blackbasta | 2a94525ad06751b4795f47254c22469ee60ed473b3bf193f6d2ffd704c6d4bd4

Analysis

max time kernel
58s
max time network
4s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
Size

649KB
MD5

90e69700399e2b75d7e09b84185640c7
SHA1

cce479af71b73f1d0c5226b87894aeb5c24aeed2
SHA256

15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739
SHA512

5bdcecad4af71631278e7d00fd9056a6b62be6212e7f7e00d75e08207ca41fbe3e075ca0699cc963039deb5190225bde16a5522b5ca6c7d943e3b5df80750ceb
SSDEEP

12288:4ofNGhJvRjVUWEFvScnf316z/OF/NqDxf4qLO1BhwTkwJcqea4VOF:4ofNGhJvRJGf3oJ9f4qLqBhsJveg

Score

10^/10

blackbasta persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\instructions_read_me.txt

Family

blackbasta

Ransom Note

Hello! If you are reading this, it means we have encrypted your data and took your files. DO NOT PANIC! Yes, this is bad news, but we will have a good ones as well. YES, this is entirely fixable! Our name is BlackBasta Syndicate, and we are the largest, most advanced, and most prolific organized group currently existing. We are the ultimate cyber tradecraft with a credential record of taking down the most advanced, high-profile, and defended companies one can ever imagine. You can Google us later; what you need to know now is that we are business people just like you. We have your data and encrypted your files, but in less than an hour, we can put things back on track: if you pay for our recovery services, you get a decryptor, the data will be deleted from all of our systems and returned to you, and we will give you a security report explaining how we got you. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login: 94351e51-1b7a-4b52-8170-a8c42c418cac This is a link to a secure chat. We will talk there. Inside that chat, we will share a second designated link that only your special team will be able to see. For now, think about the following. This incident hits your network and is stopping you from operating properly. The sooner you get back on track, the better it is. See you in the secure chat.

URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Blackbasta family
blackbasta
Renames multiple (1807) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Local\\Temp\\15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe"	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\oeimport.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPOLK.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java_crw_demo.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdbgui.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00932_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files (x86)\Reference Assemblies\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunec.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00154_.GIF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\REVERSE.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\ImagingDevices.exe.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\Sidebar.exe.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00171_.GIF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSClientManifest.man	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpnr.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado25.tlb	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SENDTO.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Java\jre7\bin\wsdetect.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files\Windows Defender\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPDMCCore.dll.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\msoeres.dll.mui	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\instructions_read_me.txt	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kg0l3jigq\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kg0l3jigq\DefaultIcon	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kg0l3jigq	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2336	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
2336	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1840	2336	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe	31
PID 2336 wrote to memory of 1840	2336	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe	31
PID 2336 wrote to memory of 1840	2336	15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe	31

C:\Users\Admin\AppData\Local\Temp\15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe
"C:\Users\Admin\AppData\Local\Temp\15d891d682d73514401f65f0bd769d27f777462c31c7815e1a0fe119a41ea739.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\instructions_read_me.txt

Filesize
1KB

MD5
474f9f8e33d15810aeae38d13b7022f2

SHA1
855c8e02a569de0af43349ebf8709f9085f7e1a4

SHA256
a2d05305ced99c19bcf8ee2b9bf0de7436738efa4c5113a1fba4157ab3360c66

SHA512
5aea1d996d13359c8a9b17c5c2b43e3443daed6d66774dbc3cfe6324b17dee74725df67c92b5e97c98a3c2b9a0e4a014f6eec7e028ae60c7daed9c53883f923a

Download Submit