blackbasta | 09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25

Analysis

max time kernel
61s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
Size

454KB
MD5

848c0e307336503fda4fd86bb89cc4fd
SHA1

92d43641583917e1f0dbb47569a0a4364f44d41d
SHA256

09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25
SHA512

f9c38f0627ad6250e45d08bbd65a5e58409aa26038409331f7b67a2bc40f0833554185202aa341f7ef8ca32bac88aa815d41cfbfe2071750ff77301feec299ed
SSDEEP

12288:rMiWg4KiCCBfILnvJ8KHJj8Zp3pWF/kP8P:AiWg4jCJbve0A3EJdP

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\MSOCache\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: aa6b49d0-713d-46fb-b7ac-fb5605e2ac0a

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\D3DCompiler_47.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\HideNew.vsw	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Internet Explorer\images\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Common Files\Services\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Common Files\System\es-ES\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Java\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Microsoft Games\Purble Place\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\eula.rtf	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Reference Assemblies\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\SyncExpand.avi	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\DVD Maker\OmdBase.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Google\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Internet Explorer\en-US\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\MSBuild\Microsoft\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Google\Chrome\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Microsoft Games\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File created	C:\Program Files\Mozilla Firefox\defaults\readme.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
File opened for modification	C:\Program Files\RepairTest.dib	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1160	vssadmin.exe
1336	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1544	vssvc.exe
Token: SeRestorePrivilege	1544	vssvc.exe
Token: SeAuditPrivilege	1544	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1124	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	27
PID 1468 wrote to memory of 1124	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	27
PID 1468 wrote to memory of 1124	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	27
PID 1468 wrote to memory of 1124	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	27
PID 1124 wrote to memory of 1160	1124	cmd.exe	29
PID 1124 wrote to memory of 1160	1124	cmd.exe	29
PID 1124 wrote to memory of 1160	1124	cmd.exe	29
PID 1124 wrote to memory of 1160	1124	cmd.exe	29
PID 1468 wrote to memory of 616	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	32
PID 1468 wrote to memory of 616	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	32
PID 1468 wrote to memory of 616	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	32
PID 1468 wrote to memory of 616	1468	09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe	32
PID 616 wrote to memory of 1336	616	cmd.exe	34
PID 616 wrote to memory of 1336	616	cmd.exe	34
PID 616 wrote to memory of 1336	616	cmd.exe	34
PID 616 wrote to memory of 1336	616	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe
"C:\Users\Admin\AppData\Local\Temp\09bc7247b50a166996b667b9a6e696cfbafa203ffcbec46ad0cca27deacd5c25.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact