Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

81515e1c72...c9.exe

windows7-x64

10

81515e1c72...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe

  • Size

    454KB

  • MD5

    30e360b69234e2f71a80a301ed582400

  • SHA1

    318d227272b198311ef9eb8e6721237c0f90fcd2

  • SHA256

    81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9

  • SHA512

    c5faea951492771eb9847536c03e0287e20d89f3c691861de78ae897ef2aed1c81fe4a4ab80ee49e9c46df516aa99babdae96aedecf94f0ada84681631048e40

  • SSDEEP

    6144:+ZyHOgf1NEoVAtlu8PN8yOqbXaDlnNahH7g5llqocky89guv7J/hSNcPMK7Codus:+vIgtlu8Pcail6bg53LRvuNcVG+GK

Score
10/10
blackbastaransomware

Malware Config

Extracted

Path

C:\odt\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: aa6b49d0-713d-46fb-b7ac-fb5605e2ac0a
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
    "C:\Users\Admin\AppData\Local\Temp\81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
        PID:3208
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2840

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4384-134-0x00000000029C0000-0x0000000002A28000-memory.dmp

      Filesize

      416KB

      Download

    • memory/4384-135-0x00000000004B0000-0x0000000000540000-memory.dmp

      Filesize

      576KB

      Download

    • memory/4384-137-0x00000000004B0000-0x0000000000540000-memory.dmp

      Filesize

      576KB

      Download