Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23-07-2024 01:51
General
-
Target
3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe
-
Size
928KB
-
MD5
2dc4adf06247b4ed9031a53ef910626c
-
SHA1
789437e946b3e8d1ccd14ee70e42c7d89ba054b2
-
SHA256
3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e
-
SHA512
9e6eaa4b27e2d6bc1306c33e74465256fab086972680d3a0014cafca8f22bbf865ffaa0f81332ffef83287252faf2ca0c7f369d11412b19ffb57e8e72ea5e0ae
-
SSDEEP
24576:oUY29aeV/XqzB+qv6w8zJx/W2nz9dPOmX:oUYMPqzFvT8/W2nznP
Malware Config
Extracted
C:\ProgramData\readme.txt
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9693) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe"C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exeC:\Windows\System32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
394B
MD5b17425a4db71b2ef8b7decd01038e502
SHA17e761bce96cc3033dec3a1c61d2672c6fbae3718
SHA25636c359b9db03e7a6df3c37a25b16c53a71d6a866e6332faf203f19ddbfc1ed68
SHA512fbe107f9275231e2e2dbbd80475d51e641a38fd24241366c3af0ed14d0f383bd9de731f2ed8b355c40a68008a6d80dbfb4008e06fd2538483bb8388c7085f636
-
Filesize
8.0MB
MD5a6f88beca1862b79180da321f6fca28e
SHA18d93cc97b61eeb208b1d290e1df1068658b80578
SHA256a5d4773508aba1f6ce9a72af64c21f8d2997ff6e8f032ed74c28d6ee9b2ea863
SHA512ff5a938e0a6207a9be72ab53625fb93b8e595b3e85efb326ec6fd6bf130535094a1ae66eba0e1fefaa48439728a9c157c79bfd0ee5e967a77b4e74f99fc09183
-
Filesize
3.9MB
MD5def9c8929b2b0493a083cb9d6a9e2036
SHA1eb7757a9721c7f675aa7b2ade36417981f609882
SHA256636dc7b795c53ac3b860a8661dfd16d529450ef2c8b35c269f6ad3fab68a4913
SHA512d99fecb9dc313d20b46b1807f871809baea83fc67ac99c65279c26df07740a7c615e3fc6a183c1912e2f764da37cdaefe8c0740237b6de7ae4dd55b15a0afdfd
-
Filesize
859KB
MD5d782d15f88e93160fb60c6c846497f82
SHA1f54a2001439e2ce4f5664db1f9c5e300aa1a2256
SHA2560d1b48b792abc6f0b7e25042e76e99bb180cd35d2a8e59d264d40de575361281
SHA512e0d3ceb900ad6425dcfa933d0daae6a68b1945e563f9efb2e824f8a361642055144b326d13112ff074e5e0f71d50aa2a537f080c2ce36dae57684daa23a6cc59
-
Filesize
826KB
MD5b2187ed8550dafea1d1636a463dcea18
SHA1d82054ec4790e897cc426e66532e5a023c449bfa
SHA2566dd263b597a38fd34856473ba45c3327710d7badc230b929080afe8af5ce4f22
SHA512306d605d0aa72b8230ace8bcca8c004e2c9844e30d3e8246687df09f37e1ca230a200dbc4498c53e3ca1de717e704477fa381dbcfed09c685314492561500e63
-
Filesize
581KB
MD5ccb1fc2eb8e00c84485f95ecc1d83753
SHA1c272ab3a035f4388de94b74dd30e49cc9c556011
SHA25674441e2c1883f43e4f24e4f253993c591ab92b0a445d26b841905bdcaf18c017
SHA5129c18c54238c4ee12a0f07aedb4f3794e7882685d8ebdd3e2ce0caff635c892b83b62c593ebd6c813927e05cbd4215547054a9820947b1bf07447e9206322659e
-
Filesize
758KB
MD5dca281828c34ba1f0c126fe77f0d3faa
SHA1099773c5b09900f66ada1652b49985b1ee7fe1e2
SHA256cfe7513bbec52ff5f9f7200f0007d6cac3c274199ac9e5a35aa239c93d4bf2be
SHA512533219298192057277757b758d3ed10a632648756228a6e8cefd932cbda97cca62348b26984aa136640676d1bf94866de6ad0336738101b45d3cd25b308f0433
-
Filesize
763KB
MD57bf528698858ffcbea5bd95b64b2f14a
SHA1c0a75c379f0dc8ca309708b003c523321db17129
SHA256ba417bb2cd9a5ba35fc12846985d1e3cd3f429929ef946cd2e16f895764234c9
SHA512b76828e4c7bfa1c87ab524a7d1846b414ccebdbb044213b541ad010615cd9a2fa8abdaff6d3cdfe569e9f94800d8c3c9e2f607b65ba1e027453df66c7e7235c2
-
Filesize
548KB
MD5e06b37e0a3c05f48481c282cfc3f9ba5
SHA1f38dc37ee2289978181919bb234161ce45d61415
SHA256c826456515775341a1062b4ddb77fae4f5dc15dd70f57074f32f061274ecbc0d
SHA512d09b544ef74c855794efa9c7939c523cf9c3c843e6535f1991aac1fca7f67ef8923623bf258ccefe78c9be3c005a6a03bf6db83fe125ed50320759c49c9735f8
-
Filesize
760KB
MD585396b8a0ab016b1d07cfc1f9018e6f2
SHA15ce0401172063fc8392939bfefcb9f1aea563728
SHA2561451dae1fbd305020509725a91d79e67c759cb3b08ce3386f7af1a190c064f36
SHA512d43079718a5615aa859037480a34293dbefdec85bb34eb520f99dc2c27f67714e08a0a4eac9b95f95f9f23a50f486c3ec5da168b4a467ea8bd173d78ca290d17
-
Filesize
606KB
MD5dd0fd3c9df7df15eaad3d1e1e55faf2c
SHA1720247d079b14e559bed85de5cb3a81355078da3
SHA2563d9134e7b2a108cf245e39c7dd906b6990ab55ff732e99fb5930e3e67607dc2f
SHA512d0f99f6fe62fc311ab8e195ce280c356ce760b02a1fee77bc55621e601b4abe060fea29422d3e3949f917daeee3e99adcc9cacf9f44f21724db7af982af5beca
-
Filesize
25.0MB
MD563920ac3866b6a8b10d3d4eaf52899fc
SHA1ecffd7d5ee6dd7f02e73322909ea1ddcb8901efd
SHA256eab15bf96dc73f71dbf62be321f6200b637835b0019ba4670ebb6070673aa6c3
SHA5125b66ea29206dfb18750213d8e7d2fd2bf97d51ad5858b34361f1a1dd2ed546b26cae355012fbcd8097ed06a55e19f9d090929d5494bb454fe7e70177920533a5
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
-
Filesize
568KB
