Analysis
max time kernel: 105s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted: 30/03/2025, 21:03
Static task: static1
Behavioral task: behavioral1
Sample: 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
Resource: win7-20240903-en
General
Target: 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
Size: 2.7MB
MD5: b5b3cfe0287ec45c69472d2f2c9b1ea0
SHA1: e1544896b9e25a024f624314db4187805eba54b5
SHA256: 4d9415d5daf15172f6fcbc577021a932f66da049ca750a73e3506015028b8674
SHA512: 602aa8482375dcd0e20e21f07f7152f36e1b31e23e1a7372a91b88aba1864f993da3ae86d8b7290d3222c7aba2fff1b03beb370bfbedcfc63f801ce275de4959
SSDEEP: 49152:JmhzrOZLOIaI6HMaJTtGbADeksRNfuv0P/9QXRNqFsZOxc1isfayXKvITLc66OY2:GzruaI6HMaJTtGb2sxENsoOxc1isCyXV
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
(No IoC rows recorded for this signature.)

Drops file in Program Files directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\CheckpointEnter.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
6040 | 5432 | WerFault.exe | 84
5860 | 5432 | WerFault.exe | 84
3604 | 5156 | WerFault.exe | 88
4384 | 5156 | WerFault.exe | 88

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
5432 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5432 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5156 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
5156 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 5432 wrote to memory of 5156 | 5432 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe | 88
PID 5432 wrote to memory of 5156 | 5432 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe | 88
PID 5432 wrote to memory of 5156 | 5432 | 2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe"
    PID: 5432
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe"
        PID: 5156
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 416
            PID: 3604
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 432
            PID: 4384
            - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 460
        PID: 6040
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 460
        PID: 5860
        - Program crash
C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5432 -ip 5432
    PID: 5256
C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5432 -ip 5432
    PID: 1060
C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5156 -ip 5156
    PID: 1404
C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5156 -ip 5156
    PID: 1556
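The signature tables and the process tree above record four behaviours that are worth turning into triage rules rather than reading one at a time: the sample (PID 5432) spawns a second copy of its own image (PID 5156) and calls WriteProcessMemory into it three times, both PIDs open HKLM\SYSTEM\ControlSet001\Control\NLS\Language, both PIDs open existing executables under C:\Program Files for modification from an image that runs out of %TEMP%, and both PIDs are then reported by WerFault. The script below is an added example and is not tria.ge's or the sample's code. The PIDs, image paths, WerFault command lines, registry key and Program Files targets are copied from this report; the event schema and field names, the attribution of individual file writes to one PID or the other (the report only names the image), and the benign scratch.tmp control event are this example's own assumptions.

```python
"""Triage rules replayed over events modeled on this sandbox report.

Added example, not tria.ge's or the sample's code. PIDs, image paths,
registry key and Program Files targets come from the report; the event
schema, per-PID attribution of file writes and scratch.tmp are assumed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2025-03-30_b5b3cfe0287ec45c69472d2f2c9b1ea0_black-basta.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
PF = r"C:\Program Files"


def _start(pid, ppid, image, cmdline):
    return {"type": "process_start", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


# Constructed event log following the report's process tree and IoC tables.
EVENTS = [
    _start(5432, None, SAMPLE, f'"{SAMPLE}"'),   # page records no parent for 5432
    _start(5156, 5432, SAMPLE, f'"{SAMPLE}"'),   # child copy of the same EXE
    *([{"type": "write_process_memory", "pid": 5432, "target": 5156}] * 3),
    {"type": "registry_open", "pid": 5432, "key": NLS_KEY},
    {"type": "registry_open", "pid": 5156, "key": NLS_KEY},
    # The report names only the image for these writes; PID attribution is assumed.
    {"type": "file_write", "pid": 5432, "path": PF + r"\7-Zip\7z.exe"},
    {"type": "file_write", "pid": 5432, "path": PF + r"\dotnet\dotnet.exe"},
    {"type": "file_create", "pid": 5156,
     "path": PF + r"\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"},
    {"type": "file_write", "pid": 5156,           # constructed benign control event
     "path": r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"},
    _start(3604, 5156, WERFAULT, "-u -p 5156 -s 416"),
    _start(4384, 5156, WERFAULT, "-u -p 5156 -s 432"),
    _start(6040, 5432, WERFAULT, "-u -p 5432 -s 460"),
    _start(5860, 5432, WERFAULT, "-u -p 5432 -s 460"),
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\public\\")
_WER_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")   # '-u -p <pid> -s <handle>'


def _procs(events):
    """pid -> process_start record, so rules can look up image and parent."""
    return {e["pid"]: e for e in events if e["type"] == "process_start"}


def self_injection(events):
    """(writer, target) pairs where a process writes into a child running
    the same image: the pattern behind 'Suspicious use of WriteProcessMemory'."""
    procs, hits = _procs(events), set()
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if src and dst and dst["ppid"] == src["pid"] \
                and src["image"].lower() == dst["image"].lower():
            hits.add((src["pid"], dst["pid"]))
    return sorted(hits)


def _under_program_files(path):
    parts = PureWindowsPath(path).parts
    return len(parts) > 2 and parts[1].lower() in ("program files", "program files (x86)")


def program_files_tampering(events):
    """{pid: [paths]} of .exe files under Program Files written or created by a
    process whose own image lives in a user-writable directory (here %TEMP%)."""
    procs, hits = _procs(events), defaultdict(set)
    for e in events:
        proc = procs.get(e["pid"])
        if e["type"] not in ("file_write", "file_create") or not proc:
            continue
        if any(m in proc["image"].lower() for m in USER_WRITABLE) \
                and _under_program_files(e["path"]) and e["path"].lower().endswith(".exe"):
            hits[e["pid"]].add(e["path"])
    return {pid: sorted(p) for pid, p in hits.items()}


def language_discovery(events):
    """PIDs that opened ...\\Control\\NLS\\Language (System Language Discovery)."""
    return sorted({e["pid"] for e in events if e["type"] == "registry_open"
                   and e["key"].lower().endswith(r"\control\nls\language")})


def crash_reports(events):
    """crashed pid -> sorted WerFault PIDs that reported it, parsed from '-p <pid>'."""
    out = defaultdict(list)
    for e in events:
        if e["type"] == "process_start" and e["image"].lower().endswith("\\werfault.exe"):
            m = _WER_TARGET.search(e["cmdline"])
            if m:
                out[int(m.group(1))].append(e["pid"])
    return {pid: sorted(v) for pid, v in out.items()}


def triage(events):
    """Combine the rules; a child that crashes after being written to means the
    run is incomplete, so absent post-injection behaviour is not evidence of absence."""
    inj, crashes = self_injection(events), crash_reports(events)
    return {"self_injection": inj,
            "program_files_exe_writes": program_files_tampering(events),
            "language_discovery_pids": language_discovery(events),
            "crash_reports": crashes,
            "injected_then_crashed": sorted(t for _, t in inj if t in crashes)}


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(f"{k}: {v}")
```

Because the injected child (5156) and the parent (5432) both end up under WerFault, treat this run as an incomplete execution: anything a later stage would have done, including the "Reads user/profile data of web browsers" TTP that has no IoC rows on this page, may simply not have been reached in the 105 s kernel window. The Program Files rule deliberately keys on the writer's own location rather than on the target list, so it also fires on a different sample that touches other executables; the benign scratch.tmp event shows it stays quiet for writes outside Program Files.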
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 976KB
MD5: 8707f286d3f8ba555fa9d854ac9a5081
SHA1: 41dad29baf015cc3b94598d4f830634a5a928a5e
SHA256: 062bd2114d216adc79ed58505bc02d5ecb8f095f188e294e0b602dc845d6c677
SHA512: a152ef1ab121813e7f47e5ff5868fbeadc1db5cc13669933437e416c77c4fbde88d56cdec035a69a40e45c52e9d78357244ff24effee7dc7e0b1e608e424816f

Filesize: 2.7MB
MD5: b5b3cfe0287ec45c69472d2f2c9b1ea0
SHA1: e1544896b9e25a024f624314db4187805eba54b5
SHA256: 4d9415d5daf15172f6fcbc577021a932f66da049ca750a73e3506015028b8674
SHA512: 602aa8482375dcd0e20e21f07f7152f36e1b31e23e1a7372a91b88aba1864f993da3ae86d8b7290d3222c7aba2fff1b03beb370bfbedcfc63f801ce275de4959

Filesize: 1.2MB
MD5: fa1d7965a8cc9b71967329991c87842a
SHA1: 33b4713bc704c6562a077de88a5f04b54eac7fff
SHA256: f93601be6bce1283840d5f59cb8a92d68aae82c3c8c078494dbd7ce1d413ff37
SHA512: 6aa62d9080203fe06997cd5599b55bf00338331ac537f1ad0841366cb991a44b2850da0796b3597ca031786a93a2231f6e209e4703725de8b6b98d611fb27a2c

Filesize: 1.2MB
MD5: 2fc59aa41fbccf02436bc992d5f46511
SHA1: 92edb987b358de8e2f8edf58e275e127026bca17
SHA256: 4f32e58c8d67d177529286b00a784706d3e8a9731653d8a686f73ebb3767207d
SHA512: 362cab4044e92fad598fa792359d99dadf1e2e39d2c75ed1285eca505e86bb652b830a5088de3270ff2caa27091d722ae2084cccb4157f837a6eba08481db392

Filesize: 512KB
MD5: f17c45349962ba1cb0716b0547fe1abb
SHA1: 86d77868f9e16adaf71a1115b7739d2c66a4eb13
SHA256: 9ad5484276f6e4342e2b423d6390c9426e74c6a3e47ce4b46523e9fe09b1fb42
SHA512: b6efda56e5b994bde4792b1ee68d6225d8b5966bcfd0546a7fa857d6d5a31da6915d09fab7c42f1ffdceca657a14acb29e992ee48f2f80d3b5926bad6fdd3cd6

Filesize: 2.6MB
MD5: aa37482c65da92de1c26c8edb07fc1f6
SHA1: e56852500639d5a8a982d0e32c3e06b569ffccae
SHA256: b2b46f68fd44359ad7f909ad19e4b45e3f62dc1dac5a2e5cf0b0ea02eff18156
SHA512: 7ecf8579e1f741993b028c3108aade6d992565c2febc91affd66952726e07bef2dd50c3daf001f0dab63f0563e1effa4ddaf5752f4850e863b76b636c92d8be7

Filesize: 784KB
MD5: acddccbee295d6af8b75ad6a6f284fcd
SHA1: 1976db56f34b6f5c9ea9240599487de08f1616e0
SHA256: 17bbc59af2eb3984f596aeb631f7d793a73b8a99dff16198cd3c96dc14e04a80
SHA512: 5c8acd076dcbc2b8cbda6fd2b4485ddbc6d286a47361ef9a802d0b32e5a8156b58a3efc9e48c82e71463c3d4edb6b53ae6c18e99ef54497c8c67a0526e541225

Filesize: 550KB
MD5: db89d002488de07d6f5a37df9b5685df
SHA1: 270e10a322ea5239b147687a2ff4fffc52153a72
SHA256: 00e9a597a59acec31b0505a88b88dba3fe99fd80cf5161049028f351d3714c14
SHA512: 2f92bed7feda2a83625850ba73fa125e19a7be04af85621d1e16d3ef2aa8969d8b346872847f29054739896a9184f1b3d33a9a2805648c2996763e951b73a615

Filesize: 4.4MB
MD5: 116c7080a3442e77abf29c4c42af8944
SHA1: 97e9c3b878579bd406b405b934a0febe1c020539
SHA256: 7b1e251a55b6f990ac1205c938d7273b94eb737eace22a89e649fd086b7dbc81
SHA512: ae589927909d78c01170196968ece0b455a6329e7a70f3aa87e5a2a5b895c0905823c681a7dc6fc9ac4e7d7cf268603f6e249d5cc74847c797426a4db54980b1

Filesize: 861KB
MD5: e81c1a202930e81b921e8bea2251ad24
SHA1: 72440d06324d9679903d1239ab9da15203fecbcb
SHA256: c96cec64624f28e3f9f919ea98a1db2dfcca1e2403c2290345d8fc9b056177e3
SHA512: eeccac69217a2d621c7d538c94446de186da05f6e6dc18393b30ca75ad515c0498653c9c91f6df028ea750942f77d0d4157b632f22a1650ff81af07754eeed4c

Filesize: 23.8MB
MD5: ee99819cb2a00a47498d1493ef3b9d78
SHA1: 96eca495a39709e87a8673ee66f24feb67bcaf88
SHA256: 0756a287d8fda6fd427fb708dca91a2473773f4d87092234af432d1320bbf63f
SHA512: 38d58c8c67ccbd0a86a44b6fae0e65ea8a9ce97f9d0829970bf793bc24e1d848fd3de685a24a5935ab43ac8660cff084a46ed4db43121c5361091a767cbdd8a4

Filesize: 646KB
MD5: 3bc3f772bd67659133552d529305f146
SHA1: 63def4031aa0cdef47a2c835b1dba96f71949741
SHA256: 496fa1a81a855feb405a2c70c00319c39a8bb521e3f11cb69c88e4562f7c533e
SHA512: be3d5bd6398aa6a159329f3683fba9615e66bad3650cadbe43381d9445fa69d54351188eb5b979a21dfd17e7fb41c5123bc3523d1f4e8dfb9c949f0f5e8d06a6