blackbasta | c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7

Analysis

max time kernel
61s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
Size

910KB
MD5

fe8dae06d4b9165c6be675e184bfaca9
SHA1

5244f99411acdf30ca6832b2e6352afdd68c88f3
SHA256

c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7
SHA512

33bdc3839ac944be9c6a5f6f16dc5ba3bfd8c0da66aa6772e5d4306234028e9fc6da871c9a4d65a3ce64a768404f5ea37c5d1fc3f1093f1826448711028a2552
SSDEEP

12288:0/YpRRbRftUf8S7DMbrhL+52971/XtnP1APDoEqb9CSnrzKTJnIii1be9hnU3Mue:RJbXK7Du8gDPWPUECf8ade0aldNYlA

Score

10^/10

blackbasta ransomware

Malware Config

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta

Black Basta payload 7 IoCs

resource	yara_rule
behavioral1/memory/1152-60-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta
behavioral1/memory/1152-62-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta
behavioral1/memory/1152-63-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta
behavioral1/memory/1152-65-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta
behavioral1/memory/1152-66-0x000000000016684B-mapping.dmp	family_blackbasta
behavioral1/memory/1152-71-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta
behavioral1/memory/1152-76-0x0000000000130000-0x00000000001BE000-memory.dmp	family_blackbasta

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
320	1152	WerFault.exe	27

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1496 wrote to memory of 1152	1496	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	27
PID 1152 wrote to memory of 320	1152	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	29
PID 1152 wrote to memory of 320	1152	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	29
PID 1152 wrote to memory of 320	1152	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	29
PID 1152 wrote to memory of 320	1152	c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe	29

C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
"C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\c532d28f9700abba1a4803c3a9d886c8c4fb26f84cf2399c533d68cfdcec4fa7.exe
  OMC_BC
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 164
    3⤵
    - Program crash
    PID:320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-55-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-56-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-58-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-60-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-62-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-63-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-65-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-71-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1152-76-0x0000000000130000-0x00000000001BE000-memory.dmp

Filesize
568KB

Download
memory/1496-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads