Overview

overview

10

Static

static

3

3d87136412...4e.exe

windows7-x64

10

3d87136412...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe

  • Size

    928KB

  • MD5

    2dc4adf06247b4ed9031a53ef910626c

  • SHA1

    789437e946b3e8d1ccd14ee70e42c7d89ba054b2

  • SHA256

    3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e

  • SHA512

    9e6eaa4b27e2d6bc1306c33e74465256fab086972680d3a0014cafca8f22bbf865ffaa0f81332ffef83287252faf2ca0c7f369d11412b19ffb57e8e72ea5e0ae

  • SSDEEP

    24576:oUY29aeV/XqzB+qv6w8zJx/W2nz9dPOmX:oUYMPqzFvT8/W2nznP

Score
10/10
blackbastadefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 41bdf082-8936-4e21-9f70-5446160a730f
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (7239) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe
    "C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2164
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\readme.txt
    Filesize

    394B

    MD5

    b17425a4db71b2ef8b7decd01038e502

    SHA1

    7e761bce96cc3033dec3a1c61d2672c6fbae3718

    SHA256

    36c359b9db03e7a6df3c37a25b16c53a71d6a866e6332faf203f19ddbfc1ed68

    SHA512

    fbe107f9275231e2e2dbbd80475d51e641a38fd24241366c3af0ed14d0f383bd9de731f2ed8b355c40a68008a6d80dbfb4008e06fd2538483bb8388c7085f636

    Download Submit

  • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta
    Filesize

    8.0MB

    MD5

    aa04d6ff15f600039b30baf87dcce591

    SHA1

    e0df68e812fe7569a79014b958a92c7b41020b0e

    SHA256

    28c598c098cd96cd859459de67ace2443f2f75ae857145508f0cbf3c96b57695

    SHA512

    73bdb6b3708ccc4f1c391302116beac94c77d0c0a0ff109451ed70d601b99225b677170c1d8472ea40fd1e91a6402e09b348fe4cbe458f18b1ede9564a1962ba

    Download Submit

  • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta
    Filesize

    3.9MB

    MD5

    8f29d656add122bb17cea08185d26c6b

    SHA1

    fbe6ac75b7dc8e2060a31ad0eae2d7432123df6b

    SHA256

    e6adc7ede3f278779d03477fb344c4c58b1c546e621ed4fbd5155ae96dea6f41

    SHA512

    e31949a71e6e2c9574918af248bfef930ef1450e597946cd31630dd138aa22c0c4f618061e662bfc4243346937ea9a840834e37aa38572637f7315e9892682b9

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta
    Filesize

    859KB

    MD5

    be2eb9e37901ed24c732dc69a596c0b3

    SHA1

    3752b0dcc3a8765f3fcc6712ecc272ef4b5cb945

    SHA256

    79365ef3228ae7e20bc486f0bf0117cf639c7aa59eeb28a6d805f0587602f430

    SHA512

    d38bf68e9c9ba63deec3a77c84f3f26a2db3bd1d6525efcf49716ed1477ebfe7b2ddecf28ce3f54f75088742b401f6cc47ae7d89d2364741ba84949488dc245c

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta
    Filesize

    826KB

    MD5

    c22d9cb3dcfc63acf46651ff24bb9c27

    SHA1

    619c3188288eb889ebfeb59937a164dde97d2ec0

    SHA256

    9ea0db27ace04f83eac4b9c1cc57a7edba3d5d1415ae7fa146bd2c40ef93affb

    SHA512

    fd33ebe1d032ccfdd8ce6b52a2f4eccee7f7b42faa1164aecf600e3bad4226790339c3b6b9f9e26a53035fab390f62f7a673ad225b8c14b0ed6603d32282fb90

