Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 11:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e.bin.dll
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e.bin.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e.bin.dll
-
Size
827KB
-
MD5
5b46d0066316816969848f1f04632ca2
-
SHA1
1aea30bf9e320d0a75e9b4e059eada88319b2b59
-
SHA256
38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e
-
SHA512
e37c0e7332202b3811e0ed476309206ed1812363ea775cbd30d2f4e4400a37b56d0d4d6aeb0c1fc6b1ddbe23a50a111f01c3c9498395a6f747c33cd06c3599af
-
SSDEEP
24576:N9ihT/zGeEfg/g0bmSZq1Fv7L4YiED8h:EGeEfgkSZq1FDkYiEgh
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\instructions_read_me.txt
Family
blackbasta
Ransom Note
ATTENTION!
Your network has been breached and all data was encrypted. Please contact us at:
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Login ID: 797393f4-70a6-4638-818f-f6e2f15f8d5e
*!* To access .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)
*!* To restore all your PCs and get your network working again, follow these instructions:
- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.
Please follow these simple rules to avoid data corruption:
- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption.
- Do not hire a recovery company. They can't decrypt without the key.
They also don't care about your business. They believe that they are
good negotiators, but it is not. They usually fail. So speak for yourself.
Waiting you in a chat.
URLs
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Blackbasta family
-
Renames multiple (6154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI rundll32.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099182.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF rundll32.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll rundll32.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143749.GIF rundll32.exe File opened for modification C:\Program Files\Java\jre7\bin\decora-sse.dll rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll rundll32.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_te.dll rundll32.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui rundll32.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ca.dll rundll32.exe File created C:\Program Files\Common Files\System\msadc\de-DE\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OutSyncPC.ico rundll32.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00247_.WMF rundll32.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\REFEDIT.DLL rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FiveRules.potx rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF rundll32.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png rundll32.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XIMAGE3B.DLL rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msaddsr.dll rundll32.exe File opened for modification C:\Program Files\Java\jre7\lib\ext\meta-index rundll32.exe File created C:\Program Files\VideoLAN\VLC\locale\pa\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102984.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153273.WMF rundll32.exe File opened for modification C:\Program Files\DVD Maker\fieldswitch.ax rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02388_.WMF rundll32.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF rundll32.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\WMPDMCCore.dll.mui rundll32.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF rundll32.exe File created C:\Program Files (x86)\Common Files\System\ado\fr-FR\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe rundll32.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe rundll32.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00683_.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF rundll32.exe File opened for modification C:\Program Files (x86)\Windows Mail\MSOERES.dll rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV rundll32.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WPULQT98.POC rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui rundll32.exe File opened for modification C:\Program Files\Windows Journal\es-ES\Journal.exe.mui rundll32.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6hb9bgo67\DefaultIcon rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6hb9bgo67 rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.6hb9bgo67\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30 PID 1792 wrote to memory of 2084 1792 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e.bin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e.bin.dll,#12⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5342c19c71aa6304a5610255144cf0a0c
SHA15a0b574c4f1f0996978d65a1ead197e1301163b2
SHA256a67de139250e2435c985b7214d10f38429d97b93ccf61f01cf93061c9178a9a0
SHA51213fd6c2de9e1b8fce83033f9f8a360f702de91ed5cbd11af41c59c22b9ed7b88e83a7632bb8d313ce056a5559df21f8ad79d7de0c74a5f619f02c237af5077a7