Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:09

General

  • Target

    2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe

  • Size

    1.7MB

  • MD5

    e37be1089c7fab683aad8eba3d1056b1

  • SHA1

    553834e528d3c3e08057a3825cf63fa7687c13a3

  • SHA256

    273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8

  • SHA512

    b31c32bb72f7911c8b2e3c12508d5a9e887d60eff4cfde68b374cfe3892b6490217bdd1017ed50b1e1d0d6e40386df73fa3b8b04e57e5dcd1c994060a80fe3a9

  • SSDEEP

    24576:SmzSJw6X23ttqFjSxeEY3oouRRdL+wf40m9v17YDdOJyAUw61+:SmzSJw/eEY3aj5TfDm9N7GdOQZ1

Malware Config

Signatures

  • Renames multiple (256) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:6100
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
            4⤵
            • Executes dropped EXE
            PID:3172
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3092
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5780
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6092
        • C:\Windows\uninstall\rundl132.exe
          C:\Windows\uninstall\rundl132.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5288

Network

MITRE ATT&CK Enterprise v16

Downloads

          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX1984.tmp

            Filesize

            156KB

            MD5

            c41bb9cefac868d0fa09898933b44049

            SHA1

            b6034d44fbd235d92ac5a8dc5cc1af21d3e88086

            SHA256

            a689b767857bf0b1b30b8c7d243782c6b26e660b022073b3ec564f5d23a278cb

            SHA512

            029af8ebc2631d0362ce52cb0bcbbce57a86d7985324701783db85d1247503188b6dc8feffff2067a9b11598f8b30606c79855a6ff741bdf05c1b98501323cd9

          • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX1B8A.tmp

            Filesize

            94KB

            MD5

            42abd6418c18632af368b5f00d30ed6b

            SHA1

            24c4ffbbc4a2f1aa8639fc06bf378c8fadaea939

            SHA256

            eedef1c34f09db98366600f36622049a2d7572f7ce92d1b3a8d504f8806a4bbd

            SHA512

            af420b0c8736f40994b14e576cc7acb661442a13036d6fab8dcffbcde2a1a786d4c9d5efa116e4e21d5de108c3d4f39a32e02d53b78218396eb7681731a99b88

          • C:\Program Files (x86)\Google\Update\RCX1C1D.tmp

            Filesize

            91KB

            MD5

            1fba2715ae2d2ce107c85ac8606e36e5

            SHA1

            2b5272f8aab4f4ea246dc923c2090371dc4cb921

            SHA256

            649f9b5ff0e324ddb544058c9bad0872e89a72766b8abf0840dbb504bcb8099f

            SHA512

            2410930a03a5577eb899bbbae7b100c3793765c27dca2356693095632834dc402c99f8f60c995c32b09044ab65dcf4d3d4931d37a3cd726eaeb1f050a978fa09

          • C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX1D1E.tmp

            Filesize

            103KB

            MD5

            cf1795d577bbf2e80bf0efd93d91effa

            SHA1

            dea26943ec8212f5d8ffa8880e04cc80f49f765a

            SHA256

            93103455a5ba410d2a730c3a453d4fb21ca9b3cb3841f08ff4ecb2aa95b181a4

            SHA512

            8998c2fa87e009b206b5e17a5e00a32886b9c8963255401f5ee29d21050ff1cc959448cc3aa7b02a2b0e35d292919697063ee86542d3c48fe13439dc67867154

          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\RCX1C6D.tmp

            Filesize

            118KB

            MD5

            dde25734ea4e682bea092bbabae511c5

            SHA1

            869c1d3c957e51e80393d00156be1b52046e5da9

            SHA256

            bff943ae1447badd683a293249a81ecc438dbd9100b98aa7b0b910d8e3bfb906

            SHA512

            1d4758ab813cf248ff7c5d7f927984708e73216072532bdcc23770af99172a63c665b3ab23b45b5cdda12d848b9f0bf82a5cff86ccad8acb8b22c76b206c1864

          • C:\Program Files\7-Zip\RCXF3E.tmp

            Filesize

            91KB

            MD5

            15beeb489f50a52c6c383d9ba297a30f

            SHA1

            ebf6f2ddbcf4906de755c33439aba8d6129c4412

            SHA256

            2011a62b52abbf698504bb5acda15d7fe115ed464311a80f5ae7a49cc3367133

            SHA512

            78c3f1d7872f2f9c331c6bc15f96b4d30e698a9ff2dfd0f2514ef1eccfcae148cb889806bd88f0b33f6c247d425da2329771187aa84c7c9c49b79b968bd7d8b9

