blackbasta | cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa

Analysis

max time kernel
24s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2022, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
Size

543KB
MD5

f05dac112cd3174c385d10158b6080fb
SHA1

579b245a6609903d804f957083b9e0b2ed145f5a
SHA256

cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa
SHA512

213891e6f5a16726a86c51eb67e8c4cf8bcf7d2b6a688c13614145445180f5458f808d124e5e398da2335a8c4484709c6124d4268bed1335d6338b733bb51a55
SSDEEP

12288:z1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:BzmoQqUiXw2s6yiVxR

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/ Your company id for log in: ba7a7058-3531-4b67-bae6-d602e9110361

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SearchStart.wmv	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\hmmapi.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Internet Explorer\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Google\Update\Download\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\7-Zip\Lang\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Google\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\ExportExit.vbe	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Google\Temp\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\GrantProtect.ini	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Common Files\System\msadc\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Common Files\DESIGNER\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\RequestUnprotect.ttf	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Google\Chrome\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Microsoft Office\root\fre\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Microsoft Office\root\loc\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Google\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Microsoft Office\root\vreg\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Common Files\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\ExportUnpublish.mp4	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Google\Update\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files\VideoLAN\VLC\skins\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\EditApprove.ppsx	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4928	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3944	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	82
PID 5068 wrote to memory of 3944	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	82
PID 5068 wrote to memory of 3944	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	82
PID 3944 wrote to memory of 4928	3944	cmd.exe	84
PID 3944 wrote to memory of 4928	3944	cmd.exe	84
PID 5068 wrote to memory of 1384	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	87
PID 5068 wrote to memory of 1384	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	87
PID 5068 wrote to memory of 1384	5068	cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe	87

C:\Users\Admin\AppData\Local\Temp\cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe
"C:\Users\Admin\AppData\Local\Temp\cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact