blackbasta | b8463c09f968d938c4722febb7342f2e9babc2deba004f0945892ad297214b31

Analysis

max time kernel
145s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

basta/start.bat
Size

33B
MD5

34eee3ee267d4f5e0ec60e5ad8fac9e1
SHA1

d522e7e32849c1bc5e6f7665aa59e642f8fdcda0
SHA256

9eebdef38366ca977bf24574af2c996ccfb19ace6f317bf52c91aacaebe1a090
SHA512

6587491e3d725e8fad82ef3b9b915694cf54227d37d3be735f71a67c1710969c68ced5b9baf5cd877baf6d54312b386c077ed691ec769d4f74acb054a8967b93

Score

10^/10

blackbasta ransomware

Malware Config

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 3dd718a3-db04-485f-b882-250349c8a4de *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Blackbasta family
blackbasta
Renames multiple (1652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\j2pcsc.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_iw.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL	rundll32.exe
File created	C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DLGSETP.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL	rundll32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01545_.WMF	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	rundll32.exe
File created	C:\Program Files (x86)\Common Files\System\MSMAPI\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sl.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado21.tlb	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sbdrop.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMSMDB32.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui	rundll32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\instructions_read_me.txt	rundll32.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\PingExpand.rle	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\nio.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\msoeres.dll.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\WinMail.exe.mui	rundll32.exe
File created	C:\Program Files\Common Files\System\msadc\instructions_read_me.txt	rundll32.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\instructions_read_me.txt	rundll32.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\instructions_read_me.txt	rundll32.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\settings.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	rundll32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7wdojib58	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7wdojib58\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7wdojib58\DefaultIcon	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2744	1656	cmd.exe	30
PID 1656 wrote to memory of 2744	1656	cmd.exe	30
PID 1656 wrote to memory of 2744	1656	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\basta\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\rundll32.exe
  rundll32 basta.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\instructions_read_me.txt

Filesize
1KB

MD5
4ba06d41a13bc5f4ddc71cf6a48cf231

SHA1
d83c4640b36339549130fcb008c6f5c8a6d67676

SHA256
8e29eb9f02be51cbdc99f8ec9b90fb29f47806f9ca804590de548d5e06f47db5

SHA512
9fe3e0546ece1c74b2b3f188fafb024309bb1048ce997c334a6fed9b9638f11aa0dc99784546241fc28893b207a239ed21f8189a51bd801bc65334bd082da88c

Download Submit