Analysis
Max time kernel: 131s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 03-05-2022 14:19
Static task: static1

Behavioral task: behavioral1
  Sample: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  Resource: win10v2004-20220414-en
General
Target: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
Size: 543KB
MD5: 53fdeb923b1890d29b8f29da77995938
SHA1: a996ccd0d58125bf299e89f4c03ff37afdab33fc
SHA256: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
SHA512: 7c78e880f3d2dfc163625ff3d0b4676aa6a083dbbeac270520679f6b21d1c449c5af720ca7b9a68b5b3309e2de8d586cfed5d9b3a78d006e6d981a1aaf88c535
SSDEEP: 12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:AzmoQqUiXw2s6yiVxR
Malware Config
Extracted from: C:\readme.txt
  https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/
Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
Drops file in Program Files directory (64 IoCs)
Processes: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  description | ioc (process column is ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe for every row)
  File opened for modification | C:\Program Files\Internet Explorer\ie9props.propdesc
  File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  File opened for modification | C:\Program Files\UnblockCopy.ps1
  File created | C:\Program Files\7-Zip\Lang\readme.txt
  File opened for modification | C:\Program Files\7-Zip\License.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
  File created | C:\Program Files (x86)\Internet Explorer\it-IT\readme.txt
  File opened for modification | C:\Program Files\PublishShow.wmv
  File created | C:\Program Files\Microsoft Games\Solitaire\readme.txt
  File created | C:\Program Files\Mozilla Firefox\defaults\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\lgpllibs.dll
  File opened for modification | C:\Program Files\Mozilla Firefox\mozglue.dll
  File created | C:\Program Files (x86)\Common Files\microsoft shared\readme.txt
  File opened for modification | C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll
  File created | C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
  File opened for modification | C:\Program Files\VideoLAN\VLC\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ieproxy.dll
  File opened for modification | C:\Program Files\DVD Maker\Pipeline.dll
  File opened for modification | C:\Program Files\Mozilla Firefox\msvcp140.dll
  File created | C:\Program Files\readme.txt
  File created | C:\Program Files\Microsoft Office\readme.txt
  File opened for modification | C:\Program Files\ConvertFromReceive.svg
  File created | C:\Program Files\Microsoft Games\Chess\readme.txt
  File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\readme.txt
  File created | C:\Program Files\Common Files\readme.txt
  File opened for modification | C:\Program Files\7-Zip\descript.ion
  File opened for modification | C:\Program Files\DVD Maker\Eurosti.TTF
  File created | C:\Program Files\Microsoft Games\SpiderSolitaire\readme.txt
  File created | C:\Program Files (x86)\Google\CrashReports\readme.txt
  File created | C:\Program Files (x86)\Google\Policies\readme.txt
  File opened for modification | C:\Program Files\SaveRemove.hta
  File opened for modification | C:\Program Files\7-Zip\7z.dll
  File opened for modification | C:\Program Files\DVD Maker\OmdBase.dll
  File opened for modification | C:\Program Files (x86)\Internet Explorer\networkinspection.dll
  File created | C:\Program Files\DVD Maker\de-DE\readme.txt
  File opened for modification | C:\Program Files\DVD Maker\sonicsptransform.ax
  File opened for modification | C:\Program Files\Mozilla Firefox\xul.dll
  File opened for modification | C:\Program Files\Internet Explorer\networkinspection.dll
  File opened for modification | C:\Program Files\Internet Explorer\pdm.dll
  File created | C:\Program Files\MSBuild\Microsoft\readme.txt
  File created | C:\Program Files\VideoLAN\readme.txt
  File opened for modification | C:\Program Files\RegisterWatch.txt
  File created | C:\Program Files\DVD Maker\en-US\readme.txt
  File created | C:\Program Files (x86)\Common Files\Adobe\readme.txt
  File opened for modification | C:\Program Files (x86)\Internet Explorer\D3DCompiler_47.dll
  File opened for modification | C:\Program Files\Mozilla Firefox\xul.dll.sig
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\application.ini
  File created | C:\Program Files\Reference Assemblies\Microsoft\readme.txt
  File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\readme.txt
  File created | C:\Program Files\Reference Assemblies\readme.txt
  File opened for modification | C:\Program Files\DVD Maker\fieldswitch.ax
  File opened for modification | C:\Program Files\Mozilla Firefox\IA2Marshal.dll
  File created | C:\Program Files\Common Files\System\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\nssckbi.dll
  File created | C:\Program Files (x86)\Internet Explorer\es-ES\readme.txt
  File created | C:\Program Files (x86)\readme.txt
  File opened for modification | C:\Program Files\TestTrace.easmx
  File created | C:\Program Files\Common Files\Services\readme.txt
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
  pid | process
  1984 | vssadmin.exe
  2024 | vssadmin.exe

Modifies registry class (3 IoCs)
Processes: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 2008 | vssvc.exe
  Token: SeRestorePrivilege | 2008 | vssvc.exe
  Token: SeAuditPrivilege | 2008 | vssvc.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 876 wrote to memory of 1044 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1044 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1044 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1044 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 1044 wrote to memory of 2024 | 1044 | cmd.exe | vssadmin.exe
  PID 1044 wrote to memory of 2024 | 1044 | cmd.exe | vssadmin.exe
  PID 1044 wrote to memory of 2024 | 1044 | cmd.exe | vssadmin.exe
  PID 1044 wrote to memory of 2024 | 1044 | cmd.exe | vssadmin.exe
  PID 876 wrote to memory of 1528 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1528 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1528 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 876 wrote to memory of 1528 | 876 | ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe | cmd.exe
  PID 1528 wrote to memory of 1984 | 1528 | cmd.exe | vssadmin.exe
  PID 1528 wrote to memory of 1984 | 1528 | cmd.exe | vssadmin.exe
  PID 1528 wrote to memory of 1984 | 1528 | cmd.exe | vssadmin.exe
  PID 1528 wrote to memory of 1984 | 1528 | cmd.exe | vssadmin.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.exe"
    PID: 876
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        PID: 1044
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
            PID: 2024
            - Interacts with shadow copies

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        PID: 1528
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\vssadmin.exe
            Command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
            PID: 1984
            - Interacts with shadow copies

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2008
    - Suspicious use of AdjustPrivilegeToken