General

  • Target

    2a29806f2fe4302bc216d33ce1d96190f78f28e52f55cb9be8642497de72ea57

  • Size

    606KB

  • Sample

    240724-k7eldaybmm

  • MD5

    1f9d222381433d27ec45ec155cca3668

  • SHA1

    8f644d0abfe6d38e8ecd7c048e3dba9cec8556db

  • SHA256

    2a29806f2fe4302bc216d33ce1d96190f78f28e52f55cb9be8642497de72ea57

  • SHA512

    a5226d017b104a029f25ed29316188b27015610c4c89c5b1ab1347c2a894a8d3384b00d92042b3310abedb31489cfc1f12a1cb03e79fb04b6ffe7a9358b2bb86

  • SSDEEP

    12288:p53pdZHQDhgZ3l+CiirtpYNRNPKGOYU/ErfUN+lkbBSoqol5vzjJXOa:p53rZSgZ3l+Arn+GYUKfUvbBSoq4hL

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 41bdf082-8936-4e21-9f70-5446160a730f
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Targets

    • Target

      3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe

    • Size

      928KB

    • MD5

      2dc4adf06247b4ed9031a53ef910626c

    • SHA1

      789437e946b3e8d1ccd14ee70e42c7d89ba054b2

    • SHA256

      3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e

    • SHA512

      9e6eaa4b27e2d6bc1306c33e74465256fab086972680d3a0014cafca8f22bbf865ffaa0f81332ffef83287252faf2ca0c7f369d11412b19ffb57e8e72ea5e0ae

    • SSDEEP

      24576:oUY29aeV/XqzB+qv6w8zJx/W2nz9dPOmX:oUYMPqzFvT8/W2nznP

    • Black Basta

      A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9678) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks