Overview

overview

10

Static

static

3

d9d2838327...7c.exe

windows7-x64

10

d9d2838327...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe

  • Size

    743KB

  • MD5

    b3c9bb42bca62dea8ba72b8c04200ead

  • SHA1

    4a535112c45ea02782a154d271556a324110db52

  • SHA256

    d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c

  • SHA512

    721d0f67c552b79ceb8fdef092e75de1308e062c6b783d220f992e5b9c001e07c40b8a416adee5da20292157057e81cfa3eb618d33f0ebd1e89b9d5355fd0a7b

  • SSDEEP

    12288:B9uxWTNaFP2vTXhyy9cetos+cjMHeUT3VBoKfzY5gVNI3Ng+t:B9uxWTo52Thn9ce5675BoIz0gV6dvt

Score
10/10
blackbastadefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 5c33d3df-a9bf-4899-a852-b2d2ce9944ec 
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (1345) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2408
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\readme.txt
    Filesize

    395B

    MD5

    b4a2e3e446d794ab467364956096c047

    SHA1

    7b520a2b0b954a03ffd7fae189f933c94784f1c2

    SHA256

    5c7f7d725ae586b8914eb7e4514a6a52189ca3dc32af6be20d5a404e3f7ff298

    SHA512

    6f7d06b4b8a724372b5e3e6bf0881024bbc7a20a4d7c8b6a588ee65708b2c10a9d1862ae09102aa13eb02f089a1b8152ef87576bc14a953ac004c325594118c1

    Download Submit

  • \Program Files\Microsoft Office\Office14\VISSHE.DLL
    Filesize

    953KB

    MD5

    2f4759c23abcd639ac3ca7f8fa9480ac

    SHA1

    9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

    SHA256

    6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

    SHA512

    6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

    Download Submit

  • memory/2776-412-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-1255-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-8-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-5-0x0000000000401000-0x0000000000462000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2776-4-0x0000000000240000-0x0000000000242000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2776-3-0x00000000002D0000-0x0000000000310000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2776-1-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-2-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-0-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-6-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-2386-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-2481-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-7-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-2890-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-2756-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-3487-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-3489-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-3488-0x00000000002D0000-0x0000000000310000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2776-3491-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2776-3490-0x0000000000401000-0x0000000000462000-memory.dmp

    Filesize

    388KB

    Download