Analysis
-
max time kernel
139s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
28-10-2024 02:09
Static task
static1
Behavioral task
behavioral1
Sample
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.dll
Resource
win10v2004-20241007-en
General
-
Target
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.dll
-
Size
1023KB
-
MD5
53a7c9b7ae1309fa2fda3cd9cd04d35d
-
SHA1
0376101a6ba19ae78e70aa8ac355f73d2ba623ad
-
SHA256
1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3
-
SHA512
7950bf1455471f4c881d9b432a7bfdb31cc4e667a9c2c3acf59d1940b0604bb04493ea5b2dddba44be5665e8c9006c7d0c0a234c64d4d8fca4061e3467363e27
-
SSDEEP
12288:MaltsKTwLqC5SWYgeWYg955/155/QUrTaUHx2eP9RJbBDv6cTWPb9lWzpk+hMry/:MaltsKTwLB5k5PbG7pf6BadFmCxvzO
Malware Config
Extracted
Extracted from: C:\Program Files\instructions_read_me.txt
Family: blackbasta
URL (Tor hidden service, from the note): https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures
-
Black Basta
A ransomware family targeting Windows hosts and Linux (VMware ESXi) hypervisors, first seen in February 2022.
-
Blackbasta family
-
Renames multiple (9720) files, appending a new filename extension
Mass renaming with one appended extension is the signature of a ransomware encryptor processing every reachable file; the extension here is consistent with the .y11o7dcib file class the sample registers (see "Modifies registry class").
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. In a ransomware run this signature also fires when the encryptor simply traverses and rewrites files under browser profile directories, so on its own it is weak evidence of credential theft or exfiltration.
-
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | rundll32.exe
Drops file in Program Files directory 64 IoCs
The sandbox lists 64 of the events. "File created" rows are the ransom note instructions_read_me.txt being written into each directory the encryptor visits; "File opened for modification" rows are existing files being rewritten in place, consistent with encryption rather than deletion-and-copy.
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL | rundll32.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceer35EN.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | rundll32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll | rundll32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL | rundll32.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png | rundll32.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.DPV | rundll32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui | rundll32.exe
File opened for modification | C:\Program Files\ConvertSave.pot | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SSGEN.DLL | rundll32.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll | rundll32.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15185_.GIF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg | rundll32.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png | rundll32.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Brunei | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png | rundll32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries | rundll32.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF | rundll32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_lv.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll | rundll32.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF | rundll32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar | rundll32.exe
File opened for modification | C:\Program Files\Windows Journal\es-ES\Journal.exe.mui | rundll32.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll | rundll32.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml | rundll32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF | rundll32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt | rundll32.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar | rundll32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png | rundll32.exe
File created | C:\Program Files\Microsoft Games\FreeCell\instructions_read_me.txt | rundll32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat | rundll32.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html | rundll32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | rundll32.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\instructions_read_me.txt | rundll32.exe
Modifies registry class 3 IoCs
The sample registers a file class for the .y11o7dcib extension and points its DefaultIcon at an icon file dropped in the user's Temp directory, so encrypted files display a custom icon in Explorer. A new HKLM\SOFTWARE\Classes\.<random> key with a DefaultIcon under %TEMP% is a durable host indicator that survives the process tree.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.y11o7dcib\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.y11o7dcib\DefaultIcon | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.y11o7dcib | rundll32.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1972 | notepad.exe
Suspicious use of WriteProcessMemory 6 IoCs
The sandbox reports each write three times. The two distinct edges, rundll32.exe (2348) into cmd.exe (2056) and cmd.exe (2056) into notepad.exe (1972), coincide with the parent creating the child in the process tree below; a parent writing into a freshly created child is expected during process creation and is not by itself evidence of injection.
description | pid | Process | procid_target
PID 2348 wrote to memory of 2056 | 2348 | rundll32.exe | 33
PID 2348 wrote to memory of 2056 | 2348 | rundll32.exe | 33
PID 2348 wrote to memory of 2056 | 2348 | rundll32.exe | 33
PID 2056 wrote to memory of 1972 | 2056 | cmd.exe | 35
PID 2056 wrote to memory of 1972 | 2056 | cmd.exe | 35
PID 2056 wrote to memory of 1972 | 2056 | cmd.exe | 35
Processes
-
1. C:\Windows\system32\rundll32.exe (PID 2348)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1354254499b2e3353708747d36c334074f40c1f726ea7590384f2192c972f8c3.dll,#1
The ",#1" suffix makes rundll32.exe call the DLL's export at ordinal 1 rather than a named export, and the DLL is loaded from the user's Temp directory; rundll32.exe invoking an ordinal export from a user-writable path is itself worth alerting on.
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
2. C:\Windows\system32\cmd.exe (PID 2056, child of 2348)
Command line: cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
- Suspicious use of WriteProcessMemory
3. C:\Windows\system32\notepad.exe (PID 1972, child of 2056)
Command line: notepad.exe c:\instructions_read_me.txt
- Opens file in notepad (likely ransom note)
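The process tree and signatures above describe four behaviours that can be turned into host-based detection logic: rundll32.exe loading a DLL from %TEMP% by export ordinal, that rundll32.exe spawning cmd.exe and notepad.exe to display the ransom note, a new file-class key whose DefaultIcon lives under %TEMP%, and mass renames that append one new extension. The following Python is an added example written for this page, not code from the sandbox vendor or from the sample. The event dictionaries imitate Sysmon-style process, registry and rename telemetry and are constructed to mirror the report; the field names, the helper names and the five-rename threshold are this example's own assumptions.

```python
"""Host-based triage for the Black Basta behaviours in the report above.

Added example for this page, not code from the sandbox vendor or the sample.
Event dicts below imitate Sysmon-style process, registry and rename telemetry
and are constructed to mirror the report; field names and thresholds are this
example's own assumptions.
"""
import re
from collections import Counter

RANSOM_NOTE_NAME = "instructions_read_me.txt"            # note name from the report
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)  # %TEMP% on the sandbox host
RUNDLL_ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\s+.+\.dll,#\d+", re.I)  # '<dll>,#N'
CLASS_KEY_RE = re.compile(r"\\classes\\(\.[^\\]+)\\defaulticon$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_temp_by_ordinal(events):
    """PIDs of rundll32.exe invoking an export by ordinal from a DLL under %TEMP%."""
    return [e["pid"] for e in events
            if e["type"] == "process" and basename(e["image"]) == "rundll32.exe"
            and RUNDLL_ORDINAL_RE.search(e["cmd"]) and TEMP_RE.search(e["cmd"])]


def ancestors(pid, procs):
    """Yield parent PIDs up the tree; stops at a parent with no process event."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        yield pid


def ransom_note_display(events, suspicious_pids):
    """notepad.exe opening the note with a flagged rundll32.exe among its ancestors."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    return [p["pid"] for p in procs.values()
            if basename(p["image"]) == "notepad.exe"
            and RANSOM_NOTE_NAME in p["cmd"].lower()
            and any(a in suspicious_pids for a in ancestors(p["pid"], procs))]


def extension_class_with_temp_icon(events):
    """(extension, icon) pairs for Classes\\.<ext>\\DefaultIcon values under %TEMP%."""
    out = []
    for e in events:
        if e["type"] == "registry":
            m = CLASS_KEY_RE.search(e["key"])
            if m and TEMP_RE.search(e["value"]):
                out.append((m.group(1).lower(), e["value"]))
    return out


def appended_extension_renames(events, threshold=5):
    """Extensions appended to existing names (dst == src + '.ext') at least threshold times."""
    counts = Counter()
    for e in events:
        if e["type"] == "rename":
            src, dst = e["src"].lower(), e["dst"].lower()
            if dst.startswith(src + ".") and "\\" not in dst[len(src):]:
                counts[dst[len(src):]] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def triage(events, rename_threshold=5):
    """Combine the four behaviours; three or more firing is treated as ransomware-like."""
    pids = rundll32_temp_by_ordinal(events)
    findings = {
        "rundll32_temp_ordinal": pids,
        "ransom_note_notepad": ransom_note_display(events, set(pids)),
        "extension_class_temp_icon": extension_class_with_temp_icon(events),
        "mass_rename": appended_extension_renames(events, rename_threshold),
    }
    fired = sum(1 for v in findings.values() if v)
    findings["verdict"] = ("ransomware-like" if fired >= 3
                           else "suspicious" if fired else "clean")
    return findings


# Constructed telemetry mirroring the report's process tree, registry IoC and a
# handful of the Program Files paths it lists; PIDs 2348/2056/1972 are the report's.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "process", "pid": 2348, "ppid": 1204, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe " + TEMP + r"\sample.dll,#1"},
    {"type": "process", "pid": 2056, "ppid": 2348, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r"cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt"},
    {"type": "process", "pid": 1972, "ppid": 2056, "image": r"C:\Windows\system32\notepad.exe",
     "cmd": r"notepad.exe c:\instructions_read_me.txt"},
    # benign contrast: system DLL, named export, nothing under %TEMP%
    {"type": "process", "pid": 3000, "ppid": 1204, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "pid": 2348, "key": r"HKLM\SOFTWARE\Classes\.y11o7dcib\DefaultIcon",
     "value": TEMP + r"\fkdjsadasd.ico"},
    # benign contrast: an ordinary save-rename that does not append an extension
    {"type": "rename", "pid": 4100, "src": r"C:\Users\Admin\Documents\~WRL0001.tmp",
     "dst": r"C:\Users\Admin\Documents\report.docx"},
]
EVENTS += [{"type": "rename", "pid": 2348, "src": p, "dst": p + ".y11o7dcib"} for p in (
    r"C:\Program Files\ConvertSave.pot",
    r"C:\Program Files\Java\jre7\bin\rmid.exe",
    r"C:\Program Files (x86)\Microsoft Office\Office14\SSGEN.DLL",
    r"C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll",
    r"C:\Program Files\Windows Journal\es-ES\Journal.exe.mui",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll",
)]

if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

The four checks are deliberately independent: the benign rundll32.exe invocation (a system DLL by named export) and the ordinary save-rename in the constructed events do not fire any of them, while the report's chain fires all four. The rename threshold of five is far below the 9,720 renames the sandbox counted and should be tuned per environment; a real deployment would also scope the rename check to a short time window so that a slow legitimate bulk rename does not trip it.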
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 726ce44468fd2f6ae38e2e4bf2baee96
SHA1 73afb5947c8ad295ea6b1b70826402346c070935
SHA256 b54d6dde66a659069e69c8bac9af629b40f4907c1fc7b9fc1f76d5eb42384e50
SHA512 b26709072cc866150c492f92a6a1483a8582f6145cf8cfc10230797c9e0960e063fda58e2741ae1ed88ded0480184b2264b59d1554030df0cfd8afa2ca8c5113