Analysis
- max time kernel: 103s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/03/2025, 01:14
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
- Resource: win10v2004-20250314-en
General
- Target: 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
- Size: 46.2MB
- MD5: 5ad23c8209fd17a66c6e37436f257a91
- SHA1: 47afe2053859cf1ebe0f45fa75d0ce77945f89da
- SHA256: b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476
- SHA512: cd4dad7b8a37c9e141b4e86cc3b861f5a6250f0c716326b9fe295bc36ce3bf2b42fd9630e47677eac333e02d0358b175007fd0bfd4636836ec4871bec626d3c4
- SSDEEP: 786432:GVmrjV7eIAtBXcnm0+Hm+vwZW9a3kTxI2Un/Elw4+rTEl4ElUyemgEmtV8r8G:GVmrjV7eIjnP+TYZQaB3Ex+HEpUxkrn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1376 | MSI968B.tmp
- Loads dropped DLL (13 IoCs)
  pid | Process
  3000 | MsiExec.exe (3 entries)
  212 | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe (1 entry)
  4484 | MsiExec.exe (7 entries)
  5424 | MsiExec.exe (2 entries)
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | 21 entries, in recorded order: \??\O:, \??\P:, \??\Q:, \??\W:, \??\X:, \??\B:, \??\R:, \??\V:, \??\Z:, \??\K:, \??\L:, \??\H:, \??\I:, \??\T:, \??\M:, \??\G:, \??\Y:, \??\A:, \??\E:, \??\N:, \??\S: | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
  File opened (read-only) | 43 entries, in recorded order: \??\M:, \??\Q:, \??\U:, \??\T:, \??\V:, \??\G:, \??\O:, \??\V:, \??\W:, \??\L:, \??\B:, \??\Q:, \??\K:, \??\R:, \??\A:, \??\W:, \??\J:, \??\T:, \??\Y:, \??\E:, \??\P:, \??\B:, \??\E:, \??\Z:, \??\I:, \??\S:, \??\H:, \??\Y:, \??\N:, \??\O:, \??\X:, \??\K:, \??\N:, \??\H:, \??\R:, \??\U:, \??\X:, \??\I:, \??\G:, \??\P:, \??\S:, \??\Z:, \??\M: | msiexec.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files (x86)\EZ CD Audio Converter\EZ CD Audio Converter\regid.1995-09.com.example_20b5b899-25ba-4754-96c3-54f90f9645d7.swidtag | MsiExec.exe
- Drops file in Windows directory (18 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI94B5.tmp | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8C62.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8CE0.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8E2B.tmp | msiexec.exe
  File created | C:\Windows\Installer\e578b48.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8BC5.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8DBD.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{583A6AD7-D6C6-4313-9F6A-1140BE7D27BC} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9408.tmp | msiexec.exe
  File created | C:\Windows\Installer\e578b4c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI993D.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\e578b48.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8D3F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI968B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9803.tmp | msiexec.exe
- Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid | Process
  1376 | MSI968B.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI968B.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Modifies data under HKEY_USERS (10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{583A6AD7-D6C6-4313-9F6A-1140BE7D27BC} | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Caphyon | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config | MsiExec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | MsiExec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{583A6AD7-D6C6-4313-9F6A-1140BE7D27BC}\C:\ProgramData\regid.1995-09.com.example\regid.1995-09.com.example_20b5b899-25ba-4754-96c3-54f90f9645d7.swidtag = "*" | MsiExec.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{583A6AD7-D6C6-4313-9F6A-1140BE7D27BC}\C:\Program Files (x86)\EZ CD Audio Converter\EZ CD Audio Converter\regid.1995-09.com.example_20b5b899-25ba-4754-96c3-54f90f9645d7.swidtag = "*" | MsiExec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
- Modifies registry class (23 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7DA6A3856C6D3134F9A61104EBD772CB | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Version = "201326593" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Assignment = "1" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DD436A7DD74F054CBC5662268696EB0 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DD436A7DD74F054CBC5662268696EB0\7DA6A3856C6D3134F9A61104EBD772CB | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\EZ CD Audio Converter\\EZ CD Audio Converter 12.0.1.1\\install\\E7D27BC\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7DA6A3856C6D3134F9A61104EBD772CB\MainFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\InstanceType = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\AuthorizedLUAApp = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\PackageName = "Setup.msi" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\ProductName = "EZ CD Audio Converter" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\PackageCode = "9A977F221962406478E948CFA1B0D001" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\AdvertiseFlags = "388" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\Media\1 = ";" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\EZ CD Audio Converter\\EZ CD Audio Converter 12.0.1.1\\install\\E7D27BC\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7DA6A3856C6D3134F9A61104EBD772CB\DeploymentFlags = "3" | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3856 | msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 3856 | msiexec.exe
  Token: 63 entries, in recorded order. The 29-privilege sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege is recorded twice in full, followed by its first five entries (SeCreateTokenPrivilege through SeMachineAccountPrivilege) once more | 212 | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  212 | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe
  4680 | msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3856 wrote to memory of 3000 | 3856 | msiexec.exe | 91 (3 entries)
  PID 212 wrote to memory of 4680 | 212 | 2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe | 92 (3 entries)
  PID 3856 wrote to memory of 4484 | 3856 | msiexec.exe | 93 (3 entries)
  PID 3856 wrote to memory of 1376 | 3856 | msiexec.exe | 96 (3 entries)
  PID 3856 wrote to memory of 5424 | 3856 | msiexec.exe | 97 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe (PID 212, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 4680, depth 2)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1743143080 "
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3856, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3000, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1817585974479D2A7CCA7966DE118D52 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 4484, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A28D2D488F7D0F41BC4988A1A9DBE272
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI968B.tmp (PID 1376, depth 2)
    Command line: "C:\Windows\Installer\MSI968B.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Local\Temp\setup.msi"
    - Executes dropped EXE
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 5424, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 516268824DC5CB6D742378F02256237D E Global\MSI0000
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: ad355fabb57bfe3dca45e1be952b35f3
  SHA1: d41c362f87e69866791144ca34136762f3bdf908
  SHA256: 67ff42ae97c518650fd33de1b922069d383bb36cd846110da2ba8efe5ed70d73
  SHA512: ac0ab4c4186d14780c8614982166cbef9f7c1f1a755c5f0ffe362510afa9e50433284710332879fb32283d76125e22799b46050e937b71e4d4ac3205fce43701
- Filesize: 997KB
  MD5: ee09d6a1bb908b42c05fd0beeb67dfd2
  SHA1: 1eb7c1304b7bca649c2a5902b18a1ea57ceaa532
  SHA256: 7bbf611f5e2a16439dc8cd11936f6364f6d5cc0044545c92775da5646afc7752
  SHA512: 2dd2e4e66d2f2277f031c5f3c829a31c3b29196ab27262c6a8f1896a2113a1be1687c9e8cd9667b89157f099dfb969ef14ae3ea602d4c772e960bc41d39c3d05
- Filesize: 886KB
  MD5: 1d51848e7512c27af22cdf0213e11cf5
  SHA1: d35ab52e49c82bb72f0ad7c7568035e8a41564e4
  SHA256: 0b73497f2ad7a4a04f36b8d46816c5404ba828d7feeca90b3abe28599e9c4619
  SHA512: b6513f1ab6af820fd139ba5fe5399268077c328b8dbd19471db203f94f6aec2702baaec37209b4056531cab56d54b09f6d446f0f398befa1cc9cd4f77e65e079
- C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\Setup.msi
  Filesize: 3.7MB
  MD5: 351a6f10aeed68dd1131b2a99545793a
  SHA1: 8cdfa38ff8e774bc196130a64cbdaa6369c7f385
  SHA256: a9fe53323e9c89bb836d8adcb2d1c36d4d1f84373f4277ee14b8df3aa3272e65
  SHA512: 5417ebf76f311a43d32c82e9662e7b790cc149afd25cd35af75dfbe477099e701b5fa194428a47a001b9c64dae0d4dff779ede6b1b894f9264e4d743437b99bf
- C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup.msi
  Filesize: 2.9MB
  MD5: a18598ac9402f45ba22cea4f7bdd4782
  SHA1: 76db003cee073a307a28b8dc2a901d587d014377
  SHA256: 696736cd779c3e16f75faffffcace334e9b71399b0650cb745d72acf4acfe224
  SHA512: 7c384fd092162e90005243df9b3497f879f54e91a0e614ffc1ac2b11e119d0cadc7e5a4e3f4d84ab77640f0e8d5a1a326e1eaf5ea4fbc4ac75616d3b84009e8e
- C:\Users\Admin\AppData\Roaming\EZ CD Audio Converter\EZ CD Audio Converter 12.0.1.1\install\E7D27BC\TempFolder\setup1.cab
  Filesize: 39.8MB
  MD5: 627b5e0d1a432aa6e66ce5dd5af8baa6
  SHA1: fafdb61d971f2741eac3a7bbefb754db64bf0c70
  SHA256: 51d580e3f429a018591ea0df27f13e87efdd0692070ea9104fd1210750ba85e6
  SHA512: 5aba06618e0ff8cc8544aa1c0fc5b1cd7bee17442e841e82c4e047d6a21c34e1a8a4b6b08f386019e689eecc7e17201b57caa52e5da6a0a501b1bfc6f645a6b1
- Filesize: 967KB
  MD5: bf6adc8f7e5afea02b8514b3f93dc30b
  SHA1: 1eea8393c3481d2be5b68af98efe70493dea1b1f
  SHA256: 5011c2403744c70efa01ce5341a8da118667268d74a0f046a5f7e93290b69529
  SHA512: b1bb78aabd5a16c8f88c70e16fae90a15dd426dd014291e82952416c3f6a60413c642c1d46e586079f0a3904f88d53f37195acb2e001c0586f61baf675ffda72
- Filesize: 411KB
  MD5: daefcc204211c3d179eacc0c6ee4bcc6
  SHA1: 3bfc444a87d30dcc77730ad5bdb65b9593b50925
  SHA256: d74b55c93e4991ac882af31978a186a797ac9cde0c93747094e0422106b8d100
  SHA512: 6aa70b0a48868b3de1dd0a96835db024ae325ae3fc5725567d54369b91c20972c1c3b7c8620f2189784010cf44bb6577a75702ef20f71f4eaf75deaf149492d1