Overview

overview

10

Static

static

3

d9d2838327...7c.exe

windows7-x64

10

d9d2838327...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe

  • Size

    743KB

  • MD5

    b3c9bb42bca62dea8ba72b8c04200ead

  • SHA1

    4a535112c45ea02782a154d271556a324110db52

  • SHA256

    d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c

  • SHA512

    721d0f67c552b79ceb8fdef092e75de1308e062c6b783d220f992e5b9c001e07c40b8a416adee5da20292157057e81cfa3eb618d33f0ebd1e89b9d5355fd0a7b

  • SSDEEP

    12288:B9uxWTNaFP2vTXhyy9cetos+cjMHeUT3VBoKfzY5gVNI3Ng+t:B9uxWTo52Thn9ce5675BoIz0gV6dvt

Score
10/10
blackbastadefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 5c33d3df-a9bf-4899-a852-b2d2ce9944ec 
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (2460) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\d9d2838327c081a6daf9528c77ff3a8ac88e8ff73521b97d34af0d3da5807e7c.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:100
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
        PID:880
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\readme.txt
        Filesize

        395B

        MD5

        b4a2e3e446d794ab467364956096c047

        SHA1

        7b520a2b0b954a03ffd7fae189f933c94784f1c2

        SHA256

        5c7f7d725ae586b8914eb7e4514a6a52189ca3dc32af6be20d5a404e3f7ff298

        SHA512

        6f7d06b4b8a724372b5e3e6bf0881024bbc7a20a4d7c8b6a588ee65708b2c10a9d1862ae09102aa13eb02f089a1b8152ef87576bc14a953ac004c325594118c1

        Download Submit

      • memory/4412-2590-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5869-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-2035-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-4-0x0000000000401000-0x0000000000462000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4412-6-0x0000000000720000-0x0000000000722000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4412-7-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-1-0x00000000021A0000-0x00000000021E0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4412-3-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-2-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-4980-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-2675-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5204-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5383-0x00000000021A0000-0x00000000021E0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4412-5382-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5555-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-5556-0x0000000000401000-0x0000000000462000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4412-5868-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4412-0-0x0000000000400000-0x00000000004A4000-memory.dmp

        Filesize

        656KB

        Download