Analysis

  • max time kernel
    244s
  • max time network
    288s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14-05-2024 05:00

General

  • Target

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe

  • Size

    550KB

  • MD5

    e52aa8e50c0ccf883b7ab7f0c36bb878

  • SHA1

    f0ae322f5067b20ee89d9826dc806abdd610fb60

  • SHA256

    69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944

  • SHA512

    65e6b735a88a3ab6e4dad015c5de020756d9e60c38e48f71f7fa72a66586b172dccae79e9470d2424639d4ae2307acb187f2c8ae72c782ac5acce02fd9442c78

  • SSDEEP

    12288:lzymiDGnYdnieNfazSqBZg+30ki1+zB8NOUx:lBveNfazSshNi1UK

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your company id for log in: 460c3c4c-c19d-4567-b16a-a28e49949214 @>B
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (10233) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe
    "C:\Users\Admin\AppData\Local\Temp\69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:168
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\System32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml.basta

    Filesize

    3.3MB

    MD5

    3cdf2f65fd0b6c073d940961943e253d

    SHA1

    9af351c5fef8cc3b91fa84529aeb1829185b59dc

    SHA256

    2e92a8a7077111c2a6906efa00b2b8aba5f05f13df876562fb743fbb6210c29b

    SHA512

    c1d2e6063aad9464e5a2de23cfdb9cc1d5ef32bcff5f0ff5631c0bd81aa69cd293f2b0375650bcd94447dc5e516e04a7cdadd0df1ccc6be22606cfdb5731fe4c

  • C:\ProgramData\readme.txt

    Filesize

    402B

    MD5

    c3f7fe775bc1b6c8c2236647c2e8ec60

    SHA1

    05429b9ce635465a0aec1e7186970002c9c29233

    SHA256

    3e141631db263de8f740c0073853b0c4b181a09ec2ddef796859f3150aff4672

    SHA512

    18b275a18b842c0f9c3c776f206b35a6c3927fff00c982dc7f7da27fdca5a5cd959cbb4608e3b2b98a8f5304e9a24211f8fd75c28e8ba7d9d97bb39fdd06b308