Analysis
- max time kernel: 29s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30/11/2022, 23:49
Behavioral task: behavioral1
- Sample: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
- Resource: win10v2004-20220901-en
General
- Target: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
- Size: 543KB
- MD5: f05dac112cd3174c385d10158b6080fb
- SHA1: 579b245a6609903d804f957083b9e0b2ed145f5a
- SHA256: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa
- SHA512: 213891e6f5a16726a86c51eb67e8c4cf8bcf7d2b6a688c13614145445180f5458f808d124e5e398da2335a8c4484709c6124d4268bed1335d6338b733bb51a55
- SSDEEP: 12288:z1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:BzmoQqUiXw2s6yiVxR
Malware Config
- Extracted from: C:\readme.txt
- URL: https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/
Signatures
- Black Basta
  A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" (process: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe)
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
  File opened for modification: C:\Program Files\InitializeRestart.rtf
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
  File opened for modification: C:\Program Files\Internet Explorer\Timeline.dll
  File opened for modification: C:\Program Files\Mozilla Firefox\freebl3.dll
  File opened for modification: C:\Program Files\DVD Maker\fieldswitch.ax
  File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt
  File created: C:\Program Files\readme.txt
  File created: C:\Program Files\Google\readme.txt
  File created: C:\Program Files\Microsoft Games\readme.txt
  File created: C:\Program Files\Microsoft Games\Purble Place\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll
  File opened for modification: C:\Program Files\DVD Maker\directshowtap.ax
  File opened for modification: C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll
  File opened for modification: C:\Program Files\Internet Explorer\ielowutil.exe
  File created: C:\Program Files\Internet Explorer\de-DE\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe.sig
  File opened for modification: C:\Program Files\FindFormat.emf
  File opened for modification: C:\Program Files\ImportEnable.pptm
  File opened for modification: C:\Program Files\UnprotectImport.css
  File opened for modification: C:\Program Files\StepWrite.gif
  File created: C:\Program Files\Common Files\Microsoft Shared\readme.txt
  File created: C:\Program Files\Internet Explorer\ja-JP\readme.txt
  File opened for modification: C:\Program Files\DVD Maker\WMM2CLIP.dll
  File created: C:\Program Files (x86)\Adobe\Reader 9.0\readme.txt
  File opened for modification: C:\Program Files\7-Zip\7-zip.chm
  File opened for modification: C:\Program Files\DVD Maker\OmdBase.dll
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
  File opened for modification: C:\Program Files\CloseOut.mht
  File created: C:\Program Files (x86)\Microsoft.NET\readme.txt
  File opened for modification: C:\Program Files\7-Zip\7zG.exe
  File created: C:\Program Files\Google\Chrome\readme.txt
  File created: C:\Program Files\Mozilla Firefox\defaults\readme.txt
  File created: C:\Program Files (x86)\Microsoft Office\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\crashreporter.ini
  File created: C:\Program Files\DVD Maker\en-US\readme.txt
  File opened for modification: C:\Program Files\Internet Explorer\msdbg2.dll
  File opened for modification: C:\Program Files\GroupPop.avi
  File created: C:\Program Files\Common Files\SpeechEngines\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll
  File created: C:\Program Files\Microsoft Games\FreeCell\readme.txt
  File created: C:\Program Files\Microsoft Games\Hearts\readme.txt
  File created: C:\Program Files\Mozilla Firefox\browser\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  File opened for modification: C:\Program Files\TestDebug.odt
  File opened for modification: C:\Program Files\DVD Maker\sonicsptransform.ax
  File opened for modification: C:\Program Files\Mozilla Firefox\firefox.cfg
  File created: C:\Program Files (x86)\Common Files\Adobe AIR\readme.txt
  File opened for modification: C:\Program Files\CopyRequest.ico
  File opened for modification: C:\Program Files\HideProtect.001
  File opened for modification: C:\Program Files\UseFind.vsdx
  File created: C:\Program Files\Microsoft Games\SpiderSolitaire\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
  File opened for modification: C:\Program Files\MountPop.asf
  File opened for modification: C:\Program Files\Internet Explorer\F12Resources.dll
  File created: C:\Program Files\7-Zip\Lang\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll
  File opened for modification: C:\Program Files\Mozilla Firefox\libGLESv2.dll
  File opened for modification: C:\Program Files\DebugTrace.midi
  File opened for modification: C:\Program Files\PopFind.mpv2
  File created: C:\Program Files\Microsoft Games\More Games\readme.txt
  File opened for modification: C:\Program Files\Mozilla Firefox\IA2Marshal.dll
  File opened for modification: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  File opened for modification: C:\Program Files\ConfirmSubmit.pps
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 1080: vssadmin.exe
  PID 1132: vssadmin.exe
- Modifies registry class (3 IoCs)
  Process for every entry: cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege, PID 1776, vssvc.exe
  Token: SeRestorePrivilege, PID 1776, vssvc.exe
  Token: SeAuditPrivilege, PID 1776, vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Columns: description, source PID and process, target process id (procid_target); each row was logged 4 times.
  PID 2020 wrote to memory of 604; source 2020 cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe; procid_target 27 (4 entries)
  PID 604 wrote to memory of 1080; source 604 cmd.exe; procid_target 29 (4 entries)
  PID 2020 wrote to memory of 960; source 2020 cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe; procid_target 32 (4 entries)
  PID 960 wrote to memory of 1132; source 960 cmd.exe; procid_target 34 (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe"
  PID: 2020
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    PID: 604
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      PID: 1080
      - Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    PID: 960
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      PID: 1132
      - Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1776
  - Suspicious use of AdjustPrivilegeToken