Analysis

  • max time kernel
    103s
  • max time network
    106s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/05/2025, 10:00

General

  • Target

    2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe

  • Size

    1.8MB

  • MD5

    7dd26568049fac1b87f676ecfaac9ba0

  • SHA1

    bb79502d301ba77745b7dbc5df4269fc7b074cda

  • SHA256

    a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9

  • SHA512

    c2b2f9e4fac7564314de2303ac679f7815633cac9ad049b22cef523c6d42b7314c1a79cc15d002fd092ffb59efe8e1ea5730aa81c1b3b8891d191393c7cafdd8

  • SSDEEP

    24576:RwC4IajeMNGoo0spYgY9dMdzXhJulI8pSDiEik1ggICx8mqdsoP+7UI+gGm4Zdlg:RZ5DqQ0P3Ij

Malware Config

Extracted

Path

C:\Users\Public\R3ADM3.txt

Ransom Note

YOUR ALL DATA HAVE BEEN ENCRYPTED!
We have encrypted your side entire data. The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program, you must contact us. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free when you contact us.
You Only Have 7 Days To Contact Us!
How to contact us
1. Download "Tor Browser" and install it.
2. In the "Tor Browser" open this site here : http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion
3. After login with below Client ID to this site and contact Manger
Client ID : 681ded4c9edfa0e65fca67c8
You need to contact "Manager" to recover all your data successfully.
!!!DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
And also you can get info about us below this url.
Data publish : http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion
Don't share your client ID with the third-party guys, you can get scammed by fake decryptors.
!!!DANGER !!!
URLs

http://jzbhtsuwysslrzi2n5is3gmzsyh6ayhm7jt3xowldhk7rej4dqqubxqd.onion

http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion

Signatures

  • Renames multiple (1794) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5D071824-99E8-45D2-B3E0-72700A95821C}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5D071824-99E8-45D2-B3E0-72700A95821C}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3192
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1940

Network

Downloads

  • C:\Users\Public\R3ADM3.txt

    Filesize
    1KB

    MD5
    ca19ceff115a711c97c33cbf96689799

    SHA1
    961db57bf552f85d3d39e45c22d4a9caf37c3ad3

    SHA256
    b9c01687b6ecedaa599818cc316b6a10894cc076bdddd88c961c2ef2cc205a9d

    SHA512
    b2e894687fedf476db5ef99b3ba3b1ff5c800bd065f7208328ea8fc45c5b5696517f66addde1485a7a229b29baa83d9d183157ef5d50b2145f3371f2396a952f

  • memory/3508-0-0x00007FF7E67D0000-0x00007FF7E6A4E000-memory.dmp

    Filesize
    2.5MB

  • memory/3508-5018-0x00007FF7E67D0000-0x00007FF7E6A4E000-memory.dmp

    Filesize
    2.5MB