Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    157s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/11/2022, 22:33

General

  • Target

    699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe

  • Size

    555KB

  • MD5

    6d5b9675b68bac95b885b4bb294134a1

  • SHA1

    74dbf463be3139a28d9851b3b80c2ecac3e56304

  • SHA256

    699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76

  • SHA512

    5bc03425855057dd1f7cd9d5b61c3c895eb1ac48401aa4bd807e56560b149aefe1d9f2c7c73225f0e705923e5e2dd2d65490e1ba668dc788852ebc51f63bbe00

  • SSDEEP

    12288:SW0nwOZKGC9FGKRTyBQPqPgrSrMGu4fGxzWjQ9dGB3K4d:ShwVGKR+BQPqPgKM2GxzMyGhK4

Malware Config

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
    "C:\Users\Admin\AppData\Local\Temp\699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:940
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:560
    • C:\Windows\system32\bcdedit.exe
      C:\Windows\SysNative\bcdedit.exe /set safeboot network
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -f -t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:904
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1104
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1728

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1104-62-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

        Filesize

        8KB

      • memory/1984-54-0x0000000075041000-0x0000000075043000-memory.dmp

        Filesize

        8KB