Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 00:55

General

  • Target

    BlackBasta_03.bin.exe

  • Size

    716KB

  • MD5

    ac625552601c190656dcb8cf4c21cd1d

  • SHA1

    acad7a91c2812a0652d62f252774454c217666e9

  • SHA256

    03309c90e6c60a2e3cd44374efa3003ae10cd9e05ba6a39c77aa5289b32cb969

  • SHA512

    9e04dbbc624e808a678e64648dbc12deb286341876ea4590d50f996732dde2b91c6b7defbffcbdd3883c74a98488a0ad26540b364942d3117625770bc4e5e6d3

  • SSDEEP

    12288:nB6xrkyoUKbidQN0M2TNK36YPiCuL1+jZ5tXdAD6x/NJxaZUzrd9gW6PdrO5SAou:nwrkyoUGJJgWQrOUAua

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note
Your data are stolen and encrypted.
The data will be published on TOR website if you do not pay the ransom.
You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your company id for log in: 5f19e2b1-ca23-4d1d-b642-de2543c02742
URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Blackbasta family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (9743) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlackBasta_03.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackBasta_03.bin.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      PID:2688
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\System32\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\readme.txt

      Filesize

      395B

      MD5

      ff661a42071a777d8fed3b587d062834

      SHA1

      b252a1ec08506c23ff99ba343daf15e5ff69e6b9

      SHA256

      88cdaa00b27e88a0fb1851cbe59d1365ac7b625ff535e1e68451ecf48928da8e

      SHA512

      11c582f053ec64e4e398a8d3c7c5c36fc76deb4a3b9c569ae7475e8c7b1f1673779fac8dfa84eae6bb4f8efee2cde16d186686afa1c4dd5a472366789ec9d6a1

    • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta

      Filesize

      8.0MB

      MD5

      0c029f01f18509abae8c55038078a61a

      SHA1

      866f19a335c045df6df40ff7a01c1ef5ae4c2816

      SHA256

      7b47c2032d84ff2ee93959a4d7c9d7115b4ad74baf3cd2dff4e68c4ff494c6f5

      SHA512

      f04407b674dd365e1dc556c74dbd2fcdc2cb3500b8c07ec3ea41fff3fd53f0c4227351a4dab35e676219eb13c1dcc2e353412ddab933382835d1531602427a0b

    • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta

      Filesize

      3.9MB

      MD5

      b00986ed3c5c042949b327a00a9a567f

      SHA1

      4412435b9b673952647d39d9e82e165b34baf4c4

      SHA256

      34e05472c8e1ea2aa1291f53d3ea1ae52017b56b5943c4c0e21cf1b45a8fdd16

      SHA512

      3d9de3db5f3f3ebe1c1672af1ae069aec0ccbabe57859c05e4d6de6454985cd393c14c1eb5d6b3d90031c714a5af7e30ca6021d6432b8f50a7eec184f4c8ec27

    • C:\Users\Public\Music\Sample Music\Sleep Away.mp3.basta

      Filesize

      4.6MB

      MD5

      90248197996883ad7cbdb433c1bbbc16

      SHA1

      86b768588ea46fa2d512079170a1a3da6ef09693

      SHA256

      c415862a3d5b08801414bce5fb16968db8c1a25291abb62952336f9b4b4c970b

      SHA512

      30ec85794a3789489a6a518e99131924816376fc4b93ca1df66b7ae500e57ea742ecdd4cb488c06a15aea82f99c9fd5189d815c5ff193b95631d47ba53990c80

    • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta

      Filesize

      859KB

      MD5

      ec705ad732046836c97e5f0e2c679ed8

      SHA1

      2c5a2798b2f0dcdf45c78b19d374354415fb315d

      SHA256

      68bc5302325292e229b0f22e1e419854f8cc37e595e736bf16e600993a4b4806

      SHA512

      4db1d3c0ca618d53f5ec281c878431e592e52f4f3b29b2f1a679981b42634d93def0a62e9e6add30b01cbd57ccac1c67035228d5ff2422e345d90bc993392f9f

    • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta

      Filesize

      826KB

      MD5

      72f6141cdc4297331f59609c4d3c0a19

      SHA1

      4a4ce0920bc1ece311ff5239df224b6aa309cefd

      SHA256

      f4a08e91a0f4c1e086e3b2344b6cfdcc24083abae31ac1f271879298cd862801

      SHA512

      88f25acdbe41dec133d598e55ded988fc64a95d7acd1a960bfd0d21046d1b1cef2f0ab99cdea147b80d76750e9e93dd5eebfe6162ac93212792938f964f97b0b

    • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta

      Filesize

      581KB

      MD5

      80179ec33949167d45cfeab37e349bea

      SHA1

      a91a1c233c50eb333efb4d10abcc43c5dfd9f93a

      SHA256

      bd063815012c916d3a7f6ebc71d7c32fd5459dbf73702f8e885bf8a145a2111b

      SHA512

      aca32ab60c28189c74b22d4975b0f65476013791e5cfb6291f8543ee2243f9e0a292710898a047c258f8b8498d89acc677ef067375bbd448ce1447f83a2f8d17

    • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta

      Filesize

      758KB

      MD5

      30e4ed28160e9cc3ba33a9767de4ee64

      SHA1

      34e22a444ec855156ecac4ff92023cf636a5fe53

      SHA256

      bf5800450be6bae2057afecc2ab9b03f5dc27165a4cf5ffeab44fa376f628df4

      SHA512

      bb218d614dc75a204dd9218bdd30571153538008842770ef5db52f6dd889131710cb2633c2473bba6f15272f499663e6a3fc5a9fd64973d07f9dbbbfef278561

    • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta

      Filesize

      763KB

      MD5

      9e43f3380ee83dec9c27f9b40f7d7c85

      SHA1

      00b25e84788a202ab79e704103c3b23874e83274

      SHA256

      4f7f2e813fce776ed915c4a5a397b7f461bc9479fd5c5775c4880fdbc7c3cdc3

      SHA512

      09ffd656cc0e70cc3c96de48c50bf1469a398951215cfffed8cbe1ca8dc4d7f7531094624bb2fc50d00f19f10d7e4e9447932217f37b2cfb69946e95f1c7459c

    • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta

      Filesize

      548KB

      MD5

      bb36b0dd470f80b78ab9fdfd79e37e8b

      SHA1

      0d5f75ea1e84ebe311f506cdac69dfd2a68b6dde

      SHA256

      f0d7d66fbd854a809263adb313f755eff83b17fd134d0cf2e2b60a8ef86b251d

      SHA512

      310740d7ff670804378faf57d89e098f32296ae7f971e6875127951c1ef9183019c5a0696da1fa682019ce41f4036182763d590a77c929d33d334d1fd09b0e6d

    • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta

      Filesize

      760KB

      MD5

      7d8f891432a5a3ab5cd8007b440e76a3

      SHA1

      06f933093d02fdef4bf79a144e83399744057ca5

      SHA256

      0f5bf15a2ad52a4159ffe65dd88ca14c76bdd0b5c483dbd583ef2b5323280e54

      SHA512

      78344d09fbb311bca91f646ae8c234a64c0501d875c0695153c4aa6cdd3ef40095c771bd3b421ef3c4a90301c449f5d99345ea7e7e7922efc8e7dda3328d459f

    • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta

      Filesize

      606KB

      MD5

      aa91bbbeb01eaf4ccac8692e16f426b8

      SHA1

      5d02f12c9bb87dae7e2fe57b910c743d680bbee4

      SHA256

      72ea21b5ebe3db5ced73218b19673bda06c8f43af9483557465686f8e2771008

      SHA512

      8578bf3536a2448fe6d1324d7527bef3ec0107388983917fa90a38cc28253bc54b32e82eb15cfe92025f49220decfa7a4a7a6f176d6cb48bc351ce2e7fb6773d

    • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta

      Filesize

      25.0MB

      MD5

      2467a7200d90e7113b3aa306127051c8

      SHA1

      cbffd142af4789b8d0ad41320a273b7cd2e0e9af

      SHA256

      d36b274b79c3de29d511502b8d6d89e2339a4397baf804fb2df679c71bb33ea3

      SHA512

      ecb0dc5ee664626f5df3c1f82c7771dbec2b7edd1b83a70567c448cdacf603e2970085b06f383ab5114b62167d27d6a445267fbce4651815983e93d66f53b727