blackbasta | 1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46

Analysis

max time kernel
62s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
Size

461KB
MD5

b1c520938a92644d0831b33df52d9e73
SHA1

73d59c49596575a9bb08b87f28ebc7e7f8afec10
SHA256

1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46
SHA512

5b513d9701cb6441a0fb33858dd616f10fe1332a2c70725ed1b568032428cbdffad2f2d8cb4dab0503f31dec7cb7d367ae98135c483e28037e66f97280dcd33f
SSDEEP

12288:mXmpJhb0veHINIDfaQ/lHYkVeUlkIDXQxlPnpkcEgNa:m8JhCeHywhkOAxVn6cEh

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\odt\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 533cd596-1fa4-477e-ae86-935498094e86

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertMerge.tif => C:\Users\Admin\Pictures\AssertMerge.tif.basta	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File renamed	C:\Users\Admin\Pictures\OptimizeWatch.crw => C:\Users\Admin\Pictures\OptimizeWatch.crw.basta	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Microsoft Office\root\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Microsoft Office\root\vfs\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java_crw_demo.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\ieinstal.exe.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\BackupWatch.ods	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\VideoLAN\VLC\locale\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\MSBuild\Microsoft\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\hmmapi.dll.mui	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File created	C:\Program Files\Common Files\System\ja-JP\readme.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_iio.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3448	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4968	vssvc.exe
Token: SeRestorePrivilege	4968	vssvc.exe
Token: SeAuditPrivilege	4968	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 1708	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	80
PID 4072 wrote to memory of 1708	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	80
PID 4072 wrote to memory of 1708	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	80
PID 1708 wrote to memory of 3448	1708	cmd.exe	82
PID 1708 wrote to memory of 3448	1708	cmd.exe	82
PID 4072 wrote to memory of 4308	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	85
PID 4072 wrote to memory of 4308	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	85
PID 4072 wrote to memory of 4308	4072	1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe	85

C:\Users\Admin\AppData\Local\Temp\1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe
"C:\Users\Admin\AppData\Local\Temp\1a8a283732f920d34233eac14ab03d681f3837b2e759df4ff1dd383249074e46.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4072-132-0x0000000002DB0000-0x0000000002E18000-memory.dmp

Filesize
416KB

Download
memory/4072-135-0x00000000000F0000-0x000000000017E000-memory.dmp

Filesize
568KB

Download
memory/4072-137-0x00000000000F0000-0x000000000017E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads