6d63f87c804c21583c292e68471c7ddd97734960615eb515369e3a44ec775864

Analysis

max time kernel
103s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe
Size

18.6MB
MD5

642f571f3290eb6f7340f708654623ce
SHA1

486c5c01c61d1588a273f00976b12e85c7804d79
SHA256

6d63f87c804c21583c292e68471c7ddd97734960615eb515369e3a44ec775864
SHA512

3b352f616a7df689ecc53ef6762acb9c80db60adb87b78b785c1b10a96c670c993eeaa851a1e3c15d3324b4ae64c78ab22fcd9353c47f83c3316bb640d5926c4
SSDEEP

393216:EvrUXNi5ShR4uwohGaMntuZ/lZ0y8sfBIfNCLxKg5wQ2z7hR99gzaZf2Mf/g:EvrUXN8Q2eQa/nbLpIfIxKgaz7j9SaJ4

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Nitro Generator 2020.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	Nitro Generator 2020.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe	Nitro Generator 2020.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe	Nitro Generator 2020.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	Nitro Generator 2020.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	Nitro Generator 2020.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	Nitro Generator 2020.exe

Executes dropped EXE 7 IoCs

pid	Process
3944	Nitro Generator 2020.exe
1952	99de8c6a-6374-4508-bd2f-b4ea64131e73.exe
5472	Nitro Generator 2020.exe
4744	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
1096	Bypass.exe
5512	Defender.exe

Loads dropped DLL 20 IoCs

pid	Process
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
5472	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe
4680	Nitro Generator 2020.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	discord.com
33	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	icanhazip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1096	Bypass.exe
1096	Bypass.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000700000002430b-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99de8c6a-6374-4508-bd2f-b4ea64131e73.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 35	5472	Nitro Generator 2020.exe
Token: 35	4680	Nitro Generator 2020.exe
Token: SeDebugPrivilege	1952	99de8c6a-6374-4508-bd2f-b4ea64131e73.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3944	868	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe	88
PID 868 wrote to memory of 3944	868	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe	88
PID 868 wrote to memory of 1952	868	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe	90
PID 868 wrote to memory of 1952	868	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe	90
PID 868 wrote to memory of 1952	868	2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe	90
PID 3944 wrote to memory of 5472	3944	Nitro Generator 2020.exe	92
PID 3944 wrote to memory of 5472	3944	Nitro Generator 2020.exe	92
PID 5472 wrote to memory of 4744	5472	Nitro Generator 2020.exe	93
PID 5472 wrote to memory of 4744	5472	Nitro Generator 2020.exe	93
PID 4744 wrote to memory of 4680	4744	Nitro Generator 2020.exe	98
PID 4744 wrote to memory of 4680	4744	Nitro Generator 2020.exe	98
PID 4680 wrote to memory of 1096	4680	Nitro Generator 2020.exe	99
PID 4680 wrote to memory of 1096	4680	Nitro Generator 2020.exe	99
PID 1096 wrote to memory of 5512	1096	Bypass.exe	101
PID 1096 wrote to memory of 5512	1096	Bypass.exe	101
PID 1096 wrote to memory of 5512	1096	Bypass.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_642f571f3290eb6f7340f708654623ce_black-basta.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe
  "C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe
    "C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5472
  - - C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe
      "C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe" C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe asadmin
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe
        
        "C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe" C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe asadmin
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5512
- C:\Users\Admin\AppData\Roaming\99de8c6a-6374-4508-bd2f-b4ea64131e73.exe
  "C:\Users\Admin\AppData\Roaming\99de8c6a-6374-4508-bd2f-b4ea64131e73.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\Startup.exe.manifest

Filesize
1KB

MD5
bbb05f741e8ebaeaec6f5f2aa7d6e07c

SHA1
06a2e93657905d71eca6dd5720b9d953bbb0667e

SHA256
1386464fc421e3958e51a4b121bbe186afcb0b99e334175bc5127e09b08e0400

SHA512
10d6ca493be3b38fb48b5e5379d352e9604c9094f717498838ccbb1578d2d10a4337c8f95defa4517da952e390a2d3291bcdab7393ceebbb4ab2953d02df2473

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_bz2.pyd

Filesize
87KB

MD5
f8770b9ea04aeb0b98eb1fab2a1bde84

SHA1
7ac83db9bbc35231e917d522e1140bbacb855aa1

SHA256
18e66c3a2104da1c338c40d7e249382f054e1e76e5a85e481d13052fd62c6cd9

SHA512
7803517b89bfdc027691e495be089466f3aa80bb1efb770ec4619740b9f30ece28ca8bc2d8efabdafbf04fae68a3e24fffa7b4c5e91e3a0a07b1909065ce3924

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_hashlib.pyd

Filesize
38KB

MD5
7391051923fee611c474fcfbf3f7f548

SHA1
5f284a87c18900515606a952bf2476e0c42066ad

SHA256
02753c507c95d2d434fa6499cfd6390ec98bffac6799d664148297334ea25575

SHA512
a3567bad9dc165af0359076f13ba1d0da68c9105e6555589a433a74644eebd082ce508d444a701d2a89910ed2a09adeff15f144f43075174f77ccb29ce8d4ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_lzma.pyd

Filesize
251KB

MD5
e5fa638b1374685dbaf5beb12f67d71a

SHA1
1a7d171f66e88da4686f51d25094d85f2dd1577f

SHA256
d58fc7163b58d96a7718733dec3562eb998a17100982bf7453782d01ca27ffd9

SHA512
be71f7050834c631ee12e32f78542156e09f8dfb6b8aa425db9a7267b45175caceb56805db382d85cff80ea9633bcc2c52ac7175cdd33a85002458650c399812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\base_library.zip

Filesize
767KB

MD5
6241f8903bbda113d9a9ae741f424299

SHA1
cc5bbe7a03e9a5a68166cce83492e6c7485b02ed

SHA256
05b80290f9a95c44bcae6a385f4d2b085864035b917784e235e0e7312e62aca3

SHA512
f8e09834c65f9784d94d4ded165c8f51d2c5c70159f588aa65fb2b332dcb69d3746a516b0973390cfca4ac2a3d7ba1fe12c2beb3e2df5c424ce24ff28f29227d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
925b0753ee5a1ffafe647f988683b0a2

SHA1
7f1862d04c8c8d7c69f9865b462f0e995e25aab5

SHA256
95e3e9a86da6de563340b419962fc05f59038f32924b79d59e121bdd5e260a3a

SHA512
1e06e5d0177789175fb3f9bcac5a85a8caf1cc1609797ef823a56f420a01904b4cde240aabe0df42c57a0f3f6c69385f16539f01cf54632bd2894cd56f956bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\python37.dll

Filesize
3.6MB

MD5
5d8c22938d89077f64537a9d09cf6fd5

SHA1
15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4

SHA256
8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69

SHA512
dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\pythoncom37.dll

Filesize
541KB

MD5
b691d4343a65c45e03c00a9029f7b7f9

SHA1
cf592072646988abbaf19a6ba54ba95aebce9c18

SHA256
5470beb85cf49b448aca2fa27579156f8daa39695a8aca43dbc48f1ce94114e0

SHA512
190101a3eb6673440a0b1b3b271af26286beff9bca2fe3a659f79aaeb26863ee90cccbd1f58960d6e6a98a3acb0e08682dddf47b6544dc647dcb8c34aa37f632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\pywintypes37.dll

Filesize
135KB

MD5
b0311d2d5b68b5cb4c2f0ef6ce979515

SHA1
ea0c07ee8e02480874edd3dc4e83639cb3af7cff

SHA256
5062e390147cafffa49fc8cde73a4b2202d5bf3d96be9e90da5d13ccd47a378c

SHA512
63614e0d1f28a65560500714d87d55fdabffccb34d7a4e51fa85a77b284f282e3f2c6f038e83afe58252b848097b39d4e8bbff26737e8e93733ebb2f9b84b41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\win32api.pyd

Filesize
129KB

MD5
d7bbe61c16e5ddca921067da7f1a0c3f

SHA1
1d5489ede516b64fa7aefd5448c4e22db2225a24

SHA256
4a3baf28066c641fcd86c963b33981af4299e407d8c462f5b2e85e85e108b37c

SHA512
cc7d2bdc8a71e71b57cc3c30e14b9c6ccf06d278acaea07cce59d102f3d8be8dd5179edb116df667f562fd0220818d63c92d6b15bdb530d4501b44089cf08791

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39442\win32com\shell\shell.pyd

Filesize
513KB

MD5
240f0f72b6de9d93906c56a07c45af4b

SHA1
e290bdb379e7cd0506e609753285a8c78413cd42

SHA256
543f27d5dbdc3a83342d8f1fee85932bb75e3ff160bc1f4f31f955db4a20a933

SHA512
a166800e5c0541fa48c01ec171533d98f8d28e2f26dadd1a389984677f21bf3cf5d5d34558e3b7a5a26e5ded3694c0a3a33c7a7f79291d6cd11259b1c44bf245

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47442\Bypass.exe

Filesize
3.4MB

MD5
78cc9696e350e5a0ae2398ca5f49ae9d

SHA1
bfd6387cc984bb8e07933894591044df1bb9fcc8

SHA256
149a242df5e2b74a45710be05cbc73ed3bb00fbb7859bd811fa161ec23ea862e

SHA512
909a469aaa04a2ec40f9ad774916fc6b757ae10a2f7a606bb8966cf56c93ff91d62a3a86e8544397276f16d9f9e53bf5ea8f2c267cd71c96b96df467352fb01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47442\Microsoft Edge.exe

Filesize
6.6MB

MD5
b8da3374cf325a6c6aaafe05462c890b

SHA1
be4a295de469b6707e24a3257ac79dccccd63ac9

SHA256
2b61a6c0c9fe5143a336a8584176031af0d9eb02c9164c888b0cf78083d6af83

SHA512
57c07a3aa27386cb88e284f2fdec4810f0c7d0c5bc45883c0ffb6f2bc4fab9df927246a8cf20b17e0e81a6be9ace6cde4ea0a7386f13e2f5122806d9b467c3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47442\Process.exe

Filesize
5KB

MD5
1e018965ce02ee403612abcd35aebfbc

SHA1
01a6fccfdd472d34cc7a3572a3144e85d6a92efa

SHA256
9d10dfb37692719201babe784364cf0620411145c0483aaf073272ca8e0e81c3

SHA512
7ccf5542aabcb94f5218bbd2319d7ba9b54f90ac39cc042a5c2255efeb15afa79f30bc42723c93a3df667dbc186f6eeb12ea2244947fd54aec1f9ccf1107063e

Download Submit
C:\Users\Admin\AppData\Roaming\99de8c6a-6374-4508-bd2f-b4ea64131e73.exe

Filesize
6KB

MD5
2927214ed99769acdabf14b3c02a302d

SHA1
ea0495992c64acc462e7c0b794c56ce26d1cddd1

SHA256
85cbf7e363245524c0f38f7fd770f8e1af313c8e679c5f4a77d4ea13150bf37e

SHA512
b08b5041f0559be45287ba69414a5548da88dac22e075f0c7acab113902c52d08e415e2fd789f2f568fcf2c47f156da303455863184a09f850877edd74d5faef

Download Submit
C:\Users\Admin\AppData\Roaming\Nitro Generator 2020.exe

Filesize
18.5MB

MD5
bcd25da82792f693b98584193eadd554

SHA1
dcd571563221ca033bc4f19240c881bbe674e350

SHA256
5cc57fbf19df75243dd93d0e18eefa4fdd77009d76629927c41cf0969c4c7690

SHA512
4e7d39e1a44478a361574aec78f571b79717b94e960a4a1365dffe1daa793abbea0c9f28ffda244cf650329fd585f18c759614e72df480bd040ea11746b79305

Download Submit
memory/868-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/868-35-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/868-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/868-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/1096-150-0x00007FF6E9F50000-0x00007FF6EAE2E000-memory.dmp

Filesize
14.9MB

Download
memory/1096-151-0x00007FF6E9F50000-0x00007FF6EAE2E000-memory.dmp

Filesize
14.9MB

Download
memory/1096-152-0x00007FF6E9F50000-0x00007FF6EAE2E000-memory.dmp

Filesize
14.9MB

Download
memory/1096-154-0x00007FF6E9F50000-0x00007FF6EAE2E000-memory.dmp

Filesize
14.9MB

Download
memory/1096-167-0x00007FF6E9F50000-0x00007FF6EAE2E000-memory.dmp

Filesize
14.9MB

Download
memory/1952-32-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1952-34-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/1952-33-0x000000007262E000-0x000000007262F000-memory.dmp

Filesize
4KB

Download