Resubmissions

11-01-2024 18:25

240111-w2nsmsdfgr 10

05-08-2023 18:50

230805-xhb56sdh75 10

General

  • Target

    9f948af3a30f125dcd24d8a628b3a18c66b3d72baede8496ee735cbdfd9cf0c7

  • Size

    1.2MB

  • Sample

    240111-w2nsmsdfgr

  • MD5

    42c15072a8aa222a10d96311969aa77a

  • SHA1

    a87e4a21996a4a35e0b96a19bcd0b6964d459378

  • SHA256

    9f948af3a30f125dcd24d8a628b3a18c66b3d72baede8496ee735cbdfd9cf0c7

  • SHA512

    d48489ac42670749e98a77469a35320621f0597fd2da70fd4407e86d283c62c7ccf8ce67b5a4e20208bd5fd8f826d082e5f6286719eb5a8b098a762abba77184

  • SSDEEP

    24576:9KuyRQZ7taLNQyucw8VQ3QhCtGEiCefenQ83pZkBTz8GE652kt:d2eQob7Q+ZITzqIV

Score
10/10

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your company id for log in: 9f2cd3ed-1d30-45ac-b47c-7d480426138d
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Targets

    Score
    10/10
    • Black Basta

      A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

    • Black Basta payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (595) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks