blackbasta | 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6

Analysis

max time kernel
77s
max time network
90s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
Size

470KB
MD5

1a873fc3f0faa8cc2838bef59067d7d7
SHA1

5b3d6b3be96c95b9d95d5d97f60943888f332d46
SHA256

2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6
SHA512

35d2a4c17c23681fc5855dee2864041deb5ae17fffc9b71d25ad3a2484e92f272b5a779fe22dc0cf893972298c284ca3f19053cbcf2e99efbbc597b6cc769c68
SSDEEP

6144:99TB6rsikfe/YEJCksf9ljAdxil5UmMDS0sqw7qp1t/RUJ1XqQQVkgbDI+6MZ5Ot:Nhfeh7kjuslymV7qPVgllAkgbD6Xz

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\MSOCache\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: eeded09d-2ac0-4e69-bf25-875cd524e744

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\JoinSave.mhtml	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Internet Explorer\ja-JP\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\msdbg2.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\F12Tools.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Common Files\Services\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\DVD Maker\ja-JP\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Microsoft Games\Chess\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\jsdbgui.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Common Files\System\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\FormatUnlock.vsdm	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\SyncWrite.tif	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\DVD Maker\Shared\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Google\Chrome\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Microsoft Games\Solitaire\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdbgui.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Microsoft Games\Mahjong\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\jsprofilerui.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\BlockRemove.pptm	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\msdbg2.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\Common Files\Services\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\DVD Maker\es-ES\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\networkinspection.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File created	C:\Program Files\MSBuild\readme.txt	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\SaveMeasure.vstx	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1284	vssadmin.exe
1992	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1220	vssvc.exe
Token: SeRestorePrivilege	1220	vssvc.exe
Token: SeAuditPrivilege	1220	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1884	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	28
PID 964 wrote to memory of 1884	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	28
PID 964 wrote to memory of 1884	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	28
PID 964 wrote to memory of 1884	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	28
PID 1884 wrote to memory of 1992	1884	cmd.exe	30
PID 1884 wrote to memory of 1992	1884	cmd.exe	30
PID 1884 wrote to memory of 1992	1884	cmd.exe	30
PID 1884 wrote to memory of 1992	1884	cmd.exe	30
PID 964 wrote to memory of 1152	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	33
PID 964 wrote to memory of 1152	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	33
PID 964 wrote to memory of 1152	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	33
PID 964 wrote to memory of 1152	964	2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe	33
PID 1152 wrote to memory of 1284	1152	cmd.exe	35
PID 1152 wrote to memory of 1284	1152	cmd.exe	35
PID 1152 wrote to memory of 1284	1152	cmd.exe	35
PID 1152 wrote to memory of 1284	1152	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
"C:\Users\Admin\AppData\Local\Temp\2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact