Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 05:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe

  • Size

    550KB

  • MD5

    e52aa8e50c0ccf883b7ab7f0c36bb878

  • SHA1

    f0ae322f5067b20ee89d9826dc806abdd610fb60

  • SHA256

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944

  • SHA512

    65e6b735a88a3ab6e4dad015c5de020756d9e60c38e48f71f7fa72a66586b172dccae79e9470d2424639d4ae2307acb187f2c8ae72c782ac5acce02fd9442c78

  • SSDEEP

    12288:lzymiDGnYdnieNfazSqBZg+30ki1+zB8NOUx:lBveNfazSshNi1UK

Score
10/10
blackbastadefense_evasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 460c3c4c-c19d-4567-b16a-a28e49949214 @>B
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (9752) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe
    "C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2100

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\readme.txt
          Filesize

          402B

          MD5

          c3f7fe775bc1b6c8c2236647c2e8ec60

          SHA1

          05429b9ce635465a0aec1e7186970002c9c29233

          SHA256

          3e141631db263de8f740c0073853b0c4b181a09ec2ddef796859f3150aff4672

          SHA512

          18b275a18b842c0f9c3c776f206b35a6c3927fff00c982dc7f7da27fdca5a5cd959cbb4608e3b2b98a8f5304e9a24211f8fd75c28e8ba7d9d97bb39fdd06b308

          Download Submit

        • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta
          Filesize

          8.0MB

          MD5

          ed9064caeeced12c16ee10bab365ecda

          SHA1

          a52e7b2554bca15c5ad9be70a2a2ff576ea19b63

          SHA256

          991f295cf0481de2893b72bbb3871737589d2a2dcef2995f48041d5bf444d22f

          SHA512

          9967ae229c282fbd88c5080ac6d6a5685334c7bcc89a5ca2ba2e9c09f195338d107bc1e9d230cb9cba674bbb019c0986ea2a681dea5849dcd149e1264c50fd5a

          Download Submit

        • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta
          Filesize

          3.9MB

          MD5

          d1ba9eb9a2dba904aab32f821371619e

          SHA1

          e4bc9399bf5db39be9efa5918171de4b88c5ddd3

          SHA256

          2adabe92e5f87fa91b9d2d9318c1a38b14eb5bb23d423ea353685d414fa4a696

          SHA512

          86c5a62bfa080e744202aa68ceacfc8573da56987d6fdef0d26f44798ac4e8238927ab11120f6d92292f081df28bc428ddf2c36d640cf564446f23933eb64968

          Download Submit

        • C:\Users\Public\Music\Sample Music\Sleep Away.mp3.basta
          Filesize

          4.6MB

          MD5

          e63d0ce3551eac055ec652b126fd02e8

          SHA1

          d89f7e35ecc134ec7c89b23acc3438d54b89b1f8

          SHA256

          ae122a4050e9a85f3ca35bac043fe87e7a1f16ef6a57e135b7de7990ceb0bf4a

          SHA512

          ef1ba72623602078cf1c4c211f930f93279a22e33f5f86209cf3b3346d2aef00b7d05d3259d983906cf6ee451711a9b45adba68e9a206fa844e7e32c1cc688dd

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta
          Filesize

          859KB

          MD5

          ae0751500583eab51dcd139fa497b7cc

          SHA1

          4054f8211bc4910f8a856d6ad36b62ad525f47a7

          SHA256

          559d963ca62c39301d3aafec1967fbf1d5a73789c316fdd7e5e09212df3caa91

          SHA512

          648c9d9978e6688a866da4767e90c06b30b96b9d8413a44c4dcfaadc705c115dd2b50785fe8d4a2c6ac2da10307ad97a3d664f12b6b9ff1c28be5c1d98a5acc5

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta
          Filesize

          826KB

          MD5

          282a0d83ad36f4ac5df6c1893697af3e

          SHA1

          5fdd41933008a4743d771918624dbec194970f8f

          SHA256

          f9eff429f0f09e4b12f175d089dc60889f2e2c1367e8ad4e2f6252f38d2c1e03

          SHA512

          289b3c39a44f73112655071d1d81ed14b7bdbc71e09fc06d8a92a3ad65e30c8647bf627421cf0f5c56abd4eca0e8304854cd8b1e26e9e681ba0c7024c33a6a27

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta
          Filesize

          581KB

          MD5

          1999f555f9484268c722b335b00f985b

          SHA1

          ef4668ad78fba10dee8e61e2257a0dafafbe3948

          SHA256

          ecd1eb8e1b0508b3ed3662a467cc78a7c19c9e61013116cb3b12984f147f01de

          SHA512

          4a1cb47d08559eeaf9f4adf89fa955aab0a9cf9ef3c622e5cd8f09a89a844eb18a865bbe3734888475ec3c205aba9ea0b363c437511907242b5ac8fe0e18fdf0

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta
          Filesize

          758KB

          MD5

          9ed4bb313eda97882ba742c479b1f992

          SHA1

          ad674d2b96afbcd46208c939f4709d945697dbeb

          SHA256

          9dba39715c9b243e406d0e6fb885055a1741778941f3ab241ae6c4321bd67f28

          SHA512

          a7f716bb4b980bf7ae58d5472d073eb609766909e1179066052cc0714d6938729e06c6121aebcd18ffb9dec621c96759a3f55ab22eedc361393b06cb5d733d3e

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta
          Filesize

          763KB

          MD5

          275042c53a39bd637c8ed13863c4df93

          SHA1

          22097ac0429ac3eb5ec0aac15e3697d6c04f51c5

          SHA256

          b602d03316d57db339b59ad1c3c2e97f09d65fb0ae7238c9d30a0332a4b7c89b

          SHA512

          41aa14d2851d28536c6dbd18d540545411cf5393565cb524a7a1ee8de1935cbe452072d033dc7943b3e1ddc8a2143087660bffa5708e7130fc01860657508d8f

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta
          Filesize

          548KB

          MD5

          c56faf013b45aaeffd81881a4a4d1d66

          SHA1

          996c9d530d699e1691080841267d0a47e56d6f31

          SHA256

          f140c185c78b97e5501a9e33c44ca5692a4c69cf871662304474f61be1d1d6ca

          SHA512

          65498c97c74b2bbc657fc28cf76a82309bff06486fd9141d10738c0948562a9b674e1ca8fca9a9f29e33bdf9ca8cd4cc204d453016904abb1a2263ae9252089e

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta
          Filesize

          760KB

          MD5

          f409ab6a9ed60497e6ba283aace68fdb

          SHA1

          8277a92ba0ee9a0f9128628756e2452b99069010

          SHA256

          ce5f9e25a2e074847322a66cd90d6799ab4209a481e29b3fc0fb9aae6cc1dd24

          SHA512

          cdbf1373d356948cd96a9089baabe296cfbc14fdd3e2e5692ee807261123997f8d851a83f8e3ff548b73ea76a747f64afffea8310c833564057c7e6ac3977f0e

          Download Submit

        • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta
          Filesize

          606KB

          MD5

          c8785ac2f9d109c4be8993798dc40685

          SHA1

          724c77110f3bcb597a550a8c4a42024dc55a40cd

          SHA256

          15fe0afa1923157d2877c2714960a447efda0de4b567f393cdf4b48b86e898aa

          SHA512

          bc6cd159650fc0319cec75daf8acb9a179b3fb37fdada89743b895a6474a46fdd80aa03d72d594aa0448922cc5e90534a60ee348cbe27dceef7e732a69c940f4

          Download Submit

        • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta
          Filesize

          25.0MB

          MD5

          ed7671e023a034d27ce8b9f96be08fb6

          SHA1

          7edf1f196f16477f24c6a5cb7353cc97852826c4

          SHA256

          95ed64bac1d47d79073e60b035e2609faf092932cdeac7e2f55cd8ed2daefaa6

          SHA512

          a2bc9ceda51a36f5f5f956b93ccdd95ae32cb13cfa787f89a8364635b6ac471d7c2cfdfe387ca9ec8fcfce6f21b84ee055179188db27f3b777640d126e7129dc

          Download Submit