Analysis
max time kernel: 148s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19-10-2022 10:40
Static task: static1
Behavioral task: behavioral1
- Sample: a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe
- Resource: win10v2004-20220812-en
General
- Target: a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe
- Size: 720KB
- MD5: 0c69e91c2f54978ae3103b26686b2610
- SHA1: 3e3b113a5ab64e03ffe86e0fa9a2163816f9ecdf
- SHA256: a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96
- SHA512: 7f4be495be8d9bc4bf825a2846d1888e93f137820c172488febfba13e06f83eb5ce7d0873d752cc9627e6a613dc137c2e8b8d9519f2339c1a6dd7f6c82b66212
- SSDEEP: 12288:9yufBWp/QcYqt+QxxbxgU532BjZak//A6/NLaBCfwYkijMsZ2rEIaOtZBQipEen7:9yufBWpW3/k6M7tZBLpEelW3it
Malware Config
Extracted from C:\MSOCache\readme.txt:
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
description / ioc / process:
- File renamed: C:\Users\Admin\Pictures\MeasureSelect.png => C:\Users\Admin\Pictures\MeasureSelect.png.basta (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- File opened for modification: C:\Users\Admin\Pictures\DebugUnlock.tiff (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- File renamed: C:\Users\Admin\Pictures\DebugUnlock.tiff => C:\Users\Admin\Pictures\DebugUnlock.tiff.basta (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- File renamed: C:\Users\Admin\Pictures\ExitUnregister.tif => C:\Users\Admin\Pictures\ExitUnregister.tif.basta (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- File renamed: C:\Users\Admin\Pictures\StopPush.png => C:\Users\Admin\Pictures\StopPush.png.basta (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description / ioc / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
Drops file in Program Files directory (64 IoCs)
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / process:
- 2032 vssadmin.exe

Modifies registry class (3 IoCs)
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" (a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / process:
- Token: SeBackupPrivilege; 1168 vssvc.exe
- Token: SeRestorePrivilege; 1168 vssvc.exe
- Token: SeAuditPrivilege; 1168 vssvc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / process / procid_target:
- PID 832 wrote to memory of 1272; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 29
- PID 832 wrote to memory of 1272; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 29
- PID 832 wrote to memory of 1272; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 29
- PID 832 wrote to memory of 2040; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 31
- PID 832 wrote to memory of 2040; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 31
- PID 832 wrote to memory of 2040; 832 a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe; 31
- PID 2040 wrote to memory of 2032; 2040 cmd.exe; 33
- PID 2040 wrote to memory of 2032; 2040 cmd.exe; 33
- PID 2040 wrote to memory of 2032; 2040 cmd.exe; 33
Processes
- C:\Users\Admin\AppData\Local\Temp\a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe (PID 832)
  command line: "C:\Users\Admin\AppData\Local\Temp\a083060d38984e7c6f36dcd2c57ec1aa3f50f9c201c8538257c8cbf2b3217e96.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1272)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  - C:\Windows\system32\cmd.exe (PID 2040)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\vssadmin.exe (PID 2032)
      command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1168)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken