blackbasta | 62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087

Resubmissions

09-03-2024 13:55

240309-q77j2saa7s 10

09-03-2024 12:43

240309-pya9tafh65 10

Analysis

max time kernel
103s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BOULEVARD.exe
Size

885KB
MD5

497ef4779c6770e4497adf0bc71655f1
SHA1

328a8793323f11c1d0c5f3ddedf4ae10caafb063
SHA256

62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087
SHA512

35c2c131a84205ecda974fc0cdf93db38184547586c28671379b13b98311289459b5b87c6c8ffa3233ccd42953d4faef47e27195ecd40011cc72cbf3b3e5af35
SSDEEP

24576:pAWf/LUup7zmMl8tOKnvwYQ62jaeekMEoBmn64:pTUS2Ml8trnvwYQ62japkMEQS64

Score

10^/10

blackbasta persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 91ff2d86-ecd6-429f-9cfe-ef43ac53155b *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BOULEVARD.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOULEVARD.exe"	BOULEVARD.exe

Drops file in Program Files directory 64 IoCs

Processes:

BOULEVARD.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	BOULEVARD.exe
File created	C:\Program Files (x86)\Windows NT\instructions_read_me.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	BOULEVARD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui	BOULEVARD.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\instructions_read_me.txt	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFXML.DLL	BOULEVARD.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Graph.jtp	BOULEVARD.exe
File opened for modification	C:\Program Files\SuspendRevoke.ps1	BOULEVARD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCFUIUTILITIESDLL.DLL	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OISAPP.DLL	BOULEVARD.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\instructions_read_me.txt	BOULEVARD.exe
File created	C:\Program Files\Uninstall Information\instructions_read_me.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7ge.kic	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7en.dll	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMCCore.dll	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat	BOULEVARD.exe
File opened for modification	C:\Program Files\DisconnectTest.tif	BOULEVARD.exe
File opened for modification	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	BOULEVARD.exe
File created	C:\Program Files\Windows Media Player\it-IT\instructions_read_me.txt	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSClientManifest.man	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sbdrop.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPDMCCore.dll.mui	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMC.exe.mui	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui	BOULEVARD.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL	BOULEVARD.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\instructions_read_me.txt	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCVDT.DLL	BOULEVARD.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui	BOULEVARD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	BOULEVARD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	BOULEVARD.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2444 vssadmin.exe

pid	process
2444	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

BOULEVARD.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmnqvv85c\DefaultIcon	BOULEVARD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmnqvv85c	BOULEVARD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmnqvv85c\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	BOULEVARD.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

BOULEVARD.exechrome.exe

pid process

2036 BOULEVARD.exe
2612 chrome.exe
2612 chrome.exe

pid	process
2036	BOULEVARD.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exechrome.exechrome.exe

description	pid	process
Token: SeBackupPrivilege	2944	vssvc.exe
Token: SeRestorePrivilege	2944	vssvc.exe
Token: SeAuditPrivilege	2944	vssvc.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BOULEVARD.execmd.exechrome.exechrome.exe

description	pid	process	target process
PID 2036 wrote to memory of 2756	2036	BOULEVARD.exe	cmd.exe
PID 2036 wrote to memory of 2756	2036	BOULEVARD.exe	cmd.exe
PID 2036 wrote to memory of 2756	2036	BOULEVARD.exe	cmd.exe
PID 2036 wrote to memory of 2756	2036	BOULEVARD.exe	cmd.exe
PID 2756 wrote to memory of 2444	2756	cmd.exe	vssadmin.exe
PID 2756 wrote to memory of 2444	2756	cmd.exe	vssadmin.exe
PID 2756 wrote to memory of 2444	2756	cmd.exe	vssadmin.exe
PID 2756 wrote to memory of 2444	2756	cmd.exe	vssadmin.exe
PID 2612 wrote to memory of 2524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 2524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 2524	2612	chrome.exe	chrome.exe
PID 2636 wrote to memory of 2444	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 2444	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 2444	2636	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1728	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1220	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1220	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1220	2612	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe
PID 2636 wrote to memory of 888	2636	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\BOULEVARD.exe
"C:\Users\Admin\AppData\Local\Temp\BOULEVARD.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7209758,0x7fef7209768,0x7fef7209778
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1536 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3208 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1236,i,12398755591861985570,7925789876241089699,131072 /prefetch:8
  2⤵
  PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7209758,0x7fef7209768,0x7fef7209778
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1268,i,7695437117034536097,18115615584340862644,131072 /prefetch:2
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1268,i,7695437117034536097,18115615584340862644,131072 /prefetch:8
  2⤵
  PID:1900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL

Filesize
152KB

MD5
6db7e717fe8f2c2f53e631f0ef33c823

SHA1
fb06557661b7c836316a56d334c0ed94911ca505

SHA256
68f8e26cc5a07dc718723430bbc73523a96fc419f3ec03fec75546e3f7e23cf4

SHA512
90c4755783f3738464691d0d8e7f2bdd3747c23434188a63976bd6158bf96ba0e434bc21f4451d524c7038143d07a95af8f5a4e8e565465b025bd851716b37bd

Download Submit
C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL

Filesize
253KB

MD5
a0ff2f08daff76f1a84acf483029d158

SHA1
70845edd1b2c83ce961e5957d4e818e874aace91

SHA256
e5823d2c31211d198a2c569571616a008734b3ce69f18a13a44bd1d136f394d7

SHA512
a6cd1db2fbc5447b49b69b7436487121806960bcb19dc50f4e2647ae230da42f8fed71ae5aefd194c82260e8492e9271290d548f7b989d9b03ebce808466a3ac

