Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

706F3EEC32...39D.7z

windows7-x64

706F3EEC32...39D.7z

windows10-2004-x64

706F3EEC32...39D.7z

android-10-x64

706F3EEC32...39D.7z

android-13-x64

706F3EEC32...39D.7z

macos-10.15-amd64

706F3EEC32...39D.7z

ubuntu-18.04-amd64

706F3EEC32...39D.7z

debian-9-armhf

706F3EEC32...39D.7z

debian-9-mips

706F3EEC32...39D.7z

debian-9-mipsel

706F3EEC32...9D.exe

windows7-x64

10

706F3EEC32...9D.exe

windows10-2004-x64

10

706F3EEC32...9D.exe

android-11-x64

706F3EEC32...9D.exe

android-13-x64

706F3EEC32...9D.exe

macos-10.15-amd64

706F3EEC32...9D.exe

ubuntu-18.04-amd64

706F3EEC32...9D.exe

debian-9-armhf

706F3EEC32...9D.exe

debian-9-mips

706F3EEC32...9D.exe

debian-9-mipsel

Resubmissions

25/03/2025, 13:19

250325-qkkrrszps5 10

05/02/2025, 11:22

250205-ngk71strbx 10

25/06/2024, 15:43

240625-s6cz6a1gnj 10

25/06/2024, 15:17

240625-sn4p6axdma 10

Analysis

  • max time kernel
    299s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    05/02/2025, 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

  • Size

    79KB

  • MD5

    62a1b4d4b461f4eaae91c70727f71604

  • SHA1

    1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

  • SHA256

    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

  • SHA512

    d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

  • SSDEEP

    1536:DnICS4ArFnRoHhcVyid9EZZoi+zQ95f8IwdON:QZnmqVyq9EN+M95bwE

Score
10/10
blackmatterdiscoveryransomware

Malware Config

Extracted

Path

C:\yHh8Ghp8e.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Blackmatter family
    blackmatter
  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 3 IoCs
    defense_evasion
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
    C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe dsrm -subtree -noprompt -c user"http://+:443"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\yHh8Ghp8e.README.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab2741.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2773.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Documents\CloseRevoke.xps.yHh8Ghp8e
    Filesize

    850KB

    MD5

    41532d153a8a602f500a8d796a2d7303

    SHA1

    dd80e8a55f6bf930103ffa95a55512c112b733c2

    SHA256

    2081eee5125d0ad6c336def74a0b7fd15d2e5621b27ced1a9f4bcb32b20e541f

    SHA512

    4209f0ad9faa3bbcc7f746ea2d68a18b24506c5c6070bce33e5e8bc951ff1a65c6e2a3d1fd1d806ad95829199b66ac2e5c9d614cae1033778fec9f982ab04306

    Download Submit

  • C:\Users\Admin\Documents\InitializeDisable.xps.yHh8Ghp8e
    Filesize

    700KB

    MD5

    3ae852c322f51637c54c34176492cb40

    SHA1

    382b9d82a215e47bcc740bc9b08f3fdbeef423da

    SHA256

    ffad0ac348cc2c2e6f8be94a2b80128be0e96d15a80d3f54387c7e89b465b3af

    SHA512

    b6f18ccb32b58825d0a08ae41f520913e62ec49163823815f36689296596447298a921249ebb9dc8c4c98491491b780e42b180bf0b2b02aa92dc6e44c398ed41

    Download Submit

  • C:\yHh8Ghp8e.README.txt
    Filesize

    1KB

    MD5

    1ba53a2b703aeb54647185c18cc1ddbd

    SHA1

    0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

    SHA256

    74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

    SHA512

    15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

    Download Submit

  • memory/2272-0-0x0000000001FD0000-0x0000000002010000-memory.dmp

    Filesize

    256KB

    Download