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta
    Filesize

    581KB

    MD5

    676c4b407a30cd22c286f38f61b6726f

    SHA1

    f5770ad14e433c9c3105e4a5d51f3b0304e7bb11

    SHA256

    0f48d1381c8fd5ec6aeb1c4024e5acc84b6aab5bfb9ff768394cadfe06624448

    SHA512

    90524f62e10489097275b3ee8e86894025d2536a65d9972e61a6ff9d3c0eb6cba7971a85c6e32354c3f891b7e09f57fec6f111e007b2724c89cf72d88f46e896

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta
    Filesize

    758KB

    MD5

    cabf49cfc8ce6964ba89a10e550080d0

    SHA1

    830723ce5b3a623c8c9eef21a8ca42ac4aef4028

    SHA256

    0cb1cdee54c9c24d241f03fc195434b7e84f32c28897984f254b215940d66288

    SHA512

    4c20399e969724dfa37f4a6b391abdc90f5704c365f519b5d3a329be9ca84986f584b04e92c94b5ac111ffe400f93b96e6b32bcd86ec25b36fbed199a813eb87

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta
    Filesize

    763KB

    MD5

    b25eddbd15cce3cab981d1464a35532b

    SHA1

    5a1f2542e04799f4f94623d51eaf0dea9b377c84

    SHA256

    2a9a31c74b97a0089dab9729198fea2a8e79113d94d8baa902ed743f53b2651b

    SHA512

    453b0710a4380104ab8c965bb36608986349b0b2aee9dd00018b2352382a251880f41898e239104583c2224b772eb7949c16dd9cda636d1582022cd94784ba75

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta
    Filesize

    548KB

    MD5

    27f1b6191165b37d65ea294e91300d3b

    SHA1

    fb3a0699a2030fa5b0cc3a22bef04b2c5feee0f0

    SHA256

    6b4cda14094a09cc5a948999a4afabc0e1793c533a60e01573bb41c6443649a7

    SHA512

    419096cf3c3c1faa0dcdacca37fc56965142739c47b9cd9ac626010c3d457519aab5e9a37e5d9e9e5179bf819ea6679996f5e43342650d7ac146b0d3abdccc47

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta
    Filesize

    760KB

    MD5

    535da8512db1e21c4b2dbd3b7799bc2b

    SHA1

    62daf6ed73e316971844534ba9fbffc715708f1e

    SHA256

    a92a461493e18aef7fc0306768af4221d73fb105abb1c37980a0bf4de33eea68

    SHA512

    45ebf291c2c266ef930199119cab724f0e351411f5cff153ddd5af2a9cac7d2347b2ab61ee079417b9c9ee93a3a01d29be29bd199d869ed27cc5b6c712cbc8d1

    Download Submit

  • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta
    Filesize

    606KB

    MD5

    57c33c4d692eb7194a59dee0d1133466

    SHA1

    ee156a7fa757c69a29576320b88b4e2f002bcc2b

    SHA256

    1189eb852268c406de8073a2fdd0a6bb1587fad36163e8db86b5a60bec736b07

    SHA512

    dfdf894703271b060b9847d2822f61c8413fb6ab00156f78d9cd300e44d866b923189c808aea1d49125922f3edd81da268478c984d64ce66323c9d3770e2711e

    Download Submit

  • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta
    Filesize

    25.0MB

    MD5

    a92df78127e5eaa3f6b180db3411da25

    SHA1

    1be562abfb6220dbd6f269b49dd16e387f650d6e

    SHA256

    ee0278b69bfc0536d783f189f09446369058948b89d7e2bf5717af3991f15369

    SHA512

    e8212c17a960ceb30f8cbdc30625712cabb77cb19081626a1fb6164de9c08c3c7dfc163a6e8e1ad8418096485c3ca770c42179f1dd2d96df0fb453854bac3ee3

    Download Submit

  • memory/2820-0-0x0000000000300000-0x000000000038E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2820-4-0x0000000000300000-0x000000000038E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2820-17-0x0000000000300000-0x000000000038E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2820-18-0x0000000000300000-0x000000000038E000-memory.dmp

    Filesize

    568KB

    Download