blackbasta | c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
Size

910KB
MD5

fe8dae06d4b9165c6be675e184bfaca9
SHA1

5244f99411acdf30ca6832b2e6352afdd68c88f3
SHA256

c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7
SHA512

33bdc3839ac944be9c6a5f6f16dc5ba3bfd8c0da66aa6772e5d4306234028e9fc6da871c9a4d65a3ce64a768404f5ea37c5d1fc3f1093f1826448711028a2552
SSDEEP

12288:0/YpRRbRftUf8S7DMbrhL+52971/XtnP1APDoEqb9CSnrzKTJnIii1be9hnU3Mue:RJbXK7Du8gDPWPUECf8ade0aldNYlA

Score

10^/10

blackbasta ransomware

Malware Config

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta

Black Basta payload 7 IoCs

resource	yara_rule
behavioral1/memory/2016-60-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta
behavioral1/memory/2016-62-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta
behavioral1/memory/2016-63-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta
behavioral1/memory/2016-66-0x00000000000B684B-mapping.dmp	family_blackbasta
behavioral1/memory/2016-65-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta
behavioral1/memory/2016-71-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta
behavioral1/memory/2016-76-0x0000000000080000-0x000000000010E000-memory.dmp	family_blackbasta

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1284	2016	WerFault.exe	28

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 1812 wrote to memory of 2016	1812	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	28
PID 2016 wrote to memory of 1284	2016	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	30
PID 2016 wrote to memory of 1284	2016	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	30
PID 2016 wrote to memory of 1284	2016	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	30
PID 2016 wrote to memory of 1284	2016	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	30

C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
"C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
  OMC_BC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 164
    3⤵
    - Program crash
    PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-56-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-58-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-60-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-62-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-63-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-65-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-71-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2016-76-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads