Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

48976d7bf3...bb.exe

windows7-x64

48976d7bf3...bb.exe

windows10-2004-x64

Analysis

  • max time kernel
    11s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15/12/2022, 16:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe

  • Size

    555KB

  • MD5

    eff424376edca5680b90ea9fedad163d

  • SHA1

    3c13c1e54d2d7991c1c3452ae89888a8e7a47763

  • SHA256

    48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb

  • SHA512

    5acc904da2b8f3371a5696194b4a6fa7c3e735b0bbe74a507efb56782e6fc604f9bd3abf7a3af5f57325c7115de3ac9cd499086430d0d4fbe81b46a57539f068

  • SSDEEP

    12288:Y4LNVuczF0QdQsJlehKRwYgJcViFYvgNv+5jGbRFhVoj4d:xvn2sJlBRwYgJcVNE+5jU8j4

Score
10/10
blackbastaevasionransomware

Malware Config

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe
    "C:\Users\Admin\AppData\Local\Temp\48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1596
    • C:\Windows\system32\bcdedit.exe
      C:\Windows\SysNative\bcdedit.exe /set safeboot network
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -f -t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:952
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1056
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:972
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1380

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/972-62-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1348-54-0x0000000075881000-0x0000000075883000-memory.dmp

        Filesize

        8KB

        Download