Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    185s
  • max time network
    258s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30/11/2022, 23:37

General

  • Target

    affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe

  • Size

    546KB

  • MD5

    adb3cf03e9be744107e61bd7de4c26bd

  • SHA1

    cc7ea6bb6787df664adb69022546c42f5f409653

  • SHA256

    affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada

  • SHA512

    ba7591375768521bf7497a6c9f3c53a7121824ed352edc043dc24ca23dbd55d8c73e37fd96ce32d45aa16b7955a1fff7bcd31f25d22624bab60d598a4e536927

  • SSDEEP

    12288:9+qCsxmzj5xiJn+aJ5REfBFW8ciUt0MV5OcIBpwG01:94riJnvJUfBFW8ciMbOc0b0

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 05d09847-9593-4dc6-95aa-61587e40e103
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
    "C:\Users\Admin\AppData\Local\Temp\affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/572-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

    Filesize

    8KB