3cec4fe1f4f4af3d6f87a2518cb6e08f860e376991aca16726d62aae61b9ffc4

General

Target

2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
Size

5.5MB
MD5

b5d908c3544220670f79c8d432c2ff80
SHA1

cab4a4a71a98508ec15d064eb8da356560f54ace
SHA256

3cec4fe1f4f4af3d6f87a2518cb6e08f860e376991aca16726d62aae61b9ffc4
SHA512

963933cd63bd8d532c6a526ce4399596659a4a07fc31abeba332408dd8b7c01f6304db459dcd889632da051bedd68c48d4cc8087fbcc6c70f8ccc38b54c03cf5
SSDEEP

98304:GzruaI6HMaJTtGbXUzcvAAAz1/0YVGDzmZTKvzruaI6HMaJTtGbh:raI6HMaJTtGbkNAMLVGDz8TK+aI6HMaM

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3396	1320	WerFault.exe	85
1664	1320	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1320	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
1320	2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_b5d908c3544220670f79c8d432c2ff80_black-basta.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 400
  2⤵
  - Program crash
  PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 488
  2⤵
  - Program crash
  PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1320 -ip 1320
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1320 -ip 1320
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pUc7E09.tmp

Filesize
1010KB

MD5
05927910e74ed5f4581ea2a70e31b5cf

SHA1
6128f834d59c671ffd4550a64a44a1bfcc38f89f

SHA256
c610624588659cb5544b1367b6bf944f4d5ec2f7be51c51bdb6dda3724d31110

SHA512
65c13433a18ebc5571e1fd3b0119935e601ee84306f1ea4e3e5b2a01032489e31086221513380f546240329dbfff1611a544ee19e3da36b1b3c9989a2e055a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc7E4B.tmp

Filesize
5.5MB

MD5
b5d908c3544220670f79c8d432c2ff80

SHA1
cab4a4a71a98508ec15d064eb8da356560f54ace

SHA256
3cec4fe1f4f4af3d6f87a2518cb6e08f860e376991aca16726d62aae61b9ffc4

SHA512
963933cd63bd8d532c6a526ce4399596659a4a07fc31abeba332408dd8b7c01f6304db459dcd889632da051bedd68c48d4cc8087fbcc6c70f8ccc38b54c03cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUc98E1.tmp

Filesize
2.6MB

MD5
b87f29308fb9914335f49c7d3daaec31

SHA1
4914eaad5629a03c867393f9ea73f1c340b558c4

SHA256
746adcdd418ca5fe6af8ea6bed27273c5634094d176fcdafcd90c07ef95f8765

SHA512
a10084e02c8c5d00dbbf5f0534a02383b320550245b286becda730d51ae6918bff885444fa554f871c7b5e705516701a7522a1780b4222894d8c375e2cad9b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUcA046.tmp

Filesize
743KB

MD5
9938d2154764a30cef1b4b618b9dde7a

SHA1
45c76ba9e736c241a17b7d2f8e27b9eefab241d1

SHA256
3183a400261d724eb9653ddab2fee7b71f6a78718f4f6fe1c5258e9c9ecac9a7

SHA512
0c9bc94d7f181342b532f4c8fc0e3e8ee636c7a0c9aac15122c30cfef6e6e26866ed6a16d1efc953b347c14d4ecf1dc24db4cb80d9ab3e15f58f25f3e4aeef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUcAE27.tmp

Filesize
5.3MB

MD5
7ca5a6210470f8f944846f142f47d17a

SHA1
0c093be6dc2c488c37bc9d21cced5823bc17095e

SHA256
dda00a066ce2ab742e916c548a324b650d079cabc27411d47e5dbe9a0bab511c

SHA512
2a49cab281b32e096fbc7c00703365a53db7229b9139230b2850fa93fbf79ac1c289eff20b6a5ef15a915446fe7a95e3264344a16f669be19f3f7703a73a681e

Download Submit
memory/1320-105-0x0000000000400000-0x0000000000985000-memory.dmp

Filesize
5.5MB

Download
memory/1320-183-0x0000000000400000-0x0000000000985000-memory.dmp

Filesize
5.5MB

Download

Analysis

Sharing