Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/11/2022, 23:37
Behavioral task: behavioral1
Sample: affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Resource: win10v2004-20220901-en
General
Target: affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Size: 546KB
MD5: adb3cf03e9be744107e61bd7de4c26bd
SHA1: cc7ea6bb6787df664adb69022546c42f5f409653
SHA256: affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada
SHA512: ba7591375768521bf7497a6c9f3c53a7121824ed352edc043dc24ca23dbd55d8c73e37fd96ce32d45aa16b7955a1fff7bcd31f25d22624bab60d598a4e536927
SSDEEP: 12288:9+qCsxmzj5xiJn+aJ5REfBFW8ciUt0MV5OcIBpwG01:94riJnvJUfBFW8ciMbOc0b0
Malware Config
Extracted
C:\odt\readme.txt
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Signatures
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ExpandCompress.png => C:\Users\Admin\Pictures\ExpandCompress.png.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUnprotect.png => C:\Users\Admin\Pictures\OptimizeUnprotect.png.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File opened for modification | C:\Users\Admin\Pictures\PingSkip.tiff | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File renamed | C:\Users\Admin\Pictures\PingSkip.tiff => C:\Users\Admin\Pictures\PingSkip.tiff.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File renamed | C:\Users\Admin\Pictures\PingSet.png => C:\Users\Admin\Pictures\PingSet.png.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File renamed | C:\Users\Admin\Pictures\SkipFind.tif => C:\Users\Admin\Pictures\SkipFind.tif.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
File renamed | C:\Users\Admin\Pictures\CompareSend.crw => C:\Users\Admin\Pictures\CompareSend.crw.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Drops file in Program Files directory (64 IoCs)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1048 | vssadmin.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1592 | vssvc.exe
Token: SeRestorePrivilege | 1592 | vssvc.exe
Token: SeAuditPrivilege | 1592 | vssvc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4952 wrote to memory of 1004 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 83
PID 4952 wrote to memory of 1004 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 83
PID 4952 wrote to memory of 1004 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 83
PID 1004 wrote to memory of 1048 | 1004 | cmd.exe | 85
PID 1004 wrote to memory of 1048 | 1004 | cmd.exe | 85
PID 4952 wrote to memory of 1484 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 88
PID 4952 wrote to memory of 1484 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 88
PID 4952 wrote to memory of 1484 | 4952 | affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe | 88
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4952
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      PID: 1004
        C:\Windows\system32\vssadmin.exe
          Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 1048
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      PID: 1484
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1592