Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    05-02-2025 16:58

General

  • Target

    file.dll

  • Size

    524KB

  • MD5

    20d03f8272648fa3fd31e222b8e2220f

  • SHA1

    ac20624e8aff3d4f9c42a8e2ddd493250e631f47

  • SHA256

    1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80

  • SHA512

    3bcfde35141671b4de022ae2423d020e53de35075c9a2c0a2dde45dc993364543af443dc97e6d3cc96c9a1d34533d6adb50c2495a23b5c4de97f64b3176ebd70

  • SSDEEP

    12288:SwCt9ZABL6wADs7yjyYTW3nMxIg/NmGta1WeGcvc4OulNI:AHUADs+jVW3nMxIKMOa1Wpecule

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Ransom Note

Your data are stolen and encrypted.
The data will be published on TOR website if you do not pay the ransom.
You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your company id for log in: 41bdf082-8936-4e21-9f70-5446160a730f

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

  • Blackbasta family
  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (9699) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager (1 TTP)

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Drops desktop.ini file(s) (1 IoC)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Browser Information Discovery (1 TTP)

    Enumerate browser information.

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies (3 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
      2⤵
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\vssadmin.exe
          C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2688

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\readme.txt

    Filesize

    394B


  • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta

    Filesize

    8.0MB


  • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta

    Filesize

    3.9MB


  • C:\Users\Public\Music\Sample Music\Sleep Away.mp3.basta

    Filesize

    4.6MB


  • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta

    Filesize

    859KB


  • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta

    Filesize

    826KB


  • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta

    Filesize

    581KB


  • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta

    Filesize

    758KB


  • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta

    Filesize

    763KB


  • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta

    Filesize

    548KB


  • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta

    Filesize

    760KB


  • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta

    Filesize

    606KB


  • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta

    Filesize

    25.0MB
