Analysis

max time kernel: 157s
max time network: 173s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30/11/2022, 22:33
Static task: static1

Behavioral task: behavioral1
  Sample: 699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
  Resource: win10v2004-20220812-en
General

Target: 699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
Size: 555KB
MD5: 6d5b9675b68bac95b885b4bb294134a1
SHA1: 74dbf463be3139a28d9851b3b80c2ecac3e56304
SHA256: 699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76
SHA512: 5bc03425855057dd1f7cd9d5b61c3c895eb1ac48401aa4bd807e56560b149aefe1d9f2c7c73225f0e705923e5e2dd2d65490e1ba668dc788852ebc51f63bbe00
SSDEEP: 12288:SW0nwOZKGC9FGKRTyBQPqPgrSrMGu4fGxzWjQ9dGB3K4d:ShwVGKR+BQPqPgKM2GxzMyGhK4
Malware Config
Signatures
Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
  pid   Process
  2028  bcdedit.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  Process
  560  vssadmin.exe
  940  vssadmin.exe

Modifies registry class (3 IoCs)
  description      ioc                                                                                                                        Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon                                                                       699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.basta                                                                                   699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"          699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                       pid   Process
  Token: SeBackupPrivilege          904   vssvc.exe
  Token: SeRestorePrivilege         904   vssvc.exe
  Token: SeAuditPrivilege           904   vssvc.exe
  Token: SeShutdownPrivilege        1624  shutdown.exe
  Token: SeRemoteShutdownPrivilege  1624  shutdown.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 1984 wrote to memory of 1572   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    27
  PID 1984 wrote to memory of 1572   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    27
  PID 1984 wrote to memory of 1572   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    27
  PID 1984 wrote to memory of 1572   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    27
  PID 1572 wrote to memory of 940    1572  cmd.exe                                                                  29
  PID 1572 wrote to memory of 940    1572  cmd.exe                                                                  29
  PID 1572 wrote to memory of 940    1572  cmd.exe                                                                  29
  PID 1572 wrote to memory of 940    1572  cmd.exe                                                                  29
  PID 1984 wrote to memory of 1716   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    32
  PID 1984 wrote to memory of 1716   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    32
  PID 1984 wrote to memory of 1716   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    32
  PID 1984 wrote to memory of 1716   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    32
  PID 1716 wrote to memory of 560    1716  cmd.exe                                                                  34
  PID 1716 wrote to memory of 560    1716  cmd.exe                                                                  34
  PID 1716 wrote to memory of 560    1716  cmd.exe                                                                  34
  PID 1716 wrote to memory of 560    1716  cmd.exe                                                                  34
  PID 1984 wrote to memory of 2028   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    36
  PID 1984 wrote to memory of 2028   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    36
  PID 1984 wrote to memory of 2028   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    36
  PID 1984 wrote to memory of 2028   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    36
  PID 1984 wrote to memory of 2008   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    38
  PID 1984 wrote to memory of 2008   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    38
  PID 1984 wrote to memory of 2008   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    38
  PID 1984 wrote to memory of 2008   1984  699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe    38
  PID 2008 wrote to memory of 1624   2008  cmd.exe                                                                  40
  PID 2008 wrote to memory of 1624   2008  cmd.exe                                                                  40
  PID 2008 wrote to memory of 1624   2008  cmd.exe                                                                  40
  PID 2008 wrote to memory of 1624   2008  cmd.exe                                                                  40
Processes
Image: C:\Users\Admin\AppData\Local\Temp\699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\699aaea1598a034cde7ed88cd8a8a36fd59447e09bddef566357061774c48a76.exe"
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1984

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 1572

        Image: C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 940

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 1716

        Image: C:\Windows\SysWOW64\vssadmin.exe
        Command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 560

    Image: C:\Windows\system32\bcdedit.exe
    Command line: C:\Windows\SysNative\bcdedit.exe /set safeboot network
      - Modifies boot configuration data using bcdedit
      PID: 2028

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
      - Suspicious use of WriteProcessMemory
      PID: 2008

        Image: C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -f -t 0
          - Suspicious use of AdjustPrivilegeToken
          PID: 1624

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 904

Image: C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x0
  PID: 1104

Image: C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x1
  PID: 1728