Analysis
- max time kernel: 89s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/12/2022, 05:56
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
  - Resource: win10v2004-20220812-en
General
- Target: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
- Size: 470KB
- MD5: 1a873fc3f0faa8cc2838bef59067d7d7
- SHA1: 5b3d6b3be96c95b9d95d5d97f60943888f332d46
- SHA256: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6
- SHA512: 35d2a4c17c23681fc5855dee2864041deb5ae17fffc9b71d25ad3a2484e92f272b5a779fe22dc0cf893972298c284ca3f19053cbcf2e99efbbc597b6cc769c68
- SSDEEP: 6144:99TB6rsikfe/YEJCksf9ljAdxil5UmMDS0sqw7qp1t/RUJ1XqQQVkgbDI+6MZ5Ot:Nhfeh7kjuslymV7qPVgllAkgbD6Xz
Malware Config
Extracted
- C:\odt\readme.txt
- https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Signatures
- Black Basta
  A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" (process: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe)
- Drops file in Program Files directory (64 IoCs)
  Process for every entry below: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
  - File created: C:\Program Files\Common Files\microsoft shared\OFFICE16\readme.txt
  - File opened for modification: C:\Program Files\Common Files\Services\verisign.bmp
  - File opened for modification: C:\Program Files\SplitUnpublish.contact
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT
  - File opened for modification: C:\Program Files\7-Zip\Lang\kaa.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\is.txt
  - File opened for modification: C:\Program Files\VideoLAN\VLC\npvlc.dll
  - File opened for modification: C:\Program Files\VideoLAN\VLC\THANKS.txt
  - File opened for modification: C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui
  - File created: C:\Program Files\Mozilla Firefox\fonts\readme.txt
  - File created: C:\Program Files (x86)\Internet Explorer\fr-FR\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\bg.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\da.txt
  - File opened for modification: C:\Program Files\7-Zip\7zCon.sfx
  - File opened for modification: C:\Program Files\Mozilla Firefox\msvcp140.dll
  - File opened for modification: C:\Program Files\7-Zip\Lang\mk.txt
  - File opened for modification: C:\Program Files\VideoLAN\VLC\VideoLAN Website.url
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\de-DE\ieinstal.exe.mui
  - File created: C:\Program Files (x86)\Internet Explorer\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\pingsender.exe
  - File opened for modification: C:\Program Files\Mozilla Firefox\xul.dll
  - File created: C:\Program Files (x86)\Internet Explorer\de-DE\readme.txt
  - File created: C:\Program Files (x86)\Google\Update\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\gu.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ku-ckb.txt
  - File created: C:\Program Files (x86)\Google\CrashReports\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe
  - File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  - File opened for modification: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll
  - File opened for modification: C:\Program Files\MovePublish.bmp
  - File opened for modification: C:\Program Files\7-Zip\Lang\ne.txt
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml
  - File created: C:\Program Files (x86)\Internet Explorer\it-IT\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\nssckbi.dll
  - File created: C:\Program Files\Common Files\System\ado\readme.txt
  - File opened for modification: C:\Program Files\FindSearch.vsdx
  - File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
  - File opened for modification: C:\Program Files\7-Zip\Lang\pl.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ro.txt
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\LICENSE
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\release
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja
  - File created: C:\Program Files\Java\jdk1.8.0_66\readme.txt
  - File opened for modification: C:\Program Files\VideoLAN\VLC\NEWS.txt
  - File opened for modification: C:\Program Files\7-Zip\descript.ion
  - File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll
  - File opened for modification: C:\Program Files\Mozilla Firefox\softokn3.dll
  - File opened for modification: C:\Program Files\7-Zip\Lang\el.txt
  - File created: C:\Program Files\Microsoft Office\root\Licenses16\readme.txt
  - File created: C:\Program Files\Java\readme.txt
  - File created: C:\Program Files\Internet Explorer\en-US\readme.txt
  - File created: C:\Program Files\Mozilla Firefox\browser\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\mozavutil.dll
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui
  - File opened for modification: C:\Program Files\AddConnect.xps
  - File opened for modification: C:\Program Files\ExitRepair.mp4
  - File opened for modification: C:\Program Files\Mozilla Firefox\install.log
  - File created: C:\Program Files (x86)\Common Files\System\es-ES\readme.txt
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  - PID 4280: vssadmin.exe
- Modifies registry class (3 IoCs)
  Process for every entry below: 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeBackupPrivilege, PID 5032, vssvc.exe
  - Token: SeRestorePrivilege, PID 5032, vssvc.exe
  - Token: SeAuditPrivilege, PID 5032, vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Columns: description, pid, Process, procid_target
  - PID 3824 wrote to memory of 4932, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 80
  - PID 3824 wrote to memory of 4932, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 80
  - PID 3824 wrote to memory of 4932, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 80
  - PID 4932 wrote to memory of 4280, 4932, cmd.exe, 82
  - PID 4932 wrote to memory of 4280, 4932, cmd.exe, 82
  - PID 3824 wrote to memory of 1076, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 85
  - PID 3824 wrote to memory of 1076, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 85
  - PID 3824 wrote to memory of 1076, 3824, 2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe, 85
Processes
- C:\Users\Admin\AppData\Local\Temp\2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe (PID 3824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2327018dab0e3beaed2123bcb5392405ab1e502dfa72a5a32c2c164346bb9bc6.exe"
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4932)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 4280)
      Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (PID 1076)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
- C:\Windows\system32\vssvc.exe (PID 5032)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken