Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

653da5127b...33.exe

windows7-x64

10

653da5127b...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    653da5127b0ecbc5c373ce510c0d5191f61f2df912c9b6f4989aa3775933bc33.exe

  • Size

    464KB

  • MD5

    1c9880912a1c9229b4c3120dcbfd1322

  • SHA1

    0ae047b7fe5d688638b9a33423c754c911d4dbe4

  • SHA256

    653da5127b0ecbc5c373ce510c0d5191f61f2df912c9b6f4989aa3775933bc33

  • SHA512

    e7df5a6da7ff6d1878bd670e963d80cb060f1e6e5c8c729c0181f1f97ddd0293a0233886e7c8fd6275afc654b99642ba9d756303ebfdee153ba84c024b389fef

  • SSDEEP

    6144:GeafQzobGtL9sNP3IlXt4HSS53/7krnpMIg3D/Io5hTvpKqXy2dlFGYOxEpXir7s:SfQ5tLcSf27FFDXRRdf0UPb

Score
10/10
blackbastaransomware

Malware Config

Extracted

Path

C:\MSOCache\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: eeded09d-2ac0-4e69-bf25-875cd524e744
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\653da5127b0ecbc5c373ce510c0d5191f61f2df912c9b6f4989aa3775933bc33.exe
    "C:\Users\Admin\AppData\Local\Temp\653da5127b0ecbc5c373ce510c0d5191f61f2df912c9b6f4989aa3775933bc33.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1188
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1504

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

    Filesize

    8KB

    Download

  • memory/852-57-0x0000000000130000-0x0000000000198000-memory.dmp

    Filesize

    416KB

    Download

  • memory/852-58-0x00000000010A0000-0x0000000001130000-memory.dmp

    Filesize

    576KB

    Download