Analysis

  • max time kernel: 66s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-02-2025 16:58

General

  • Target: file.exe
  • Size: 2.7MB
  • MD5: 80d8379fc7093ec9e24be089ea6fa448
  • SHA1: 7c2da0be48cdf30db35105d5c4fc7759a0c10bf9
  • SHA256: 0c964ac2f65f270eb19982b04ae346e72976bdf19b88ffd2308700dcce2b5ec0
  • SHA512: abb391bb1c0e909b98fd4eff90360a6490be2b8906190a58a653769d51bdd929d4dc2f5705149bc2782c0843632aa0f55cff652e91293e831c436d0928523f1f
  • SSDEEP: 12288:oyTgj6xwzXu9qvuRrzC2qWx8EsFeZ5I34lMKODiU56:2hu9qGFzC2qWx0eZ5ClbiUE

Malware Config

Extracted

Path: C:\ProgramData\readme.txt

Ransom Note:
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org)
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
Your company id for log in: eeded09d-2ac0-4e69-bf25-875cd524e744

URLs

https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi, first seen in February 2022.

  • Blackbasta family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (1545) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\vssadmin.exe
        C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2396
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C7A4A05EC185F50EDC86DC1503721799
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\readme.txt
    Filesize: 394B
    MD5: 48ed743eb5006456d1398ebcd0cf7242
    SHA1: 9a22bf236c17904be8fa08c3434bfad81fd112e2
    SHA256: 05890bd6d236d0ceaf64e43bedbdd4bbe17c620e9241d940a0c9430656f1f17e
    SHA512: 560759ee35bd1f49cc2dd1bb843a5a690a812e24fa28ba38008e1ee31e8fb53684ca23314d80bea74fc1a437c035d3f65d7827f7fec19fa2b562a908cc271d10

  • C:\Users\Public\Music\Sample Music\Kalimba.mp3.basta
    Filesize: 8.0MB
    MD5: e6b8a881811c1e95c350df57193a025f
    SHA1: 350ac4917aace8292ffc8b2f3a088fd8f02dd167
    SHA256: a36fa1dc0516ac45312b1ec8cfe6bc258eb9b600f018aceafc67a7b82e583bf1
    SHA512: a7b35bb1a7660bfc4050fb4cbabac2af29dea18710ec38c164032aad427b77cec492e3ad06499fd7f91d71d14689f20274c2acfe4286c793560d984f49f126f6

  • C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.basta
    Filesize: 3.9MB
    MD5: 72b2cae2d522da1ba23c10cc7ac60eca
    SHA1: 1afb77c120e2ecc6aa84c7141d585f2c7f2f5f08
    SHA256: 015c3c4fefd995b29738e0c8ba76536babf5b20ed1fd0988fabab130e5e602ce
    SHA512: 6b0c064f1c3913faebacedbd3649ba30b83d5d4a0e0d72623d390e9f4da29081fd8cf705cdc26d2cd4416bbf94f0e95b6ce36a8085b6e1b5a81ebb1594d54040

  • C:\Users\Public\Music\Sample Music\Sleep Away.mp3.basta
    Filesize: 4.6MB
    MD5: 053107b95194d9e389255f77b1a4db9f
    SHA1: 722fdc3b9fed9786b681caf09e6912f5bfc9fabb
    SHA256: e9c850391342aed4fa819e79b7047c3fb8400e1ff448d2fbe9c87c8c2030627f
    SHA512: 950b2942f91e96fab9224c573ff38bc504d4f584bc4de29164bd0c14ccc74f4c02a41c1e13e2a05047935e1e2217933f5f0a8e49b5c4eb355ac10af19daf44d6

  • C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.basta
    Filesize: 859KB
    MD5: 18e0f12200e7f676a8b353f6ada57ff7
    SHA1: 67c57e590ebffab4bb56c8d646c4595490b16520
    SHA256: 77ee41ce2409e5ef81fdec8e610d00e0703228dbe70e4e02382a7655c630d884
    SHA512: cb9ac85ed5a1d7b126438055dd629922dec0eb444e3b1c925aebe0f9f11879d2830d244c8a857a54f3314c5ad7258cbb3111b499a2c6316dbc10eab5132e3b5f

  • C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.basta
    Filesize: 826KB
    MD5: 5debe37a9c16fa741f36d22b59035cfa
    SHA1: a9afdeb1a80d09ad82c223d40a9dccef290e9926
    SHA256: 706064eed0c585ab103ca89476416ac10aba8de3e0bac4c25d534cbf7c9b4e4e
    SHA512: 52a97e3eea6dd8a9dc8ce10535bad1db45c43a581c7e0d0ef5819edb2d537713ef146e7caa757af062d275d428b951a481e425a7de383b816cc70959f911b84c

  • C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.basta
    Filesize: 581KB
    MD5: 0a142298f69c79b0156bddddee9fc1ec
    SHA1: 9590bba8118bb145e0f62857b7532b9965e4b4d5
    SHA256: d16cad1d8ed4c94597c794c07cfe786cd7d6077ee38294692a6c897cee938d2e
    SHA512: 8142ff9c0e08e1edad0721650209498b8d4271e8523d95077a191605a4e5cba7f1e45d238b8d038d8b55d3d24ae8faf8287fbd3995ec58b4458c089c1b71040c

  • C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.basta
    Filesize: 758KB
    MD5: 6c2f8cddd882722861acb558aeffd358
    SHA1: 7f633f16cd52579a3c273572ba894edac896e58c
    SHA256: e769698ee2101f5295caa9cea98de70c115e337659aec691289ba18cb5037e7e
    SHA512: a350a23e689f07190fa5d4887544b8289c75534e1a58111da22f1e8e6eaa265174270a1b75a6b84ed0c8ddd42baac4a2e1c4ad6087d6ea1de703839b113ecf74

  • C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.basta
    Filesize: 763KB
    MD5: 88e80d48c3918d9ed648b0cb3834e4c7
    SHA1: 646046d7b12ad2cdc7308c989f6546cc8d9ff6ff
    SHA256: b43c10597ca498d06206e49b46c6dab771ca95a4252eb36ad720ca041df5fc79
    SHA512: 4f0d623e67cc829788ffc9bc8df2692a9901afeb4426bcc6d4a91baba1f5b0db48e52f84f6440311d126efe311e74a0b081064ed1fae1918b204d324b3a6a668

  • C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.basta
    Filesize: 548KB
    MD5: fc2d2af0b5e79ddfc3c74cb9ceae6f4f
    SHA1: c64c1d627b592b2d7332208e97cb8c3c54823eff
    SHA256: 5bae0597dc84a413919c08d1b861c764c80ec952919da983be6e9573e547a05f
    SHA512: b32921e378b2b9b77ec454621b8f5edfb4cc6bec594f677bcd61723add9f6d7e38e169b090976811822f53f2f530459034aaf8b48c9cc744e28bce4674bfff62

  • C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.basta
    Filesize: 760KB
    MD5: 79a70a62ac986d773ec82958917e89bf
    SHA1: f8037c13995ee0e631eb20691a816a3b0023426f
    SHA256: 0d77d3e14d688a0693b3cb3fc75e0ce65671cee2a0e63e178b16db3ebc62ed2b
    SHA512: e7b97641938e17a23bae767f9726d39b1e327bb268ae2a72c8e20c61d5b205e73c7cdac8d39b5a42c0f93762f0a5a5c93fe41a9131a822b8472816632e2222e3

  • C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.basta
    Filesize: 606KB
    MD5: e51e20d54f808ff5f8abd10f23f23875
    SHA1: 506ebd1996bdf1cefd836e46eb93fd84534a3cb8
    SHA256: f1b285e3bad2822ac414c2667ed34650328224c5ed80620f93457ac26f79e5e2
    SHA512: 6ea556c680b574cb1a2fa312607eb2de39a7ab2bc043869d9f22e5df2e00f57e52cde0bd75a241d2d7d6510a74d762a0a02577f0467eed3eec9629bb7878ad91

  • C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.basta
    Filesize: 15.8MB
    MD5: 7a2ae7f4a0e59011482af149707747b2
    SHA1: f61e6bd319a25d8a9f207de29bb8f87d317c298d
    SHA256: 6f53244c17757132a0ceb98889064f5c897eae98a10ab8b4b88730bed2b6f2c9
    SHA512: 6b42b13fd9be107a49e14a3f71e3fad979abc9be6bd6fccc08c30829c7357832eaa513644e0c252d89de657d04c06301896750b1405eb11f3de5c8427199735b

  • \Windows\Installer\MSI6E5D.tmp
    Filesize: 257KB
    MD5: d1f5ce6b23351677e54a245f46a9f8d2
    SHA1: 0d5c6749401248284767f16df92b726e727718ca
    SHA256: 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
    SHA512: 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

  • \Windows\Installer\MSIE90C.tmp
    Filesize: 28KB
    MD5: 85221b3bcba8dbe4b4a46581aa49f760
    SHA1: 746645c92594bfc739f77812d67cfd85f4b92474
    SHA256: f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
    SHA512: 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

  • \Windows\Installer\MSIF9DA.tmp
    Filesize: 363KB
    MD5: 4a843a97ae51c310b573a02ffd2a0e8e
    SHA1: 063fa914ccb07249123c0d5f4595935487635b20
    SHA256: 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
    SHA512: 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2