Download Submit
C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL

Filesize
1.5MB

MD5
39902da4018e390ea0f65d20a1a36f41

SHA1
3ef747587c023c42e3db49e08ee0046251b7005c

SHA256
2be969af6cf1e730e2bf37646add179ed1d83904a16dc04b7f9c1d7f37492b7d

SHA512
d4b47cd838e7b69019d68ee1e37e3277a700c119fa8e8a0af01ab2925aeafb99d7fb19ec3e7226ca894109d2213bb9048cd042f32a7cc2b19fbc76f2004b63a0

Download Submit
C:\Program Files\instructions_read_me.txt

Filesize
1KB

MD5
48fd4f0bdadd9e2a934c4aef789f7e13

SHA1
7e5c99a356f4fac0b9e538f8a2a8927d1c0c6850

SHA256
f1e74dfde27137949c2352cb782ed6b2d5cf5fcd2ad6fc1f6e91f2f89649e29e

SHA512
17ac0d35284095eea40c68a7d1ac2fb0eb7d19b429ffc072a4b4504a8b80ba7297958cf205a176fd3c651d18f8ba01e2b41f3155715c9e20a34b474e36cc4cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3b849fdb-d53b-4741-87f6-7c9fad917324.tmp

Filesize
132KB

MD5
58e124949c76c2dc5aee8d4e22cebf3f

SHA1
380888ba868f90b4fd41d11390804ebde6d75cd8

SHA256
f3f572cf34e7e2d91f6a0a4dfb19cac199a9f84ecf424853e7d803311320bd31

SHA512
d2c3c135d9d0798abdbe3aaac994727c56b4bfb8c4ad30a75f20565ff2579c835ac06f557d25d333777a4b3aa80de8c4869e9bd32b14a8ff8adeaa45ffe8be5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1736ac0190cb9b7b9fd40d1c09d851c9

SHA1
d068076a9e56e87b93598315d69b27340fd5729a

SHA256
68a788eb721331191f7196b7bb0a9b458c2e45ad9cfa7a1f30e0d6b279f64cba

SHA512
ab8bca4ac6892377d835469dbf3a4cbed11e8e426821b6c88de8a61b3aeaa6d762db03d3f0b32bc2b895d7c97b3feb328167bf2503d6ef85c4fd93f5daa01703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1506b9c5-e33d-4cc6-99a0-c13fd30a4baa.tmp

Filesize
4KB

MD5
ff7db2871442c39f3a8d2f95b3fec92d

SHA1
93a22bdc24ff7fff140303153f68d93df46c1807

SHA256
f55b594b342a6f03a682a4db9d859b30d220946ec365f6a4e7727e29ddbcf630

SHA512
34eeb1e4ec24b2a7a6160d29d5c4c3feec1adf031947b1e9c5aa72bbe1577461371a35e719781884973047916ef88a260a32b3deb71caf7305b2d50852ee42da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
00c56a8279ca599d4a7d640085e883bb

SHA1
e34443dcf71b51ee4979ced1ae7eec1b365510de

SHA256
22d8aa790762778c4dbbe1e5a57ed47c82f9bdee2633327942d1541f9f40b09a

SHA512
6c30fab0915b5f555d759a02d34e48fafeaff7c4ecd69936ed70e9014c8a7177b30fd7dc8f71324040e2d12641044b982e48c061ffdf2262e3b2bf6fb2ecfdcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
3f17ae2cde656273275c3fa5afa15ef4

SHA1
bc2151c29b3c95def0eb7c48e8453fa5c7087223

SHA256
79f1281b757e31594e6bd9896058f99aa408fdcafa7a02c2bc840ad3ad28e00d

SHA512
ecec104c955b4fef39d3709bb4807bb14adf4c77e8f48d734455893bd40f6f4e03beb964c57252dbdbe90142f8798a2e4ddd9341d0442763d253a14553ab283d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
fc6e5bc575239530586f62fe0d888472

SHA1
96aa1576a222d672ffcd2e6388fe3f98edf8acee

SHA256
a7c3c7064ff29b426d9e9b48baa300319bb4ab54695d3880c14e962b9f6ca182

SHA512
9dcb735edc042010390b565708b26d4c58eef66d247f35cfe97df47015172e94f7be946479b4d74872a80ccdaa9d1f097471b6e20f5d32728fed06228f33b481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
809f12aa843cbe946a0d887280aa78ab

SHA1
c1dde1824e210784e81752fb2b721fa1bb04692b

SHA256
1a261341225ac21fef42e48692bb2d4ff5b0645711f59bca636e17de1f3aa54f

SHA512
6ca78335ae900000ff0095fa2434669b21e5e1ca2e4108ac0d4d539363f268e6d8e76cdee2df482cfb6a6d60ad1c2389d9338e6d054d3f07a5d167aa83516d06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
c9372a5f7e76d16123faf084af44398d

SHA1
945af300bf897eb45e99f82c3f5886392908b8dc

SHA256
809a36ffa0c550e4df2b6c5c34a607dff6225d0b017aed4dc07dbfe48f483845

SHA512
d75368e2a728c226c0c7d54d4b2b77ee9861d7a2dfecdce1da450fa5a95918c4ffa55a0b46af599a9159b7a0a4071e67de35e979baa5178267b64890985a0c04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
\??\pipe\crashpad_2612_LNYIUFOABFLNMEUO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit