Analysis
max time kernel: 14s
max time network: 2s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2024, 11:58
Static task: static1

Behavioral task: behavioral1
Sample: ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Resource: win10v2004-20241007-en
General
Target: ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Size: 890KB
MD5: 890962e6b129a2fbd5d7c56fedc68f3f
SHA1: cae5a763110d1802385a537c5fd7cca5500a1811
SHA256: ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a
SHA512: 501c501029f2749e9ed787440934ecdd2808e8d707f07d65d7c4a6d3659cdd46200796501ef67ab35f98d4f315469e45ca20fa61212757662951b0cc60007a63
SSDEEP: 24576:weMarHAeGkDHFQ2M0Z9MuOQT7sh8/JLVjk:GeGwHF19MuOQchgJLVjk
Malware Config
Extracted
Path: C:\Program Files (x86)\instructions_read_me.txt
Family: blackbasta
URL: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures

Black Basta
A ransomware family targeting Windows and Linux (VMware ESXi) hosts, first seen in February 2022.

Blackbasta family

Deletes shadow copies (3 TTPs)
Ransomware deletes Volume Shadow Copies and other backups to inhibit system recovery. Here the sample runs vssadmin.exe delete shadows /all /quiet through cmd.exe (see Processes below).

Renames multiple (310) files with added filename extension
Appending the same extension to a large number of files is consistent with ransomware encrypting files across the system; the extension is most likely the .atzsknswj file class the sample registers (see Modifies registry class below).
Adds Run key to start application (2 TTPs, 1 IoC)
The value name "Skype" disguises a persistence entry that relaunches the sample from the user's Temp directory at every logon.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe" | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Drops file in Program Files directory (64 IoCs)
The sample writes its ransom note instructions_read_me.txt into application directories and opens existing files under Program Files for modification, consistent with in-place encryption. Process for every row: ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
description | ioc
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui
File created | C:\Program Files\Windows Defender\de-DE\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.ReaderWriter.dll
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\clrcompression.dll
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.QueryClient.winmd
File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBarTasks.winmd
File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Net.WebSockets.Client.dll
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\clrcompression.dll
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.Apps.People.BackgroundTasks.winmd
File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ComponentModel.DataAnnotations.dll
File opened for modification | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SpeedSelectionSlider.xbf
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Xbox.Foundation.Media.dll
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Processing.Ndi.Lib.UWP.x64.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\CircularProgressBar.xbf
File created | C:\Program Files (x86)\Windows Multimedia Platform\instructions_read_me.txt
File opened for modification | C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.dll
File opened for modification | C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui
File created | C:\Program Files (x86)\Windows Defender\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.IO.Compression.ZipFile.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui
File opened for modification | C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\omrautimm.dll
File created | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameList.bin
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onresim.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.VideoTk.dll
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt
File created | C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\e_sqlite3.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxBlockMap.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\avfilter-7_ms.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft_WebMediaExtensions.winmd
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt
File opened for modification | C:\Program Files\Java\jdk-1.8\jvisualvm.txt
File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Numerics.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\UtilitiesCpp.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\TimeControls.winmd
File opened for modification | C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
528 | vssadmin.exe
Modifies registry class (3 IoCs)
The sample registers a file class for its new extension .atzsknswj and points its DefaultIcon at an icon dropped in the user's Temp directory, so that encrypted files show a custom icon in Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.atzsknswj\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.atzsknswj\DefaultIcon | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.atzsknswj | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
3516 | NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
These privileges are enabled by the Volume Shadow Copy service (vssvc.exe) itself while it services the delete request, not by the sample.
description | pid | Process
Token: SeBackupPrivilege | 3616 | vssvc.exe
Token: SeRestorePrivilege | 3616 | vssvc.exe
Token: SeAuditPrivilege | 3616 | vssvc.exe
Suspicious use of WriteProcessMemory (5 IoCs)
The writes coincide with process creation along the chain sample (3608) -> cmd.exe (4664) -> vssadmin.exe (528) rather than injection into an unrelated process.
description | pid | Process | procid_target
PID 3608 wrote to memory of 4664 | 3608 | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe | 83
PID 3608 wrote to memory of 4664 | 3608 | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe | 83
PID 3608 wrote to memory of 4664 | 3608 | ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe | 83
PID 4664 wrote to memory of 528 | 4664 | cmd.exe | 85
PID 4664 wrote to memory of 528 | 4664 | cmd.exe | 85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a.bin.exe"
  PID: 3608
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
     PID: 4664
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     └─ C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        PID: 528
        - Interacts with shadow copies

Note: cmd.exe is launched from SysWOW64, so the sample runs as a 32-bit (WOW64) process; it uses the SysNative alias to reach the native 64-bit vssadmin.exe instead of the file-system-redirected SysWOW64 copy.

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3616
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\instructions_read_me.txt
  PID: 3516
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 56a82feafd277c12b2ebbc48a7d96b1b
SHA1: 89d37649c06e1979f31425b4e0def6f5f01f347a
SHA256: d790e19e8f2f0ac6ad9a69561a1d02348924e5f0b7c173213932347fc4e62218
SHA512: 80676d8565c540e14151424f9fe10c2a1893aa40c58f04c4609e8bfcb04ec3fb617b20db4b9a56060f1966b09d92f58d9ba0e6af9d48daab7b9bd3d3bf9dce8c