Analysis

  • max time kernel
    191s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 05:00

General

  • Target

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe

  • Size

    550KB

  • MD5

    e52aa8e50c0ccf883b7ab7f0c36bb878

  • SHA1

    f0ae322f5067b20ee89d9826dc806abdd610fb60

  • SHA256

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944

  • SHA512

    65e6b735a88a3ab6e4dad015c5de020756d9e60c38e48f71f7fa72a66586b172dccae79e9470d2424639d4ae2307acb187f2c8ae72c782ac5acce02fd9442c78

  • SSDEEP

    12288:lzymiDGnYdnieNfazSqBZg+30ki1+zB8NOUx:lBveNfazSshNi1UK

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 460c3c4c-c19d-4567-b16a-a28e49949214
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (9752) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe
    "C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2100

Downloads

  • C:\Program Files (x86)\readme.txt

    Filesize

    402B

    MD5

    c3f7fe775bc1b6c8c2236647c2e8ec60

    SHA1

    05429b9ce635465a0aec1e7186970002c9c29233

    SHA256

    3e141631db263de8f740c0073853b0c4b181a09ec2ddef796859f3150aff4672

    SHA512

    18b275a18b842c0f9c3c776f206b35a6c3927fff00c982dc7f7da27fdca5a5cd959cbb4608e3b2b98a8f5304e9a24211f8fd75c28e8ba7d9d97bb39fdd06b308

  • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta

    Filesize

    8.0MB

    MD5

    ed9064caeeced12c16ee10bab365ecda

    SHA1

    a52e7b2554bca15c5ad9be70a2a2ff576ea19b63

    SHA256

    991f295cf0481de2893b72bbb3871737589d2a2dcef2995f48041d5bf444d22f

    SHA512

    9967ae229c282fbd88c5080ac6d6a5685334c7bcc89a5ca2ba2e9c09f195338d107bc1e9d230cb9cba674bbb019c0986ea2a681dea5849dcd149e1264c50fd5a

  • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta

    Filesize

    3.9MB

    MD5

    d1ba9eb9a2dba904aab32f821371619e

    SHA1

    e4bc9399bf5db39be9efa5918171de4b88c5ddd3

    SHA256

    2adabe92e5f87fa91b9d2d9318c1a38b14eb5bb23d423ea353685d414fa4a696

    SHA512

    86c5a62bfa080e744202aa68ceacfc8573da56987d6fdef0d26f44798ac4e8238927ab11120f6d92292f081df28bc428ddf2c36d640cf564446f23933eb64968

  • C:\Users\Public\Music\Sample Music\Sleep Away.mp3.basta

    Filesize

    4.6MB

    MD5

    e63d0ce3551eac055ec652b126fd02e8

    SHA1

    d89f7e35ecc134ec7c89b23acc3438d54b89b1f8

    SHA256

    ae122a4050e9a85f3ca35bac043fe87e7a1f16ef6a57e135b7de7990ceb0bf4a

    SHA512

    ef1ba72623602078cf1c4c211f930f93279a22e33f5f86209cf3b3346d2aef00b7d05d3259d983906cf6ee451711a9b45adba68e9a206fa844e7e32c1cc688dd

  • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta

    Filesize

    859KB

    MD5

    ae0751500583eab51dcd139fa497b7cc

    SHA1

    4054f8211bc4910f8a856d6ad36b62ad525f47a7

    SHA256

    559d963ca62c39301d3aafec1967fbf1d5a73789c316fdd7e5e09212df3caa91

    SHA512

    648c9d9978e6688a866da4767e90c06b30b96b9d8413a44c4dcfaadc705c115dd2b50785fe8d4a2c6ac2da10307ad97a3d664f12b6b9ff1c28be5c1d98a5acc5

  • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta

    Filesize

    826KB

    MD5

    282a0d83ad36f4ac5df6c1893697af3e

    SHA1

    5fdd41933008a4743d771918624dbec194970f8f

    SHA256

    f9eff429f0f09e4b12f175d089dc60889f2e2c1367e8ad4e2f6252f38d2c1e03

    SHA512

    289b3c39a44f73112655071d1d81ed14b7bdbc71e09fc06d8a92a3ad65e30c8647bf627421cf0f5c56abd4eca0e8304854cd8b1e26e9e681ba0c7024c33a6a27

  • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta

    Filesize

    581KB

    MD5

    1999f555f9484268c722b335b00f985b

    SHA1

    ef4668ad78fba10dee8e61e2257a0dafafbe3948

    SHA256

    ecd1eb8e1b0508b3ed3662a467cc78a7c19c9e61013116cb3b12984f147f01de

    SHA512

    4a1cb47d08559eeaf9f4adf89fa955aab0a9cf9ef3c622e5cd8f09a89a844eb18a865bbe3734888475ec3c205aba9ea0b363c437511907242b5ac8fe0e18fdf0

  • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta

    Filesize

    758KB

    MD5

    9ed4bb313eda97882ba742c479b1f992

    SHA1

    ad674d2b96afbcd46208c939f4709d945697dbeb

    SHA256

    9dba39715c9b243e406d0e6fb885055a1741778941f3ab241ae6c4321bd67f28

    SHA512

    a7f716bb4b980bf7ae58d5472d073eb609766909e1179066052cc0714d6938729e06c6121aebcd18ffb9dec621c96759a3f55ab22eedc361393b06cb5d733d3e

  • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta

    Filesize

    763KB

    MD5

    275042c53a39bd637c8ed13863c4df93

    SHA1

    22097ac0429ac3eb5ec0aac15e3697d6c04f51c5

    SHA256

    b602d03316d57db339b59ad1c3c2e97f09d65fb0ae7238c9d30a0332a4b7c89b

    SHA512

    41aa14d2851d28536c6dbd18d540545411cf5393565cb524a7a1ee8de1935cbe452072d033dc7943b3e1ddc8a2143087660bffa5708e7130fc01860657508d8f

  • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta

    Filesize

    548KB

    MD5

    c56faf013b45aaeffd81881a4a4d1d66

    SHA1

    996c9d530d699e1691080841267d0a47e56d6f31

    SHA256

    f140c185c78b97e5501a9e33c44ca5692a4c69cf871662304474f61be1d1d6ca

    SHA512

    65498c97c74b2bbc657fc28cf76a82309bff06486fd9141d10738c0948562a9b674e1ca8fca9a9f29e33bdf9ca8cd4cc204d453016904abb1a2263ae9252089e

  • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta

    Filesize

    760KB

    MD5

    f409ab6a9ed60497e6ba283aace68fdb

    SHA1

    8277a92ba0ee9a0f9128628756e2452b99069010

    SHA256

    ce5f9e25a2e074847322a66cd90d6799ab4209a481e29b3fc0fb9aae6cc1dd24

    SHA512

    cdbf1373d356948cd96a9089baabe296cfbc14fdd3e2e5692ee807261123997f8d851a83f8e3ff548b73ea76a747f64afffea8310c833564057c7e6ac3977f0e

  • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta

    Filesize

    606KB

    MD5

    c8785ac2f9d109c4be8993798dc40685

    SHA1

    724c77110f3bcb597a550a8c4a42024dc55a40cd

    SHA256

    15fe0afa1923157d2877c2714960a447efda0de4b567f393cdf4b48b86e898aa

    SHA512

    bc6cd159650fc0319cec75daf8acb9a179b3fb37fdada89743b895a6474a46fdd80aa03d72d594aa0448922cc5e90534a60ee348cbe27dceef7e732a69c940f4

  • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta

    Filesize

    25.0MB

    MD5

    ed7671e023a034d27ce8b9f96be08fb6

    SHA1

    7edf1f196f16477f24c6a5cb7353cc97852826c4

    SHA256

    95ed64bac1d47d79073e60b035e2609faf092932cdeac7e2f55cd8ed2daefaa6

    SHA512

    a2bc9ceda51a36f5f5f956b93ccdd95ae32cb13cfa787f89a8364635b6ac471d7c2cfdfe387ca9ec8fcfce6f21b84ee055179188db27f3b777640d126e7129dc