Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    80s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/11/2022, 22:30

General

  • Target

    15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4.exe

  • Size

    545KB

  • MD5

    6a202e9a95f58938d02385e31d43ed87

  • SHA1

    53628c7a155ccb7af1135140083939018d3587f1

  • SHA256

    15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4

  • SHA512

    c6684838b84499dc97c75f33c1d3be29c654b90d2f0293c33af6a986facc8a673275a0f33a82f43aa1a8e67684b07092e462b1e2c309450a9ec0486ec7b4a7d1

  • SSDEEP

    12288:tM9fIMGezCq1kWOgb/VPFAQxSNJ4krheZfIVWRkn8oXdd6:hbq1kWJb9PFAQxgJheZfY8gdI

Score
10/10

Malware Config

Extracted

Path

C:\odt\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: ea3d3d33-1635-47f7-a1a4-0078267b30bb
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4.exe
    "C:\Users\Admin\AppData\Local\Temp\15abbff9fbce7f5782c1654775938dcd2ce0a8ebd683a008547f8a4e421888c4.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
        PID:2860
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3404

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads