Analysis
- max time kernel: 119s
- max time network: 105s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 06:22
Static task
- static1

Behavioral task
- behavioral1
  Sample: 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  Resource: win10v2004-20220812-en
General
- Target: 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
- Size: 454KB
- MD5: 30e360b69234e2f71a80a301ed582400
- SHA1: 318d227272b198311ef9eb8e6721237c0f90fcd2
- SHA256: 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9
- SHA512: c5faea951492771eb9847536c03e0287e20d89f3c691861de78ae897ef2aed1c81fe4a4ab80ee49e9c46df516aa99babdae96aedecf94f0ada84681631048e40
- SSDEEP: 6144:+ZyHOgf1NEoVAtlu8PN8yOqbXaDlnNahH7g5llqocky89guv7J/hSNcPMK7Codus:+vIgtlu8Pcail6bg53LRvuNcVG+GK
Malware Config
Extracted
- Path: C:\MSOCache\readme.txt
- URL: https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Signatures

- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  description | ioc
  File opened for modification | C:\Program Files\RedoSend.M2V
  File opened for modification | C:\Program Files\SelectUnblock.rtf
  File created | C:\Program Files\Common Files\Services\readme.txt
  File created | C:\Program Files\Common Files\System\readme.txt
  File created | C:\Program Files\Common Files\readme.txt
  File opened for modification | C:\Program Files\ApproveOpen.mpeg
  File opened for modification | C:\Program Files\NewOpen.ps1xml
  File created | C:\Program Files\Mozilla Firefox\readme.txt
  File opened for modification | C:\Program Files\FormatBlock.wma
  File opened for modification | C:\Program Files\ResolveApprove.emf
  File created | C:\Program Files (x86)\Google\readme.txt
  File opened for modification | C:\Program Files\SplitRemove.vst
  File opened for modification | C:\Program Files\StopGroup.mht
  File created | C:\Program Files\Microsoft Office\readme.txt
  File opened for modification | C:\Program Files\AddClose.dwfx
  File opened for modification | C:\Program Files\EnableSend.iso
  File opened for modification | C:\Program Files\RenameJoin.svgz
  File created | C:\Program Files\Microsoft Games\readme.txt
  File opened for modification | C:\Program Files\ShowProtect.vsw
  File created | C:\Program Files (x86)\Microsoft.NET\readme.txt
  File created | C:\Program Files (x86)\MSBuild\readme.txt
  File created | C:\Program Files\Uninstall Information\readme.txt
  File created | C:\Program Files\VideoLAN\readme.txt
  File opened for modification | C:\Program Files\LockInvoke.pot
  File created | C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt
  File created | C:\Program Files\Internet Explorer\readme.txt
  File opened for modification | C:\Program Files\BlockRepair.mp2v
  File opened for modification | C:\Program Files\CheckpointEdit.dib
  File opened for modification | C:\Program Files\UnprotectPublish.docx
  File opened for modification | C:\Program Files\UnpublishRepair.mpeg2
  File created | C:\Program Files\readme.txt
  File created | C:\Program Files (x86)\readme.txt
  File opened for modification | C:\Program Files\ExpandUnlock.mpv2
  File opened for modification | C:\Program Files\LockBlock.vssm
  File opened for modification | C:\Program Files\DismountStart.xsl
  File opened for modification | C:\Program Files\InitializeStep.wmx
  File created | C:\Program Files\Common Files\SpeechEngines\readme.txt
  File opened for modification | C:\Program Files\7-Zip\readme.txt
  File opened for modification | C:\Program Files\BackupWait.mpv2
  File opened for modification | C:\Program Files\ConnectRename.ps1
  File created | C:\Program Files (x86)\Common Files\readme.txt
  File created | C:\Program Files (x86)\Microsoft Sync Framework\readme.txt
  File created | C:\Program Files\Common Files\Microsoft Shared\readme.txt
  File created | C:\Program Files\MSBuild\readme.txt
  File created | C:\Program Files\Reference Assemblies\readme.txt
  File opened for modification | C:\Program Files\MeasureNew.mht
  File opened for modification | C:\Program Files\ReceiveMerge.asp
  File opened for modification | C:\Program Files\FormatMount.txt
  File opened for modification | C:\Program Files\RevokeGet.vst
  File created | C:\Program Files (x86)\Microsoft Office\readme.txt
  File created | C:\Program Files (x86)\Reference Assemblies\readme.txt
  File opened for modification | C:\Program Files\WaitRegister.wpl
  File created | C:\Program Files (x86)\Adobe\readme.txt
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt
  File created | C:\Program Files (x86)\Uninstall Information\readme.txt
  File created | C:\Program Files\Java\readme.txt
  File opened for modification | C:\Program Files\CloseConfirm.svgz
  File opened for modification | C:\Program Files\UnblockCompress.aiff
  File opened for modification | C:\Program Files\UnlockClear.vbe
  File created | C:\Program Files (x86)\Internet Explorer\readme.txt
  File created | C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt
  File created | C:\Program Files\DVD Maker\readme.txt
  File opened for modification | C:\Program Files\ExpandConfirm.asx
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1128 | vssadmin.exe
  1108 | vssadmin.exe

- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1872 | vssvc.exe
  Token: SeRestorePrivilege | 1872 | vssvc.exe
  Token: SeAuditPrivilege | 1872 | vssvc.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1060 wrote to memory of 2036 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 28
  PID 1060 wrote to memory of 2036 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 28
  PID 1060 wrote to memory of 2036 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 28
  PID 1060 wrote to memory of 2036 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 28
  PID 2036 wrote to memory of 1128 | 2036 | cmd.exe | 30
  PID 2036 wrote to memory of 1128 | 2036 | cmd.exe | 30
  PID 2036 wrote to memory of 1128 | 2036 | cmd.exe | 30
  PID 2036 wrote to memory of 1128 | 2036 | cmd.exe | 30
  PID 1060 wrote to memory of 1640 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 33
  PID 1060 wrote to memory of 1640 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 33
  PID 1060 wrote to memory of 1640 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 33
  PID 1060 wrote to memory of 1640 | 1060 | 81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe | 33
  PID 1640 wrote to memory of 1108 | 1640 | cmd.exe | 35
  PID 1640 wrote to memory of 1108 | 1640 | cmd.exe | 35
  PID 1640 wrote to memory of 1108 | 1640 | cmd.exe | 35
  PID 1640 wrote to memory of 1108 | 1640 | cmd.exe | 35
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81515e1c72fadae2c4bb15883e0c1d8979b49fd52d8c65ca03e05a75ca6683c9.exe"
  PID: 1060
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    PID: 2036
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      PID: 1128
      - Interacts with shadow copies

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    PID: 1640
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      PID: 1108
      - Interacts with shadow copies

- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1872
  - Suspicious use of AdjustPrivilegeToken