blackbasta | 1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
Size

463KB
MD5

5edfa63f8223527b790d7f47ec29ad48
SHA1

d4c544274ea89f1d10cb5b4c7ac54ebbb72b2651
SHA256

1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c
SHA512

d29a03cd0f2f7a114b866ae923d458c96d3653bc104cd640d67a02d5d6a9eb51cd503eec45811b8379e543af9ba561ee9f89c279cbd3233e4d28662c692a6d8b
SSDEEP

12288:CegEga9b161lmK0IgvcjTxIn5FV6NFVINaZcR9JXy:CegEFm1wK01vcjannV6NFca49JXy

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\odt\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: aa6b49d0-713d-46fb-b7ac-fb5605e2ac0a

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RenameStep.tif => C:\Users\Admin\Pictures\RenameStep.tif.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\StartSubmit.png => C:\Users\Admin\Pictures\StartSubmit.png.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\TraceRevoke.png => C:\Users\Admin\Pictures\TraceRevoke.png.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Users\Admin\Pictures\AddPublish.tiff	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\AddPublish.tiff => C:\Users\Admin\Pictures\AddPublish.tiff.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\RepairImport.raw => C:\Users\Admin\Pictures\RepairImport.raw.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\UpdatePublish.png => C:\Users\Admin\Pictures\UpdatePublish.png.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\ConvertSave.tif => C:\Users\Admin\Pictures\ConvertSave.tif.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\HideOut.raw => C:\Users\Admin\Pictures\HideOut.raw.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File renamed	C:\Users\Admin\Pictures\RedoBackup.crw => C:\Users\Admin\Pictures\RedoBackup.crw.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\ReceiveRemove.ogg	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Microsoft Office\root\loc\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\MSBuild\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\DESIGNER\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlc.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Internet Explorer\hmmapi.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Uninstall Information\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstal.exe.mui	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\System\en-US\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\System\Ole DB\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\readme.txt	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5048	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4980	vssvc.exe
Token: SeRestorePrivilege	4980	vssvc.exe
Token: SeAuditPrivilege	4980	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 4724	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	80
PID 4012 wrote to memory of 4724	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	80
PID 4012 wrote to memory of 4724	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	80
PID 4724 wrote to memory of 5048	4724	cmd.exe	82
PID 4724 wrote to memory of 5048	4724	cmd.exe	82
PID 4012 wrote to memory of 2032	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	85
PID 4012 wrote to memory of 2032	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	85
PID 4012 wrote to memory of 2032	4012	1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe	85

C:\Users\Admin\AppData\Local\Temp\1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe
"C:\Users\Admin\AppData\Local\Temp\1dd04aab97d6b65ac93ae3e8cfb4d3175d99f5b0395418abeb771d2db364cd3c.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4012-132-0x0000000002E10000-0x0000000002E78000-memory.dmp

Filesize
416KB

Download
memory/4012-134-0x0000000000DA0000-0x0000000000E2E000-memory.dmp

Filesize
568KB

Download
memory/4012-137-0x0000000000DA0000-0x0000000000E2E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads