62f718a3981aae16539de2cb0ab69ce3dffcf0b078104d057bd2d570976d4bbb

Analysis

max time kernel
103s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe
Size

4.7MB
MD5

f92333fb5f480f7bfff7776ac4c45987
SHA1

d805b39b2a0e71a5e447bd9503655d632b34c1d3
SHA256

62f718a3981aae16539de2cb0ab69ce3dffcf0b078104d057bd2d570976d4bbb
SHA512

44dc298a91f89bb5f2f9de01de0080e1f355e02be338cad16e5e569b29187312714059bc161a00e39baddfebd61f8af2a8430c0a8723db3d595f92671340aa6d
SSDEEP

98304:Q8oAq1R4/6eW3oAOQ2Ld8R4XW/2XPoaenCJvoV2y7h2zr:Q8b/6pgLdU4mraXJvmI

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe

Executes dropped EXE 1 IoCs

pid	Process
5860	QQMusicExternal.exe

Loads dropped DLL 5 IoCs

pid	Process
5860	QQMusicExternal.exe
5860	QQMusicExternal.exe
5860	QQMusicExternal.exe
5860	QQMusicExternal.exe
5860	QQMusicExternal.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	QQMusicExternal.exe
File opened (read-only)	\??\M:	QQMusicExternal.exe
File opened (read-only)	\??\N:	QQMusicExternal.exe
File opened (read-only)	\??\S:	QQMusicExternal.exe
File opened (read-only)	\??\Y:	QQMusicExternal.exe
File opened (read-only)	\??\B:	QQMusicExternal.exe
File opened (read-only)	\??\E:	QQMusicExternal.exe
File opened (read-only)	\??\G:	QQMusicExternal.exe
File opened (read-only)	\??\L:	QQMusicExternal.exe
File opened (read-only)	\??\P:	QQMusicExternal.exe
File opened (read-only)	\??\Z:	QQMusicExternal.exe
File opened (read-only)	\??\I:	QQMusicExternal.exe
File opened (read-only)	\??\O:	QQMusicExternal.exe
File opened (read-only)	\??\Q:	QQMusicExternal.exe
File opened (read-only)	\??\R:	QQMusicExternal.exe
File opened (read-only)	\??\T:	QQMusicExternal.exe
File opened (read-only)	\??\U:	QQMusicExternal.exe
File opened (read-only)	\??\V:	QQMusicExternal.exe
File opened (read-only)	\??\W:	QQMusicExternal.exe
File opened (read-only)	\??\H:	QQMusicExternal.exe
File opened (read-only)	\??\J:	QQMusicExternal.exe
File opened (read-only)	\??\X:	QQMusicExternal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicExternal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQMusicExternal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQMusicExternal.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1536	ipconfig.exe
3276	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5860	QQMusicExternal.exe
5860	QQMusicExternal.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4224	mmc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe
Token: 33	5056	mmc.exe
Token: SeIncBasePriorityPrivilege	5056	mmc.exe
Token: 33	5056	mmc.exe
Token: SeIncBasePriorityPrivilege	5056	mmc.exe
Token: 33	4224	mmc.exe
Token: SeIncBasePriorityPrivilege	4224	mmc.exe
Token: 33	4224	mmc.exe
Token: SeIncBasePriorityPrivilege	4224	mmc.exe
Token: SeDebugPrivilege	5860	QQMusicExternal.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe
2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe
5056	mmc.exe
5056	mmc.exe
4224	mmc.exe
4224	mmc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3108	2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe	90
PID 2268 wrote to memory of 3108	2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe	90
PID 3108 wrote to memory of 1536	3108	cmd.exe	92
PID 3108 wrote to memory of 1536	3108	cmd.exe	92
PID 2268 wrote to memory of 2772	2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe	93
PID 2268 wrote to memory of 2772	2268	2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe	93
PID 2772 wrote to memory of 2004	2772	cmd.exe	95
PID 2772 wrote to memory of 2004	2772	cmd.exe	95
PID 2772 wrote to memory of 5400	2772	cmd.exe	96
PID 2772 wrote to memory of 5400	2772	cmd.exe	96
PID 5056 wrote to memory of 2936	5056	mmc.exe	106
PID 5056 wrote to memory of 2936	5056	mmc.exe	106
PID 4224 wrote to memory of 5860	4224	mmc.exe	109
PID 4224 wrote to memory of 5860	4224	mmc.exe	109
PID 4224 wrote to memory of 5860	4224	mmc.exe	109
PID 5860 wrote to memory of 1316	5860	QQMusicExternal.exe	110
PID 5860 wrote to memory of 1316	5860	QQMusicExternal.exe	110
PID 5860 wrote to memory of 1316	5860	QQMusicExternal.exe	110
PID 1316 wrote to memory of 3276	1316	cmd.exe	112
PID 1316 wrote to memory of 3276	1316	cmd.exe	112
PID 1316 wrote to memory of 3276	1316	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_f92333fb5f480f7bfff7776ac4c45987_black-basta.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh interface ip show config | netsh -f C:\ProgramData\Microsoft\Windows\Templates\bxXuu.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\netsh.exe
    netsh interface ip show config
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2004
- - C:\Windows\system32\netsh.exe
    netsh -f C:\ProgramData\Microsoft\Windows\Templates\bxXuu.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5400

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\p+C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\w C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\QQMusicCommon.dll
  2⤵
  PID:2936

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\QQMusicExternal.exe
  "C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\QQMusicExternal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2zgio2.url

Filesize
108B

MD5
c0114ec15e140520aba6e506bd15111d

SHA1
e291d37a9e7d9fc89d3e78bceee6731149f3ffb3

SHA256
567884b0746fc7c755fcf5548210f35029d936e89577986a9f7593f29001a1a7

SHA512
403b6fa577d9b52838920073d6b51ab456c539a5cf6e875105abfab8479f87fe0eb97ff97c11d01c5448a439d58d61c79758129b88f20eeaf9d96a7152e41b37

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\ExceptCatch.dll

Filesize
208KB

MD5
a847740f73ed4de5760b180512ca082c

SHA1
b6b40b15cb80c2e5782c09d16b70d2d12a6cd6e9

SHA256
6f2671a222a316b48c63f5200e42f81923cec015158cc2af75ccad2aa0b779c8

SHA512
4625ec80056a3352ad0604aa7efd19ebf8fe58e8fef6c5ddb7af707d2e487987e23b73f2953b728d7f8dd759ea9f82b84eaba6f1797c4bd8f1f3bc356f0bab67

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\HN.txt

Filesize
179KB

MD5
5ecaacba9209741d5d83fadf59bdb82c

SHA1
481d9ef701ae6bf6ba0a1dfef0700a3e113e071f

SHA256
9d6e2370d734fbd5daaf235b2ab05cff893ae74410336077d559370369a024cf

SHA512
4dce958cbbf2b9c465abb52e9100b751be548482d9f7b0f2ced308466ff2fb47663227d51476df4db52c0efb50e218bc01f043de9690fbc9ff909ac94da62c7f

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\QQMusicCommon.dll

Filesize
2.4MB

MD5
d37f6534f7365e767e439e3b7368fc6b

SHA1
3e431785aa23260be3ee4153d6113b18bb8df8a6

SHA256
ba474e941a4daa9a77db2b5f62ca930505a559d5efb464151de06f479ffbc9ed

SHA512
4de418058dbae3f5e0565ec859994f41e5e8e1feac6f2e0b1f1aee17020e84873d4694a80d3270eb88f75c51c9bb22c6dc7e53c70cb1b22585356473f343dbe6

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\QQMusicExternal.exe

Filesize
147KB

MD5
f306692275b3e5922fa67a5e6a80fc6d

SHA1
7129e3869ad4bf7ddca35cd48aecd5a5cd7d80fe

SHA256
939906e9aae53726e4e43ef5265da9578637808b641b4d515eb56ded9310050c

SHA512
98ded8fb8e4fdcc6b7e7a25d0963468029952af5909444916ffb6c009950b2727fb1f2c594489621fbb6fb909da8d2f810624c6cf845a3a79a87a1ba3c8c0d3c

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\mmkv.dll

Filesize
279KB

MD5
56f39f0c55e80859f2ba0380985ca290

SHA1
516cc673acf6ab63087ef2d127b16592a9ef8ff6

SHA256
e7a1b88f81139ee2e53957ae0210af702667e003bb48115761ceec883c57f8dc

SHA512
69c996a65bb19d33a8c4e9c4fc725f3266504dd381c991b1312d2022dafd6a9a002cedb19c4514da34b5d36418263c95219c7215d27fa38eca47529a157b589c

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\msvcp140.dll

Filesize
429KB

MD5
cfbdf284c12056347e6773cb3949fbba

SHA1
ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

SHA256
bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

SHA512
2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\p

Filesize
1.2MB

MD5
734f82ec7f43e6e5fbbe8d4e678d4f4a

SHA1
0cd5c550e44c28e1c96fa4b99c9d7031a684e10f

SHA256
817bdcb65381de4e9e86425154814a2bb0e179979e2abea828f41dc56fb5a81e

SHA512
fa498766293cca0740e627b60a1d39178faca3559f16bb2c6d62ef39ee1f29c16c76ecf15ca09d1da167ecbe8a05eeae8b97da2f9a6d8d23bdc9a15ec232921e

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\vcruntime140.dll

Filesize
81KB

MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\4tDrH\H1Fr1~c\w

Filesize
1.2MB

MD5
3bdd5d44cddb78061fd189634120a1c4

SHA1
f5ebd9c82c55d0c968be8de4360d0c69a28ab411

SHA256
1df981e28826412174dc9a4e83f29536acb5c8fc6fb94d12b1659c7d4c2e48a4

SHA512
0dab3d1ff59bf64eab00955851e2dce18d1d816c3986dd6a5ce1a718a1ff8dc22a8f528cb1e89e920716d425a831b9e0f6cfa3a9f9b771b628ac0cf1b0804c9f

Download Submit
memory/2268-12-0x0000000180000000-0x00000001801FC000-memory.dmp

Filesize
2.0MB

Download
memory/2268-3-0x0000000180000000-0x00000001801FC000-memory.dmp

Filesize
2.0MB

Download
memory/2268-0-0x0000000180000000-0x00000001801FC000-memory.dmp

Filesize
2.0MB

Download
memory/2268-2-0x0000000180000000-0x00000001801FC000-memory.dmp

Filesize
2.0MB

Download
memory/2268-43-0x0000000180000000-0x00000001801FC000-memory.dmp

Filesize
2.0MB

Download
memory/5860-29-0x000000006F770000-0x000000006F780000-memory.dmp

Filesize
64KB

Download
memory/5860-33-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-32-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-42-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-31-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-44-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-45-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-46-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download
memory/5860-47-0x0000000002F30000-0x0000000002F99000-memory.dmp

Filesize
420KB

Download