
Analysis

  • max time kernel
    900s
  • max time network
    844s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
  • submitted
    24/12/2024, 04:43

General

  • Target

    https://bastains.com/click.php?key=5ethf9grt8e5728e381w&cid=1734754266100010TUSTV62601R284R8204Reb90Rd317Re354Rc5f5Rc4396Ve1&cost=0.001236819&zone=8999102-1356418374-4269441498&campaign=418400220

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Family

blackbasta

Ransom Note (note: the text shown below is the Edge profile's Preferences JSON from the path listed above, not ransom-note text; the only activity recorded in this run is msedge.exe opening the target URL, so the blackbasta family attribution looks like a config-extractor mismatch and should be confirmed against other evidence before being acted on)
{"account_id_migration_state":2,"account_tracker_service_last_update":"13379489325731208","alternate_error_pages":{"backup":true},"autocomplete":{"retention_policy_last_version":92},"autofill":{"orphan_rows_removed":true},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"window_placement":{"bottom":670,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":680,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":609,"browser_content_container_width":1280,"browser_content_container_x":0,"browser_content_container_y":71,"countryid_at_install":21843,"custom_links":{"list":[]},"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1918"],"daily_received_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1918"],"last_update_date":"13372732800000000","this_week_number":2868,"this_week_services_downstream_foreground_kb":{"112189210":1,"67541500":3}},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13379489325731208"},"download":{"directory_upgrade":true},"dual_engine":{"consumer_sitelist_location":"","consumer_sitelist_version":"","profile_id":"FZ3AMVMR","shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_version":""},"edge":{"profile_sso_info":{"aad_sso_algo_state":1,"is_first_profile":true},"profile_sso_option":1,"services":{"signin_scoped_device_id":"838d42f1-3787-4c16-b9fb-b94c578733b5"}},"extensions":{"a
lerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"92.0.902.67","pinned_extension_migration":true,"pinned_extensions":[]},"family_safety":{"activity_reporting_enabled":false,"web_filtering_enabled":false},"http_original_content_length":"1918","http_received_content_length":"1918","intl":{"selected_languages":"en-US,en"},"language_model_counters":{"en":1},"media":{"device_id_salt":"F469084D7FE702753CCA7CE230A4B955","engagement":{"schema_version":4}},"media_router":{"receiver_id_hash_token":"9oX1fm0c5pIwiRHg0rxRIkMCaVHUkMins08jD1JhwnthBTrySZ6Q4lDCSAzwVrMp4ZPvQFnlqKCH1Y9YdmD2Dg=="},"ntp":{"num_personal_suggestions":1},"nurturing":{"recommended_settings_variants":-1},"plugins":{"plugins_list":[]},"privacy_sandbox":{"preferences_reconciled":true},"profile":{"avatar_bubble_tutorial_shown":2,"avatar_index":20,"content_settings":{"enable_quiet_permission_ui_enabling_method":{"notifications":2},"exceptions":{"accessibility_events":{},"app_banner":{},"ar":{},"auto_select_certificate":{},"automatic_downloads":{},"autoplay":{},"background_sync":{},"bluetooth_chooser_data":{},"bluetooth_guard":{},"bluetooth_scanning":{},"camera_pan_tilt_zoom":{},"clear_browsing_data_cookies_exceptions":{},"client_hints":{},"clipboard":{},"cookies":{},"durable_storage":{},"file_handling":{},"file_system_access_chooser_data":{},"file_system_last_picked_directory":{},"file_system_read_guard":{},"file_system_write_guard":{},"font_access":{},"geolocation":{},"hid_chooser_data":{},"hid_guard":{},"idle_detection":{},"images":{},"important_site_info":{},"insecure_private_network":{},"installed_web_app_metadata":{},"intent_picker_auto_display":{},"javascript":{},"legacy_cookie_access":{},"media_engagement":{},"media_stream_camera":{},"media_stream_mic":{},"midi_sysex":{},"mixed_script":{},"nfc":{},"notifications":{},"password_protection":{},"payment_handler":{},"permission_autoblocking_data":{},"permission_autorevocation_data":{},"popups":{},"ppapi_broker":{},"protected_media_id
entifier":{},"protocol_handler":{},"safe_browsing_url_check_data":{},"sensors":{},"serial_chooser_data":{},"serial_guard":{},"site_engagement":{"https://bastains.com:443,*":{"expiration":"0","last_modified":"13379489326983208","model":0,"setting":{"decayModifiedScore":3.0,"lastEngagementTime":1.3379489326983208e+16,"lastShortcutLaunchTime":0.0,"pointsAddedToday":3.0,"rawScore":3.0}}},"sleeping_tabs":{},"sound":{},"ssl_cert_decisions":{},"storage_access":{},"subresource_filter":{},"subresource_filter_data":{},"token_binding":{},"trackers":{},"trackers_data":{},"tracking_org_exceptions":{},"tracking_org_relationships":{},"usb_chooser_data":{},"usb_guard":{},"vr":{},"webid_request":{},"webid_share":{},"window_placement":{}},"pref_version":1},"created_by_version":"92.0.902.67","creation_time":"13372766137324229","edge_profile_id":"623ef47b-3b19-49de-a895-b24db9349e5d","exit_type":"Crashed","has_seen_signin_fre":false,"icon_version":15,"last_engagement_time":"13379489326983208","managed_user_id":"","name":"Profile 
1","observed_session_time":{"feedback_rating_in_product_help_observed_session_time_key_92.0.902.67":4.0}},"reset_prepopulated_engines":false,"safebrowsing":{"event_timestamps":{},"metrics_last_log_time":"13379489325"},"sessions":{"event_log":[{"tab_count":0,"time":"13372766137527229","type":2,"window_count":0},{"crashed":false,"time":"13372769247256571","type":0},{"tab_count":1,"time":"13372769251833112","type":2,"window_count":1},{"crashed":false,"time":"13379489325636631","type":0}],"session_data_status":1},"settings":{"a11y":{"caretbrowsing":{"enabled":false}}},"signin":{"DiceMigrationComplete":true,"allowed":true},"spellcheck":{"dictionaries":["en-US"]},"sync":{"autofill":true,"bookmarks":true,"collections":true,"collections_edge_re_evaluated":true,"collections_edge_supported":true,"edge_account_type":0,"extensions":true,"extensions_edge_supported":true,"history_edge_supported":true,"keep_everything_synced":false,"passwords":true,"preferences":true,"requested":false,"tabs":false,"tabs_edge_supported":true,"typed_urls":false},"translate_site_blacklist_with_time":{},"unified_consent":{"migration_state":10},"user_experience_metrics":{"personalization_data_consent_enabled_last_known_value":false},"web_apps":{"did_migrate_default_chrome_apps":[],"last_preinstall_synchronize_version":"92","system_web_app_failure_count":0,"system_web_app_last_attempted_language":"en-US","system_web_app_last_attempted_update":"92.0.902.67","system_web_app_last_installed_language":"en-US","system_web_app_last_update":"92.0.902.67"}}

Signatures

  • Black Basta

    A ransomware family, first seen in February 2022, that targets Windows hosts and Linux/ESXi systems.

  • Blackbasta family
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bastains.com/click.php?key=5ethf9grt8e5728e381w&cid=1734754266100010TUSTV62601R284R8204Reb90Rd317Re354Rc5f5Rc4396Ve1&cost=0.001236819&zone=8999102-1356418374-4269441498&campaign=418400220
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8236046f8,0x7ff823604708,0x7ff823604718
      2⤵
        PID:1368
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        2⤵
          PID:1088
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2812
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
          2⤵
            PID:1064
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
            2⤵
              PID:1096
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
              2⤵
                PID:1384
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
                2⤵
                  PID:3908
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
                  2⤵
                    PID:2284
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
                    2⤵
                      PID:4844
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4716
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
                      2⤵
                        PID:724
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
                        2⤵
                          PID:4036
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17892028735145380159,18344199112204101055,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4752
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:3236
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4360

                          Network

                          MITRE ATT&CK Enterprise v15


                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            dc058ebc0f8181946a312f0be99ed79c

                            SHA1

                            0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                            SHA256

                            378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                            SHA512

                            36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            a0486d6f8406d852dd805b66ff467692

                            SHA1

                            77ba1f63142e86b21c951b808f4bc5d8ed89b571

                            SHA256

                            c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                            SHA512

                            065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            96B

                            MD5

                            43517a2696cbba22cdaffe851d3e46ce

                            SHA1

                            b22837f05d784cfb3eb4500094cf388389072eed

                            SHA256

                            f9d9fd45b673af23cb95aa2692ba9717d4ebab3f753ece29cc846ec9f52631c4

                            SHA512

                            5aa3130b24bad4206dcb31eb3fe800b9e38719a361d9f93676773165d2795310fe546fe695f302ffb878ae6a053e5c01f3043873f932de19031028e1a2cf6424

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            505B

                            MD5

                            0250c60205857dfe70cadbadd1f75a5a

                            SHA1

                            8da4c2ece94f27f892431ca38eb631a2b7ad0194

                            SHA256

                            19bc7f12002290e24d181e42043584deb8ff9966359b5f416019045f5932c1ba

                            SHA512

                            30d267f182c2c39e8565ae41dba2242143e01360a51cde115c738804934dbf9af14e707f6699c6e67190693ca5796bade10120c94a5dd6bf5f67fa18e850a7c0

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            d0b1ebb2f0e555f2728edfaf48ad1fdf

                            SHA1

                            714391e8bf1481b8a497baab9bdfe311f0e7bf04

                            SHA256

                            99c1ca33610db2b41d44eaaa2784f3d13f39c924e4f474a72bcbe3fb637b9b67

                            SHA512

                            0190e8ae444bb6d6b505155c4794652335b89412e4bf8511ac0bf3436c5f26ff74bc962280759cfd2457402803e1dba08c21a63d9fb89f5498cac5e9b02d3702

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            334c242539935e90da368c92bb1cab51

                            SHA1

                            3aeeab53e15bb0477e6ae9f7de69042a60a0351d

                            SHA256

                            38b65385b649fe31f323e1ab18b3cad49a618fef35018cd2b98b03a3912a4101

                            SHA512

                            d2be194909921eb88357f46c65767c285a7ad2fce79a91f605f18c85825b425c9be7da9d2c50036423411f74906406cbd22b881b41672baaa013daaaaf75cb4e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            3bb8d03f5a9a5f87511a86a152ddb620

                            SHA1

                            91a0e13e917cccf0f0c937a54994439df6140e04

                            SHA256

                            e125badf8923771d4798f9230140b83532e18cc3dac0ce18e2edf8735b713c2f

                            SHA512

                            b28475263ac82639713dd19d1750daf9c5ae1a862f0f666fd58e9b89c2f020a569f787f4df042ff72c581339886557059997cfd56f411f641befdf6a98c94047