Overview

overview

10

Static

static

3

solara.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    solara.exe

  • Size

    5.0MB

  • Sample

    250223-b56gmstlgt

  • MD5

    490c2bb3790ac4202ab4ba700e2058a7

  • SHA1

    25de62792ba828dab9e74edf121bdf8e8ff0f0f2

  • SHA256

    d1a7c1e5ecdc4376b07913434048d2625def43e46504715a7a6600505319ad51

  • SHA512

    59fecb83e64abdc5da339cb1506832418ccf99d5c0bf5c46e2359b7f4674381784e3d621df0bebc107e17d728c8ec6ba672f5e5e88a7183c562541bb7a56d1bf

  • SSDEEP

    98304:FtNUK2yL5IrA3ocpcRDL+O14UndAtax4bmtQHgNByxuq4aX7lvECX+e0+Y:FzU5yt53oUIX+ggtax4bKQHgN/arpE4+

Score
10/10
blackbastabootkitdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\instructions_read_me.txt

Family

blackbasta

Ransom Note
ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 7ab0444a-f73c-4ab0-b3a9-4c2ead84ecf1 *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.
URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Targets

    • Target

      solara.exe

    • Size

      5.0MB

    • MD5

      490c2bb3790ac4202ab4ba700e2058a7

    • SHA1

      25de62792ba828dab9e74edf121bdf8e8ff0f0f2

    • SHA256

      d1a7c1e5ecdc4376b07913434048d2625def43e46504715a7a6600505319ad51

    • SHA512

      59fecb83e64abdc5da339cb1506832418ccf99d5c0bf5c46e2359b7f4674381784e3d621df0bebc107e17d728c8ec6ba672f5e5e88a7183c562541bb7a56d1bf

    • SSDEEP

      98304:FtNUK2yL5IrA3ocpcRDL+O14UndAtax4bmtQHgNByxuq4aX7lvECX+e0+Y:FzU5yt53oUIX+ggtax4bKQHgN/arpE4+

    Score
    10/10
    blackbastabootkitdefense_evasiondiscoveryexecutionimpactpersistenceransomware

    • Black Basta

      A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

      ransomwareblackbasta

    • Blackbasta family

      blackbasta

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks