blackbasta | 1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80

Analysis

max time kernel
146s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.dll
Size

524KB
MD5

20d03f8272648fa3fd31e222b8e2220f
SHA1

ac20624e8aff3d4f9c42a8e2ddd493250e631f47
SHA256

1391c20a26f248f7c602f20096bf1886cfe7e4d151602a1258a9bbe7c02c1c80
SHA512

3bcfde35141671b4de022ae2423d020e53de35075c9a2c0a2dde45dc993364543af443dc97e6d3cc96c9a1d34533d6adb50c2495a23b5c4de97f64b3176ebd70
SSDEEP

12288:SwCt9ZABL6wADs7yjyYTW3nMxIg/NmGta1WeGcvc4OulNI:AHUADs+jVW3nMxIKMOa1Wpecule

Score

10^/10

blackbasta credential_access defense_evasion discovery execution impact ransomware stealer

Malware Config

Extracted

Path

C:\Recovery\readme.txt

Ransom Note

Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/ Your company id for log in: 41bdf082-8936-4e21-9f70-5446160a730f

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Blackbasta family
blackbasta
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (4404) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms	rundll32.exe
File created	C:\Program Files (x86)\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_de.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg	rundll32.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\readme.txt	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	rundll32.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcer.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3136	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5036	vssvc.exe
Token: SeRestorePrivilege	5036	vssvc.exe
Token: SeAuditPrivilege	5036	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1828	2232	rundll32.exe	83
PID 2232 wrote to memory of 1828	2232	rundll32.exe	83
PID 2232 wrote to memory of 1828	2232	rundll32.exe	83
PID 1828 wrote to memory of 3632	1828	rundll32.exe	85
PID 1828 wrote to memory of 3632	1828	rundll32.exe	85
PID 1828 wrote to memory of 3632	1828	rundll32.exe	85
PID 3632 wrote to memory of 3136	3632	cmd.exe	87
PID 3632 wrote to memory of 3136	3632	cmd.exe	87
PID 1828 wrote to memory of 2556	1828	rundll32.exe	91
PID 1828 wrote to memory of 2556	1828	rundll32.exe	91
PID 1828 wrote to memory of 2556	1828	rundll32.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\file.dll,#1
  2⤵
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\system32\vssadmin.exe
      C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact