Analysis
-
max time kernel
104s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15/05/2025, 10:00
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
Resource
win11-20250502-en
General
-
Target
2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
-
Size
1.8MB
-
MD5
7dd26568049fac1b87f676ecfaac9ba0
-
SHA1
bb79502d301ba77745b7dbc5df4269fc7b074cda
-
SHA256
a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9
-
SHA512
c2b2f9e4fac7564314de2303ac679f7815633cac9ad049b22cef523c6d42b7314c1a79cc15d002fd092ffb59efe8e1ea5730aa81c1b3b8891d191393c7cafdd8
-
SSDEEP
24576:RwC4IajeMNGoo0spYgY9dMdzXhJulI8pSDiEik1ggICx8mqdsoP+7UI+gGm4Zdlg:RZ5DqQ0P3Ij
Malware Config
Extracted
C:\Users\Admin\3D Objects\R3ADM3.txt
http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion
http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion
Signatures
-
Renames multiple (1998) files with added filename extension
Mass renaming of files with a new extension appended to the original name is characteristic of ransomware encrypting the files on the system.
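As an added example, not the sandbox's own code: the heuristic behind this signature, run over constructed rename events. The appended extension `locked_example`, the folder list, the control events and the threshold are placeholders, since the report does not state which extension this sample appends. Only renames of the form `name` to `name.ext` inside the same folder are counted, grouped by process and extension, so ordinary renames and a one-off `.bak` copy do not trigger it.

```python
import ntpath
from collections import Counter, defaultdict

SAMPLE = "2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
# Placeholder: the report does not say which extension the sample appends.
ENC_EXT = "locked_example"

USER_DIRS = [
    r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures",
    r"C:\Users\Admin\Desktop", r"C:\Users\Public\Documents",
]

# Constructed rename events as (process, old_path, new_path): 60 appended-extension
# renames by the sample spread over four folders, plus three benign controls.
EVENTS = [
    (SAMPLE,
     USER_DIRS[i % 4] + f"\\file{i:03d}.docx",
     USER_DIRS[i % 4] + f"\\file{i:03d}.docx.{ENC_EXT}")
    for i in range(60)
] + [
    ("explorer.exe", r"C:\Users\Admin\Desktop\draft.docx", r"C:\Users\Admin\Desktop\final.docx"),   # stem changed
    ("notepad.exe", r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.bak"),  # one-off backup
    ("explorer.exe", r"C:\Users\Admin\Downloads\a.zip", r"C:\Users\Admin\Desktop\a.zip.old"),       # moved across folders
]


def appended_extension(old: str, new: str):
    """Return the extension appended to `old` when `new` is exactly `old` + '.' + ext
    in the same directory; None for any other kind of rename."""
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    old_name, new_name = ntpath.basename(old), ntpath.basename(new)
    prefix = old_name.lower() + "."
    if not new_name.lower().startswith(prefix):
        return None
    return new_name[len(prefix):] or None


def detect_mass_rename(events, threshold=50):
    """Group appended-extension renames by (process, extension) and report every
    group that reaches `threshold`, with the number of distinct folders touched."""
    counts = Counter()
    folders = defaultdict(set)
    for proc, old, new in events:
        ext = appended_extension(old, new)
        if ext is None:
            continue
        counts[(proc, ext)] += 1
        folders[(proc, ext)].add(ntpath.dirname(new).lower())
    return [
        {"process": proc, "extension": ext, "renames": n, "folders": len(folders[(proc, ext)])}
        for (proc, ext), n in counts.most_common()
        if n >= threshold
    ]


if __name__ == "__main__":
    for hit in detect_mass_rename(EVENTS):
        print(hit)
```

The folder count matters as much as the rename count: a backup tool can append an extension to many files in one directory, whereas an encryptor walks the whole profile, which is what the 1998 renames and the 28 desktop.ini entries in this report reflect.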
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, such as saved credentials, cookies and session tokens.
-
Drops desktop.ini file(s) 28 IoCs
description ioc Process (all 28 opened for modification by 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe, one desktop.ini per user-profile folder, consistent with the encryptor walking every directory under C:\Users)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- File opened for modification C:\Users\Admin\Videos\desktop.ini
- File opened for modification C:\Users\Public\desktop.ini
- File opened for modification C:\Users\Admin\Downloads\desktop.ini
- File opened for modification C:\Users\Admin\Links\desktop.ini
- File opened for modification C:\Users\Public\Downloads\desktop.ini
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- File opened for modification C:\Users\Admin\3D Objects\desktop.ini
- File opened for modification C:\Users\Admin\Pictures\desktop.ini
- File opened for modification C:\Users\Public\AccountPictures\desktop.ini
- File opened for modification C:\Users\Public\Libraries\desktop.ini
- File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini
- File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- File opened for modification C:\Users\Admin\Contacts\desktop.ini
- File opened for modification C:\Users\Admin\Documents\desktop.ini
- File opened for modification C:\Users\Admin\Music\desktop.ini
- File opened for modification C:\Users\Admin\OneDrive\desktop.ini
- File opened for modification C:\Users\Admin\Saved Games\desktop.ini
- File opened for modification C:\Users\Public\Music\desktop.ini
- File opened for modification C:\Users\Public\Pictures\desktop.ini
- File opened for modification C:\Users\Admin\Favorites\desktop.ini
- File opened for modification C:\Users\Admin\Desktop\desktop.ini
- File opened for modification C:\Users\Admin\Searches\desktop.ini
- File opened for modification C:\Users\Public\Desktop\desktop.ini
- File opened for modification C:\Users\Public\Documents\desktop.ini
- File opened for modification C:\Users\Public\Videos\desktop.ini
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
- 5748 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
- 5748 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process (45 entries: 3 for vssvc.exe, then the same 21 tokens recorded twice for WMIC.exe; tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names, which in winnt.h are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
- Token: SeBackupPrivilege 2516 vssvc.exe
- Token: SeRestorePrivilege 2516 vssvc.exe
- Token: SeAuditPrivilege 2516 vssvc.exe
- Token: SeIncreaseQuotaPrivilege 5256 WMIC.exe
- Token: SeSecurityPrivilege 5256 WMIC.exe
- Token: SeTakeOwnershipPrivilege 5256 WMIC.exe
- Token: SeLoadDriverPrivilege 5256 WMIC.exe
- Token: SeSystemProfilePrivilege 5256 WMIC.exe
- Token: SeSystemtimePrivilege 5256 WMIC.exe
- Token: SeProfSingleProcessPrivilege 5256 WMIC.exe
- Token: SeIncBasePriorityPrivilege 5256 WMIC.exe
- Token: SeCreatePagefilePrivilege 5256 WMIC.exe
- Token: SeBackupPrivilege 5256 WMIC.exe
- Token: SeRestorePrivilege 5256 WMIC.exe
- Token: SeShutdownPrivilege 5256 WMIC.exe
- Token: SeDebugPrivilege 5256 WMIC.exe
- Token: SeSystemEnvironmentPrivilege 5256 WMIC.exe
- Token: SeRemoteShutdownPrivilege 5256 WMIC.exe
- Token: SeUndockPrivilege 5256 WMIC.exe
- Token: SeManageVolumePrivilege 5256 WMIC.exe
- Token: 33 5256 WMIC.exe
- Token: 34 5256 WMIC.exe
- Token: 35 5256 WMIC.exe
- Token: 36 5256 WMIC.exe
- Token: SeIncreaseQuotaPrivilege 5256 WMIC.exe
- Token: SeSecurityPrivilege 5256 WMIC.exe
- Token: SeTakeOwnershipPrivilege 5256 WMIC.exe
- Token: SeLoadDriverPrivilege 5256 WMIC.exe
- Token: SeSystemProfilePrivilege 5256 WMIC.exe
- Token: SeSystemtimePrivilege 5256 WMIC.exe
- Token: SeProfSingleProcessPrivilege 5256 WMIC.exe
- Token: SeIncBasePriorityPrivilege 5256 WMIC.exe
- Token: SeCreatePagefilePrivilege 5256 WMIC.exe
- Token: SeBackupPrivilege 5256 WMIC.exe
- Token: SeRestorePrivilege 5256 WMIC.exe
- Token: SeShutdownPrivilege 5256 WMIC.exe
- Token: SeDebugPrivilege 5256 WMIC.exe
- Token: SeSystemEnvironmentPrivilege 5256 WMIC.exe
- Token: SeRemoteShutdownPrivilege 5256 WMIC.exe
- Token: SeUndockPrivilege 5256 WMIC.exe
- Token: SeManageVolumePrivilege 5256 WMIC.exe
- Token: 33 5256 WMIC.exe
- Token: 34 5256 WMIC.exe
- Token: 35 5256 WMIC.exe
- Token: 36 5256 WMIC.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
- PID 5748 wrote to memory of 2236: 5748 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe, procid_target 89
- PID 5748 wrote to memory of 2236: 5748 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe, procid_target 89
- PID 2236 wrote to memory of 5256: 2236 cmd.exe, procid_target 91
- PID 2236 wrote to memory of 5256: 2236 cmd.exe, procid_target 91
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware deletes shadow copies before or during encryption so that files cannot be restored from them; here the sample spawns cmd.exe and WMIC.exe to delete a single shadow copy selected by ID (see Processes) rather than all copies, so a detection keyed only on vssadmin or on a "delete /all" form would miss this chain.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5748 -
[2] C:\Windows\SYSTEM32\cmd.exe (child of PID 5748)
Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{673558B5-759B-4BD5-BA52-8727D3E65B12}'" delete
- Suspicious use of WriteProcessMemory
PID:2236 -
[3] C:\Windows\System32\wbem\WMIC.exe (child of PID 2236)
Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{673558B5-759B-4BD5-BA52-8727D3E65B12}'" delete
- Suspicious use of AdjustPrivilegeToken
PID:5256
-
[1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2516
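The chain above (sample, then cmd.exe, then WMIC.exe deleting a shadow copy by ID) is the part of this report most worth turning into a detection. The following is an added example, not code from the sandbox or from the sample's authors: it runs over constructed Sysmon-style process-creation records that mirror the chain in this report and reports each shadow-copy deletion together with its ancestry, whether the root ancestor runs from a user-writable path, and which copies were targeted. The record layout, the parent PID 4321, the USER_WRITABLE path list and the benign "list brief" control are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style, fields trimmed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
SHADOW_ID = "{673558B5-759B-4BD5-BA52-8727D3E65B12}"

# Constructed records mirroring the process tree in the report; the parent PID 4321
# and the last two records (an admin merely listing shadow copies) are invented controls.
EVENTS = [
    ProcEvent(5748, 4321, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    ProcEvent(2236, 5748, r"C:\Windows\SYSTEM32\cmd.exe",
              "cmd.exe /c C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "
              "\"ID='" + SHADOW_ID + "'\" delete"),
    ProcEvent(5256, 2236, r"C:\Windows\System32\wbem\WMIC.exe",
              "C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where "
              "\"ID='" + SHADOW_ID + "'\" delete"),
    ProcEvent(6000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7001, 6000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy list brief"),
]

# Command-line shapes used to remove shadow copies: WMIC (as in this report),
# vssadmin, and the Win32_ShadowCopy WMI class driven from PowerShell.
SHADOW_DELETE = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]
GUID = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)

# Assumed list of locations from which a binary has no business deleting shadow copies.
USER_WRITABLE = re.compile(
    r"^(?:C:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|C:\\ProgramData|C:\\Windows\\Temp)\\", re.I)


def is_shadow_delete(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE)


def ancestry(events, pid):
    """Follow ppid links until the records run out; returns child first, root last."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_shadow_copy_deletion(events):
    """Return one finding per process whose command line deletes shadow copies."""
    findings = []
    for e in events:
        if not is_shadow_delete(e.cmdline):
            continue
        chain = ancestry(events, e.pid)
        root = chain[-1]
        findings.append({
            "deleter_pid": e.pid,
            "chain": [c.pid for c in reversed(chain)],
            "root_image": root.image,
            "root_in_user_writable_path": bool(USER_WRITABLE.match(root.image)),
            # Explicit copy IDs when present; a "/all" style deletion yields an empty list.
            "shadow_ids": GUID.findall(e.cmdline),
        })
    return findings


if __name__ == "__main__":
    for f in find_shadow_copy_deletion(EVENTS):
        print(f)
```

Both the cmd.exe record and the WMIC.exe record match, because cmd.exe /c carries the full WMIC command line; in a SIEM rule, collapse findings that share a root ancestor so the chain 5748 to 2236 to 5256 is raised once. Matching on the command line rather than on the image name is what keeps the rule from missing the GUID-selected deletion shown in this report.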
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
1KB
MD5
ca19ceff115a711c97c33cbf96689799
SHA1
961db57bf552f85d3d39e45c22d4a9caf37c3ad3
SHA256
b9c01687b6ecedaa599818cc316b6a10894cc076bdddd88c961c2ef2cc205a9d
SHA512
b2e894687fedf476db5ef99b3ba3b1ff5c800bd065f7208328ea8fc45c5b5696517f66addde1485a7a229b29baa83d9d183157ef5d50b2145f3371f2396a952f