Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 08:10
Static task: static1
Behavioral task: behavioral1
- Sample: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
- Resource: win10v2004-20220414-en
General
- Target: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
- Size: 543KB
- MD5: 998022b70d83c6de68e5bdf94e0f8d71
- SHA1: b87a947f3e85701fcdadd733e9b055a65a3b1308
- SHA256: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
- SHA512: 2744b77f951bd2bb34b094dd3b54fcf8f7dca76e03c745809edc045749c814c7d88c9ddd69ad684a1c156716afae76b5ebec3f932d0f2a72b242878134f65647
Malware Config
- Extracted from: C:\readme.txt
- https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
  File renamed: C:\Users\Admin\Pictures\BackupExport.tif => C:\Users\Admin\Pictures\BackupExport.tif.basta
  File renamed: C:\Users\Admin\Pictures\ClearGet.tiff => C:\Users\Admin\Pictures\ClearGet.tiff.basta
  File renamed: C:\Users\Admin\Pictures\DisableWait.tif => C:\Users\Admin\Pictures\DisableWait.tif.basta
  File renamed: C:\Users\Admin\Pictures\ConvertToReceive.png => C:\Users\Admin\Pictures\ConvertToReceive.png.basta
  File renamed: C:\Users\Admin\Pictures\ShowSwitch.raw => C:\Users\Admin\Pictures\ShowSwitch.raw.basta
  File renamed: C:\Users\Admin\Pictures\UseMove.raw => C:\Users\Admin\Pictures\UseMove.raw.basta
  File opened for modification: C:\Users\Admin\Pictures\ClearGet.tiff
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"
- Drops file in Program Files directory (64 IoCs)
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  1224 vssadmin.exe
  1564 vssadmin.exe
- Modifies registry class (3 IoCs)
  Process: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (pid 1220)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe, cmd.exe, cmd.exe
  Entries (description: source process -> target process):
  PID 1744 wrote to memory of 1680: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1680: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1680: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1680: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1680 wrote to memory of 1224: cmd.exe -> vssadmin.exe
  PID 1680 wrote to memory of 1224: cmd.exe -> vssadmin.exe
  PID 1680 wrote to memory of 1224: cmd.exe -> vssadmin.exe
  PID 1680 wrote to memory of 1224: cmd.exe -> vssadmin.exe
  PID 1744 wrote to memory of 1560: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1560: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1560: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1744 wrote to memory of 1560: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -> cmd.exe
  PID 1560 wrote to memory of 1564: cmd.exe -> vssadmin.exe
  PID 1560 wrote to memory of 1564: cmd.exe -> vssadmin.exe
  PID 1560 wrote to memory of 1564: cmd.exe -> vssadmin.exe
  PID 1560 wrote to memory of 1564: cmd.exe -> vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (level 3)
      Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (level 3)
      Command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1224-56-0x0000000000000000-mapping.dmp
- memory/1560-57-0x0000000000000000-mapping.dmp
- memory/1564-58-0x0000000000000000-mapping.dmp
- memory/1680-55-0x0000000000000000-mapping.dmp
- memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp (Filesize: 8KB)