001F91CF06000-0x000001F91CF08000-memory.dmp

      Filesize

      8KB

    • memory/688-740-0x000001F91CF03000-0x000001F91CF05000-memory.dmp

      Filesize

      8KB

    • memory/688-737-0x000001F91CF00000-0x000001F91CF02000-memory.dmp

      Filesize

      8KB

    • memory/808-338-0x000001A4445A0000-0x000001A4445A1000-memory.dmp

      Filesize

      4KB

    • memory/808-118-0x000001A442100000-0x000001A442101000-memory.dmp

      Filesize

      4KB

    • memory/808-515-0x000001A444AD0000-0x000001A444AD1000-memory.dmp

      Filesize

      4KB

    • memory/808-676-0x000001A4445F0000-0x000001A4445F1000-memory.dmp

      Filesize

      4KB

    • memory/808-696-0x000001A4445F0000-0x000001A4445F1000-memory.dmp

      Filesize

      4KB

    • memory/808-339-0x000001A4421B8000-0x000001A4421BA000-memory.dmp

      Filesize

      8KB

    • memory/808-122-0x000001A4421B0000-0x000001A4421B2000-memory.dmp

      Filesize

      8KB

    • memory/808-514-0x000001A444740000-0x000001A444741000-memory.dmp

      Filesize

      4KB

    • memory/808-121-0x000001A4423C0000-0x000001A4423C1000-memory.dmp

      Filesize

      4KB

    • memory/808-152-0x000001A4421B6000-0x000001A4421B8000-memory.dmp

      Filesize

      8KB

    • memory/808-123-0x000001A4421B3000-0x000001A4421B5000-memory.dmp

      Filesize

      8KB

    • memory/2036-744-0x000002C4688E3000-0x000002C4688E5000-memory.dmp

      Filesize

      8KB

    • memory/2036-742-0x000002C4688E0000-0x000002C4688E2000-memory.dmp

      Filesize

      8KB

    • memory/2036-800-0x000002C4688E6000-0x000002C4688E8000-memory.dmp

      Filesize

      8KB