blackbasta | 17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90

General

Target

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
Size

636KB
MD5

267d5c3137d313ce1a86c2f255a835e6
SHA1

c7a37c0edeffd23777cca44f9b49076be1bd43e6
SHA256

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90
SHA512

9c119a9f973dae77f2cdd6a855ae45c20660aadc5c592f6d06f6360dd0bb5a380d0ed1fcc23c0cb721da70bcca7d32db46181be675bf0587276d35d6da26a31e
SSDEEP

12288:aEky5bwpy02iRaeXCP2CIcdoKAXMr+Mr+kJZ4:j02iRaeHPcdo18rTrf6

Score

10^/10

blackbasta ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

blackbasta

Ransom Note

All of your files are currently encrypted by no_name_software. These files cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. DON'T move or rename your files. These parameters can be used for encryption/decryption process. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/ Your company id for log in: c98fa42b-3233-45df-bd7c-42529c44cb70 Your company key: 3 of any of your dc through comma. Example: "DC1, DC2, DC3". You can type less if you have no enough YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Renames multiple (356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\Wallpaper	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe

Drops file in Program Files directory 64 IoCs

Processes:

17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnkencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningDataencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.jaencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.jsonencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\DenyClose.regencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.logencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.tttencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xmlencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\SuspendRegister.sqlencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.htmlencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\History.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dllencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exeencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txtencrypted	17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1620 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2000 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ehshell.exe

pid process

2860 ehshell.exe

pid	process
1620	NOTEPAD.EXE

pid	process
2000	WINWORD.EXE

pid	process
2860	ehshell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ehshell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2860	ehshell.exe
Token: 33	1172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1172	AUDIODG.EXE
Token: 33	1172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1172	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2000 WINWORD.EXE
2000 WINWORD.EXE
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
2000	WINWORD.EXE
2000	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe
"C:\Users\Admin\AppData\Local\Temp\17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
PID:2468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1620

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\LockExpand.DVR"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1140

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2000
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
040ae5c2bdd54884b227cdf4e078ddb9

SHA1
9e9664a02b14214082beb31e839180ce9500b40b

SHA256
5f8d967a475fb1170cbdfe5173af63c1d19a0751f823cf4a3de594bcab3f517a

SHA512
fee91e14b5a87099804a8ff41706e97b5861c55eca45cda87c14a9e057710dc0d41b677295dc363a6a2337688bd4ceb6ddc176ff10d75c100c1450dd36e1e41f

Download Submit
memory/2000-428-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2000-429-0x00000000716DD000-0x00000000716E8000-memory.dmp

Filesize
44KB

Download
memory/2000-427-0x000000002F270000-0x000000002F3CD000-memory.dmp

Filesize
1.4MB

Download
memory/2860-414-0x000000001EA10000-0x000000001EAAE000-memory.dmp

Filesize
632KB

Download
memory/2860-417-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-408-0x000000001DB70000-0x000000001E178000-memory.dmp

Filesize
6.0MB

Download
memory/2860-409-0x000000001E180000-0x000000001E304000-memory.dmp

Filesize
1.5MB

Download
memory/2860-410-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-411-0x000000001AFC0000-0x000000001AFC1000-memory.dmp

Filesize
4KB

Download
memory/2860-412-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-413-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-405-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-415-0x000000001EAB0000-0x000000001EB68000-memory.dmp

Filesize
736KB

Download
memory/2860-416-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-407-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-418-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-419-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-421-0x000000001E950000-0x000000001E987000-memory.dmp

Filesize
220KB

Download
memory/2860-423-0x000000001B0E0000-0x000000001B0EA000-memory.dmp

Filesize
40KB

Download
memory/2860-422-0x000000001B0E0000-0x000000001B0EA000-memory.dmp

Filesize
40KB

Download
memory/2860-425-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-426-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-404-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-403-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/2860-402-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads