Analysis
-
max time kernel
8s -
max time network
7s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 12:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1.bin.dll
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1.bin.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1.bin.dll
-
Size
1023KB
-
MD5
d231f7e053b711e99a40c1070992064f
-
SHA1
2a59f88f51fbe966382e2b82b22bdd6981240cb7
-
SHA256
bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1
-
SHA512
d4778c696c87ad918e798413bf4ab535cbed6ffaf411635b3ee86b8be48e3fc1c35ae78f1514ce015ea56527cccd679a1cdaa2498514891f16b045e022fb3c7d
-
SSDEEP
12288:XlouFyOk1C+SWYgeWYg955/155/sxw5USG2eaumYIhg8/X1lBYK4o1TpzkBmbzyu:XlouFyOkY+lYKDyKIRQboJXhKTnVrf
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\instructions_read_me.txt
Family
blackbasta
Ransom Note
ATTENTION!
Your network has been breached and all data was encrypted. Please contact us at:
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Login ID: 5e80b250-815a-4062-8ac0-3ef4881feb08
*!* To access .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)
*!* To restore all your PCs and get your network working again, follow these instructions:
- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.
Please follow these simple rules to avoid data corruption:
- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption.
- Do not hire a recovery company. They can't decrypt without the key.
They also don't care about your business. They believe that they are
good negotiators, but it is not. They usually fail. So speak for yourself.
Waiting you in a chat.
URLs
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Blackbasta family
-
Renames multiple (294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui rundll32.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Photos.Viewer.Plugins.Native.dll rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Parallel.dll rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\libvlccore.dll rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AdaptiveCards.Rendering.Uwp.dll rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AudienceNetwork.winmd rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml rundll32.exe File created C:\Program Files\Internet Explorer\instructions_read_me.txt rundll32.exe File created C:\Program Files\Windows Photo Viewer\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\ThirdPartyNotices.txt rundll32.exe File created C:\Program Files\Windows Media Player\es-ES\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxManifest.xml rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Inbox.winmd rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\logo.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\xboxservices.config rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll rundll32.exe File opened for modification C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui rundll32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\richedim.dll rundll32.exe File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Linq.Expressions.dll rundll32.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml rundll32.exe File created C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt rundll32.exe File created C:\Program Files\Uninstall Information\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppSettingsCppCX.dll rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\resources.pri rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Diagnostics.Tools.dll rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.dll rundll32.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\instructions_read_me.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt rundll32.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt rundll32.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxSignature.p7x rundll32.exe File opened for modification C:\Program Files\InstallDismount.xlsb rundll32.exe File created C:\Program Files\Microsoft Office\instructions_read_me.txt rundll32.exe -
Modifies registry class 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.2bcqxjztt\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2bcqxjztt\DefaultIcon rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2bcqxjztt rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2288 NOTEPAD.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1.bin.dll,#11⤵
- Drops file in Program Files directory
- Modifies registry class
PID:4856
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\instructions_read_me.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2288
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50183004b53b0e8e81c0e2a177e7387a5
SHA12b5e4d8a4e2f84747331698f03533b5ce0e5e92a
SHA25677d2e21055427e33d3cc39d22d75d6744ae44a69057d75430703797309eb655c
SHA5121d28dbd5424560be1f7a6f6a9d703597b829c9de7af34c4a90efa70c32955af3cc46619819ef2fd34b9e1cc83cce1df179b42eae1c8f2bfb1d3ff8400131ff3c