Analysis
-
max time kernel
114s -
max time network
132s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
21-12-2024 15:17
General
-
Target
b.zip
-
Size
446KB
-
MD5
985b24da5760a2acb663944336ac96fa
-
SHA1
5750ff42866f4ebf885c4eba2d346e656c19b1d0
-
SHA256
b8463c09f968d938c4722febb7342f2e9babc2deba004f0945892ad297214b31
-
SHA512
b1c1248390de5c847033fe3b098bfe257c296add90ad0ec2d885ccc7545ee9799e0cbf6e48402b87d361070af1c71ee13c0e90900f2679f99c2ba17cd4ea7009
-
SSDEEP
12288:boutuJQIn872o78fwwHqo5C8nDDCLu/ou7I0ngv0Y:bhsJQo87QfUo5CkDOLr8bBY
Malware Config
Extracted
C:\Program Files (x86)\instructions_read_me.txt
blackbasta
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Blackbasta family
-
Renames multiple (3444) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Modifies registry class 4 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\b.zip"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\basta\start.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 basta.dll,#12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\instructions_read_me.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54ba06d41a13bc5f4ddc71cf6a48cf231
SHA1d83c4640b36339549130fcb008c6f5c8a6d67676
SHA2568e29eb9f02be51cbdc99f8ec9b90fb29f47806f9ca804590de548d5e06f47db5
SHA5129fe3e0546ece1c74b2b3f188fafb024309bb1048ce997c334a6fed9b9638f11aa0dc99784546241fc28893b207a239ed21f8189a51bd801bc65334bd082da88c
-
Filesize
1023KB
MD508378cd36fdbf69dba24d14393ad564d
SHA1c698e08ff114499e9fecf39fcbf23f652f1cdad8
SHA256764b1117262d33f0a69b4f4c72fad607b7c71c262f60b9b2b35a21e7f4967786
SHA512ef831fc12ad4831e180c9e5e9babbf1a2d8675a918992fc6f5306447b30e12de63e5034124e31a2d9517db4322e7aaf4a01cecf3239f2c6f6d459358849ef197
-
Filesize
97KB
MD5891e3c7a06345ebab055018e8e1db4cd
SHA1dea5c9a337fbf317a86950379b13390ad5db8276
SHA2566f9e46f3296724de2d0a3770ed515aef04b7cb05e7c327108b404db110d6b1ad
SHA512fef7e6387dacff36f720149811559c5f4bf637ceebf02263a792d319e0428670d8ec3aabfd0174b47f1d5605289fd0285ee1466d47ec2e338181a5dc9bfcabfc
-
Filesize
97KB
MD5d1aeba7da7bfd4a4cf48c6ca8157bac4
SHA1fa63cc0f362fea62f8247013d5faf5f432134297
SHA2563a2aada6f0b6cdc0642c11129d67e409b0b77583eec1b04ae8e365046acd47bf
SHA5124c6ee02f19a7320d156a5cd5f18281cc45f1874c1694c8d89c8620d9b1237ba94bbdee73da361699ba97645ebd42729a6ac8d62bcc53481ad8a0bcb55eb4eb1f
-
Filesize
33B
MD534eee3ee267d4f5e0ec60e5ad8fac9e1
SHA1d522e7e32849c1bc5e6f7665aa59e642f8fdcda0
SHA2569eebdef38366ca977bf24574af2c996ccfb19ace6f317bf52c91aacaebe1a090
SHA5126587491e3d725e8fad82ef3b9b915694cf54227d37d3be735f71a67c1710969c68ced5b9baf5cd877baf6d54312b386c077ed691ec769d4f74acb054a8967b93
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB