Analysis Overview
SHA256
a82e496b7b5279cb6b93393ec167dd3f50aff1557366784b25f9e51cb23689d9
Threat Level: Known bad
The file 2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta was found to be: Known bad.
Malicious Activity Summary
Renames multiple (1998) files with added filename extension
Renames multiple (1794) files with added filename extension
Drops startup file
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Unsigned PE
Browser Information Discovery
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-15 10:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 10:00
Reported
2025-05-15 10:02
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
133s
Command Line
Signatures
Renames multiple (1998) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5748 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 5748 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2236 wrote to memory of 5256 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
| PID 2236 wrote to memory of 5256 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{673558B5-759B-4BD5-BA52-8727D3E65B12}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{673558B5-759B-4BD5-BA52-8727D3E65B12}'" delete
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/5748-0-0x00007FF759B30000-0x00007FF759DAE000-memory.dmp
C:\Users\Admin\3D Objects\R3ADM3.txt
| Hash | Value |
| --- | --- |
| MD5 | ca19ceff115a711c97c33cbf96689799 |
| SHA1 | 961db57bf552f85d3d39e45c22d4a9caf37c3ad3 |
| SHA256 | b9c01687b6ecedaa599818cc316b6a10894cc076bdddd88c961c2ef2cc205a9d |
| SHA512 | b2e894687fedf476db5ef99b3ba3b1ff5c800bd065f7208328ea8fc45c5b5696517f66addde1485a7a229b29baa83d9d183157ef5d50b2145f3371f2396a952f |
memory/5748-5534-0x00007FF759B30000-0x00007FF759DAE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-15 10:00
Reported
2025-05-15 10:02
Platform
win11-20250502-en
Max time kernel
103s
Max time network
106s
Command Line
Signatures
Renames multiple (1794) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3508 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3508 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2456 wrote to memory of 3192 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
| PID 2456 wrote to memory of 3192 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_7dd26568049fac1b87f676ecfaac9ba0_black-basta.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5D071824-99E8-45D2-B3E0-72700A95821C}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5D071824-99E8-45D2-B3E0-72700A95821C}'" delete
Network
Files
memory/3508-0-0x00007FF7E67D0000-0x00007FF7E6A4E000-memory.dmp
C:\Users\Public\R3ADM3.txt
| Hash | Value |
| --- | --- |
| MD5 | ca19ceff115a711c97c33cbf96689799 |
| SHA1 | 961db57bf552f85d3d39e45c22d4a9caf37c3ad3 |
| SHA256 | b9c01687b6ecedaa599818cc316b6a10894cc076bdddd88c961c2ef2cc205a9d |
| SHA512 | b2e894687fedf476db5ef99b3ba3b1ff5c800bd065f7208328ea8fc45c5b5696517f66addde1485a7a229b29baa83d9d183157ef5d50b2145f3371f2396a952f |
memory/3508-5018-0x00007FF7E67D0000-0x00007FF7E6A4E000-memory.dmp