          • C:\Program Files\Java\jdk-1.8\bin\RCX1001.tmp

            Filesize

            92KB

            MD5

            31ee44bbaab8e799a8c8481ceb1fc3dc

            SHA1

            d2032040b871a6bde19411132a9303c0c80041a1

            SHA256

            6852953f0de0f88dce6964f5eee76f1da94ddaf83bea292b3dc2be0f92d51aca

            SHA512

            b0fd36658523e6de9566586778d7f9fc5209745278bb84dc9b0a16d3fba429f32301b02eecb120af3fb82004e04f816f6d2d7ff3be7ff437eadf2a8a6285ec40

          • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX11C6.tmp

            Filesize

            91KB

            MD5

            815d89fb8fecaf4255602b12142f0162

            SHA1

            8977cd9e441a4af07df70c08465367d0f69866ff

            SHA256

            94928b91b3a30ac1e1c4f037ba8294943b7b2d1286df3b994c0d28d2d50a8ee7

            SHA512

            7ab583ee8d330b0a2fc71ab64649759e25858c23b707801ab5d8aa7b811ce4f37edd048728daac5b7790a11c72f744fec37dda418f7ae0adff6310592e6fa0b9

          • C:\Program Files\Mozilla Firefox\uninstall\RCX123B.tmp

            Filesize

            100KB

            MD5

            e65d32f7b7fdd5d71b47bb0d978be3fb

            SHA1

            610cf8160c9be206a03e214c1817375d3d00d35a

            SHA256

            42afb65cf5e2135050a35c36171195f1ba6b5c34b9e920b0b9edb907c5de420e

            SHA512

            c33bbeb02077828a3bd7ed7861768373523c205f3dd53e9e69b7a7dcd9f665ded4eb857be7398d8af7abb08a5065a2dd457272f3d3b10d850d181e2fc20db352

          • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.Exe

            Filesize

            545KB

            MD5

            2b080b07c5d28342b014c7af3f3b5f69

            SHA1

            62fd16564225a347fc2e6de8eb0bf5fcf487287b

            SHA256

            e5b0ca86c43d3244a8850d29173e0a016ceffe1d0f904ad8f5e5091d6bbae7b3

            SHA512

            dfeb721ec85b81d4a70444d55d17902e03f4fad2624717c84eafa63a2ee0bbaf4012cddf978e9e514f716f22dbe137a2c8911d97f8a63f6fd37ed5708b3c6bb7

          • C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat

            Filesize

            830B

            MD5

            78bd4d9c81bf1eeea16059b5b4dea671

            SHA1

            8b46b92aedb70d876dcd67d6ed23418be7f4eae5

            SHA256

            6610be08b0ee01fc2688dba0256632b1f338a8aa27e8eb97d674dde4656efda0

            SHA512

            8362d2dff9afca2e54681e1ec9aa4037be8fcf573bf2269583f5316d3fae7b0f7bb9fe49da48fbd72e20d49462205ee410a585a429e9e6070e5c2bf7391fa31d

          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe.exe

            Filesize

            1.7MB

            MD5

            cca5f1a4afe1a8c35b880549b7c63a81

            SHA1

            0a9e9f2b3eec58b0e5ddcdb0ec87777334ed2976

            SHA256

            0e466adcd2306c77b3b56c2b117efb948f022d2d2a9e153cbfa23632f7332efe

            SHA512

            f844c5a42204947a10aaaaa7a6ae24cabd6f8e8802c12050a5ec4f8b1edb6f011317a78c902a31a4801e4087a1dc54458a5d36190fc5f6d855c278eb1e86fefc

          • C:\Windows\Logo1_.exe

            Filesize

            93KB

            MD5

            158256700cf45ccb837c95bdcc23deb9

            SHA1

            15015b19f7de288090b945bf41565aad334206e9

            SHA256

            a3e00a8beb5ae7fac43bd717d283691286141d3cf038d90630849dd21d1baa1a

            SHA512

            67c4e13f7e4b44b932f6e588adce291df60749d9e183b169e7b48d812e3d99b5afb11fddc625fe9c38f88795a86e815c3d9171ccfd768a10fad14653e0a45aa6

          • C:\Windows\system32\drivers\etc\hosts

            Filesize

            842B

            MD5

            6f4adf207ef402d9ef40c6aa52ffd245

            SHA1

            4b05b495619c643f02e278dede8f5b1392555a57

            SHA256

            d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

            SHA512

            a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

          • memory/536-10-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1464-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1464-659-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1464-1317-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5288-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB