Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:09

General

  • Target
    2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
  • Size
    1.7MB
  • MD5
    e37be1089c7fab683aad8eba3d1056b1
  • SHA1
    553834e528d3c3e08057a3825cf63fa7687c13a3
  • SHA256
    273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8
  • SHA512
    b31c32bb72f7911c8b2e3c12508d5a9e887d60eff4cfde68b374cfe3892b6490217bdd1017ed50b1e1d0d6e40386df73fa3b8b04e57e5dcd1c994060a80fe3a9
  • SSDEEP
    24576:SmzSJw6X23ttqFjSxeEY3oouRRdL+wf40m9v17YDdOJyAUw61+:SmzSJw/eEY3aj5TfDm9N7GdOQZ1

Malware Config

Signatures

  • Renames multiple (257) files with added filename extension
    This suggests ransomware activity: encrypting all the files on the system.
  • Drops file in Drivers directory (3 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar data.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CBF.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
            4⤵
            • Executes dropped EXE
            PID:4712
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3276
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1880
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\uninstall\rundl132.exe
          C:\Windows\uninstall\rundl132.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4240

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX2F41.tmp
    Filesize: 94KB
    MD5: 42abd6418c18632af368b5f00d30ed6b
    SHA1: 24c4ffbbc4a2f1aa8639fc06bf378c8fadaea939
    SHA256: eedef1c34f09db98366600f36622049a2d7572f7ce92d1b3a8d504f8806a4bbd
    SHA512: af420b0c8736f40994b14e576cc7acb661442a13036d6fab8dcffbcde2a1a786d4c9d5efa116e4e21d5de108c3d4f39a32e02d53b78218396eb7681731a99b88
  • C:\Program Files (x86)\Google\Update\RCX2FF3.tmp
    Filesize: 91KB
    MD5: 1fba2715ae2d2ce107c85ac8606e36e5
    SHA1: 2b5272f8aab4f4ea246dc923c2090371dc4cb921
    SHA256: 649f9b5ff0e324ddb544058c9bad0872e89a72766b8abf0840dbb504bcb8099f
    SHA512: 2410930a03a5577eb899bbbae7b100c3793765c27dca2356693095632834dc402c99f8f60c995c32b09044ab65dcf4d3d4931d37a3cd726eaeb1f050a978fa09
  • C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX30F4.tmp
    Filesize: 103KB
    MD5: cf1795d577bbf2e80bf0efd93d91effa
    SHA1: dea26943ec8212f5d8ffa8880e04cc80f49f765a
    SHA256: 93103455a5ba410d2a730c3a453d4fb21ca9b3cb3841f08ff4ecb2aa95b181a4
    SHA512: 8998c2fa87e009b206b5e17a5e00a32886b9c8963255401f5ee29d21050ff1cc959448cc3aa7b02a2b0e35d292919697063ee86542d3c48fe13439dc67867154
  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\RCX3044.tmp
    Filesize: 118KB
    MD5: dde25734ea4e682bea092bbabae511c5
    SHA1: 869c1d3c957e51e80393d00156be1b52046e5da9
    SHA256: bff943ae1447badd683a293249a81ecc438dbd9100b98aa7b0b910d8e3bfb906
    SHA512: 1d4758ab813cf248ff7c5d7f927984708e73216072532bdcc23770af99172a63c665b3ab23b45b5cdda12d848b9f0bf82a5cff86ccad8acb8b22c76b206c1864
  • C:\Program Files (x86)\Mozilla Maintenance Service\RCX32D1.tmp
    Filesize: 100KB
    MD5: e65d32f7b7fdd5d71b47bb0d978be3fb
    SHA1: 610cf8160c9be206a03e214c1817375d3d00d35a
    SHA256: 42afb65cf5e2135050a35c36171195f1ba6b5c34b9e920b0b9edb907c5de420e
    SHA512: c33bbeb02077828a3bd7ed7861768373523c205f3dd53e9e69b7a7dcd9f665ded4eb857be7398d8af7abb08a5065a2dd457272f3d3b10d850d181e2fc20db352
  • C:\Program Files\7-Zip\RCX220C.tmp
    Filesize: 91KB
    MD5: 4389811b49284e06042f88e80b46d0c3
    SHA1: 1ae13c15927cee471080e1f57458e8484938ed30
    SHA256: a53608ecec5158f888a3ce8363f9b71839495656104717281a817678b01fe70c
    SHA512: bcbdb71f5c87922da1b44a310cc7d60f546883eea530d4fbb73f61a09b363dfaaf47f078f7d65f8a63b09566f73a7c937e6e0d3f8a04ff119efcc7168321e49b
  • C:\Program Files\Java\jdk-1.8\bin\RCX22FC.tmp
    Filesize: 92KB
    MD5: 31ee44bbaab8e799a8c8481ceb1fc3dc
    SHA1: d2032040b871a6bde19411132a9303c0c80041a1
    SHA256: 6852953f0de0f88dce6964f5eee76f1da94ddaf83bea292b3dc2be0f92d51aca
    SHA512: b0fd36658523e6de9566586778d7f9fc5209745278bb84dc9b0a16d3fba429f32301b02eecb120af3fb82004e04f816f6d2d7ff3be7ff437eadf2a8a6285ec40
  • C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.Exe
    Filesize: 4.3MB
    MD5: 8553786eeb74ad0108cbc6088633f422
    SHA1: 1c126143005ae9698904e637d7a71c42ae55583e
    SHA256: 12dc8fb700d3a68b22d66fa0866ed50db715c7aa707d0bf5bac390102337e7c0
    SHA512: 9e2cc02842391f282e302a11e817b926e907111d5507fae433dfc29b037d52d89f5c2d4b3bbe46501f1e61ba3527663446354ff8394b7ec1efb8c405c22e7545
  • C:\Program Files\Mozilla Firefox\RCX261E.tmp
    Filesize: 91KB
    MD5: cc25207fbe38a021e4888d2f74f1521b
    SHA1: 38baa7e66b2e3b13e3305422a56d7e02116a696d
    SHA256: d27d7402232716b563183e79023aed19d240952326cb8c97e50cfd89a874b438
    SHA512: 6f0c4d35697dfa68387a6fd9e7fb98c97b630d440ac490819fee6924be093dbaba13df41dc7f23cc0c23ab427b6f4cdefa28350ef70f7727cc24d858936ad421
  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX36F8.tmp
    Filesize: 92KB
    MD5: ae140b54368c51b6e8930493db4cee22
    SHA1: 52064bf58c1d9fb9f463587213b78f345375c924
    SHA256: b0a46de4ecd585d695d00b6e952b01c6933034d3e4de47093bb42cd7d0f302e5
    SHA512: ebadc7c358a041d700e4248e0ee5fe306d9fa24de59df3c2cc531eee331b696daf5cb0d99fbd9fc8c25765b850397aa3e7205f7d376d42b2c29ab69c061c976e
  • C:\Users\Admin\AppData\Local\Temp\$$a8CBF.bat
    Filesize: 830B
    MD5: b792e02cc89f64619452eb4f4e5e15d2
    SHA1: 6424b29546fd3fbccd736a945f4ca03f326dc424
    SHA256: 3d6def87069cd7200c95d1f13b4ed820279235f50daf2eca0187725c1373f41e
    SHA512: 8f1d8b2b21b6b3919c5c7ae7dd552c3c78f2d6e8339a680ac4ec4f0765005eab241d1201a1b9b8c977517763ed93de985039e6345fb6129c78567543e4a98a51
  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe.exe
    Filesize: 1.7MB
    MD5: cca5f1a4afe1a8c35b880549b7c63a81
    SHA1: 0a9e9f2b3eec58b0e5ddcdb0ec87777334ed2976
    SHA256: 0e466adcd2306c77b3b56c2b117efb948f022d2d2a9e153cbfa23632f7332efe
    SHA512: f844c5a42204947a10aaaaa7a6ae24cabd6f8e8802c12050a5ec4f8b1edb6f011317a78c902a31a4801e4087a1dc54458a5d36190fc5f6d855c278eb1e86fefc
  • C:\Windows\Logo1_.exe
    Filesize: 93KB
    MD5: 158256700cf45ccb837c95bdcc23deb9
    SHA1: 15015b19f7de288090b945bf41565aad334206e9
    SHA256: a3e00a8beb5ae7fac43bd717d283691286141d3cf038d90630849dd21d1baa1a
    SHA512: 67c4e13f7e4b44b932f6e588adce291df60749d9e183b169e7b48d812e3d99b5afb11fddc625fe9c38f88795a86e815c3d9171ccfd768a10fad14653e0a45aa6
  • C:\Windows\system32\drivers\etc\hosts
    Filesize: 842B
    MD5: 6f4adf207ef402d9ef40c6aa52ffd245
    SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
    SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
    SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
  • memory/1972-10-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3276-20-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3276-663-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3276-1314-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4240-14-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB