Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:14
Static task: static1
General
Target: 2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
Size: 3.5MB
MD5: 5d6942bd6a9ccfb91decd41c99f5da06
SHA1: 5f370b021d18c8370d12bd174a020aab2eb2cbbc
SHA256: 92303b9b7a0262fd2c3abeecfd095c1c98f668c4770fcf938a6f616df6512167
SHA512: 8283f4bf76cba484f52eb8db7ded58abb6b23d3a185574ddf0dfa44de58819895cd6d432e32a34fd2c9192e062f7262a743204016a85e44783433956a83d3f15
SSDEEP: 49152:E3vmHGcnO2EvU/bMvo/SHEif5YL8NnjSTjNCWTPp8N7s8SJGV:kTvUko/Sz6j0I8Ni4
Signatures
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (2 IoCs)
  PID 5500: Logo1_.exe
  PID 5892: 2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\Y:, \??\W:, \??\U:, \??\P:, \??\M:, \??\H:, \??\G:, \??\N:, \??\K:, \??\J:, \??\I:, \??\Q:, \??\O:, \??\L:, \??\E:, \??\X:, \??\V:, \??\T:, \??\S:, \??\R:, \??\Z:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe (2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe)
  File created: C:\Windows\Logo1_.exe (2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe)
  File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  File created: C:\Windows\Dll.dll (Logo1_.exe)
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by (in order): 2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe, net.exe, net1.exe, Logo1_.exe, net.exe, net1.exe, net.exe, net1.exe, cmd.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the raw report lists the same two process entries repeatedly)
  PID 2700: 2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
  PID 5500: Logo1_.exe
Suspicious use of WriteProcessMemory (28 IoCs; the raw report lists each relation two or three times)
  PID 2700 wrote to memory of 5284 (2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe, procid_target 84)
  PID 5284 wrote to memory of 1704 (net.exe, procid_target 86)
  PID 2700 wrote to memory of 1044 (2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe, procid_target 87)
  PID 2700 wrote to memory of 5500 (2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe, procid_target 88)
  PID 5500 wrote to memory of 2564 (Logo1_.exe, procid_target 89)
  PID 2564 wrote to memory of 5332 (net.exe, procid_target 92)
  PID 1044 wrote to memory of 5892 (cmd.exe, procid_target 93)
  PID 5500 wrote to memory of 5372 (Logo1_.exe, procid_target 94)
  PID 5372 wrote to memory of 3876 (net.exe, procid_target 96)
  PID 5500 wrote to memory of 3468 (Logo1_.exe, procid_target 56)
Processes

C:\Windows\Explorer.EXE (PID 3468)
  C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 5284)
    Command line: net stop "Kingsoft AntiVirus Service"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 1704)
      Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 1044)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe (PID 5892)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe"
      - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 5500)
    Command line: C:\Windows\Logo1_.exe
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2564)
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 5332)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe (PID 5372)
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3876)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads