Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 08:10
Static task
static1
Behavioral task
behavioral1
Sample
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
Resource
win10v2004-20220414-en
General
-
Target
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe
-
Size
543KB
-
MD5
998022b70d83c6de68e5bdf94e0f8d71
-
SHA1
b87a947f3e85701fcdadd733e9b055a65a3b1308
-
SHA256
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a
-
SHA512
2744b77f951bd2bb34b094dd3b54fcf8f7dca76e03c745809edc045749c814c7d88c9ddd69ad684a1c156716afae76b5ebec3f932d0f2a72b242878134f65647
Malware Config
Extracted
C:\readme.txt
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exedescription ioc process File renamed C:\Users\Admin\Pictures\SubmitInitialize.tif => C:\Users\Admin\Pictures\SubmitInitialize.tif.basta 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File renamed C:\Users\Admin\Pictures\RequestConvert.raw => C:\Users\Admin\Pictures\RequestConvert.raw.basta 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -
Drops file in Program Files directory 64 IoCs
Processes:
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_f14\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\hprof.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\meta-index 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\VideoLAN\VLC\locale\nn\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ca-Es-VALENCIA.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadce.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files (x86)\Google\Temp\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WebView2Loader.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\Common Files\System\msadc\ja-JP\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sr-Latn-RS.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\TextConversionModule.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\readme.txt 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 5104 vssadmin.exe -
Modifies registry class 3 IoCs
Processes:
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3148 vssvc.exe Token: SeRestorePrivilege 3148 vssvc.exe Token: SeAuditPrivilege 3148 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.execmd.exedescription pid process target process PID 2128 wrote to memory of 4160 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe PID 2128 wrote to memory of 4160 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe PID 2128 wrote to memory of 4160 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe PID 4160 wrote to memory of 5104 4160 cmd.exe vssadmin.exe PID 4160 wrote to memory of 5104 4160 cmd.exe vssadmin.exe PID 2128 wrote to memory of 4488 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe PID 2128 wrote to memory of 4488 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe PID 2128 wrote to memory of 4488 2128 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe"C:\Users\Admin\AppData\Local\Temp\7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken