Overview

overview

10

Static

static

3

ad04b4b8eb...in.exe

windows7-x64

10

ad04b4b8eb...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    2s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2024, 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe

  • Size

    890KB

  • MD5

    890962e6b129a2fbd5d7c56fedc68f3f

  • SHA1

    cae5a763110d1802385a537c5fd7cca5500a1811

  • SHA256

    ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a

  • SHA512

    501c501029f2749e9ed787440934ecdd2808e8d707f07d65d7c4a6d3659cdd46200796501ef67ab35f98d4f315469e45ca20fa61212757662951b0cc60007a63

  • SSDEEP

    24576:weMarHAeGkDHFQ2M0Z9MuOQT7sh8/JLVjk:GeGwHF19MuOQchgJLVjk

Score
10/10
blackbastadefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\instructions_read_me.txt

Family

blackbasta

Ransom Note
ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 51095f05-2bb8-4b46-9d85-83610c65bdc2 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.
URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

    ransomwareblackbasta
  • Blackbasta family
    blackbasta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3616
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\instructions_read_me.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\instructions_read_me.txt
    Filesize

    1KB

    MD5

    56a82feafd277c12b2ebbc48a7d96b1b

    SHA1

    89d37649c06e1979f31425b4e0def6f5f01f347a

    SHA256

    d790e19e8f2f0ac6ad9a69561a1d02348924e5f0b7c173213932347fc4e62218

    SHA512

    80676d8565c540e14151424f9fe10c2a1893aa40c58f04c4609e8bfcb04ec3fb617b20db4b9a56060f1966b09d92f58d9ba0e6af9d48daab7b9bd3d3bf9dce8c

    Download Submit