Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:14

General

  • Target
    2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
  • Size
    3.5MB
  • MD5
    5d6942bd6a9ccfb91decd41c99f5da06
  • SHA1
    5f370b021d18c8370d12bd174a020aab2eb2cbbc
  • SHA256
    92303b9b7a0262fd2c3abeecfd095c1c98f668c4770fcf938a6f616df6512167
  • SHA512
    8283f4bf76cba484f52eb8db7ded58abb6b23d3a185574ddf0dfa44de58819895cd6d432e32a34fd2c9192e062f7262a743204016a85e44783433956a83d3f15
  • SSDEEP
    49152:E3vmHGcnO2EvU/bMvo/SHEif5YL8NnjSTjNCWTPp8N7s8SJGV:kTvUko/Sz6j0I8Ni4

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5284
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe"
            4⤵
            • Executes dropped EXE
            PID:5892
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5500
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5332
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5372
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3876

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 582KB
    MD5: e91aad40a128091cfee6656529c83627
    SHA1: d3825464c21121efc5af7055d5f518b3c54571fd
    SHA256: 201ce0df64df1d7550a74ee7ea3ecf6a7c490a56097c58fbef5c0e35109f3d15
    SHA512: 8cccf9079ecb12138a5050eef040e3a9db505c34f9be26bdbd41a3b12cb73621e1857226fb880516157d6d8bf88dfa4bd2effdbef4abbd66d576d1048cc49138

  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
    Filesize: 488KB
    MD5: 82f6aefcb50e9692e917d67101816fce
    SHA1: 77f7f24b24b32ad2961c5741785411b9f8837f3d
    SHA256: 856e8e1c084f2cb0a8c4f37ebfa5464baaaace15561c0b45c84aea77aa403185
    SHA512: 8f63f6515abd3ce603cfbe0c76e4c4c7e3b86a55da32caf1ffb5dd981b3d7f4e941d6cb73bc4839ecc6de143388cf1702338e10cd0e84cbf37b3eccf8e341be6

  • C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat
    Filesize: 776B
    MD5: 70bccc554409f28008eeaabaa5c5b64e
    SHA1: f08354f19d8b5576c9591ae358ec3810d9eae655
    SHA256: b91496d0e4b675430b75f55d2d3417f481beb3105ca082a41434a40345f16a99
    SHA512: 8c0713e514d05b6bb72a35896e356d69b354090b5d1b0d81504deb5249545beabf40e647b7aed906d56b83c9bfd71284649f9fa068dbaf56817654b7b6aa89ba

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_5d6942bd6a9ccfb91decd41c99f5da06_black-basta_elex_hijackloader.exe.exe
    Filesize: 3.4MB
    MD5: d54e48d4768da60c8c28af49d2862ee7
    SHA1: f8b3c4da6f32415b818620e72ab336c61718c513
    SHA256: dfe2196b65b511c1be709d705825603d40508ba6e918b8060c191773bbdec837
    SHA512: a15bed6fae6b2cd461fc5a62ad6418fe01ada1f53ea7bd917afdb86290c9a931510834da369aeb1b543d344c4ddaacb547d389a681ab2c1e868830a7fd4b679d

  • C:\Windows\Logo1_.exe
    Filesize: 33KB
    MD5: 7de07edab6197ce57b13d5c2023b50f0
    SHA1: 7ab332534cd3d48520a12b64288d0acd084b8af7
    SHA256: 9869744e834a5c91ec81d61a5ca28519d54729961647c1bf598a51df6b0b8a46
    SHA512: 30bd587b3dec96ec7a9a0f5a5213b83f9fabfcc26d31d886a30f9820e627af9e6477a6c2491a5be62aa50d993329ab6510a8b05df4e633fe08286f0d474c5ea1

  • F:\$RECYCLE.BIN\S-1-5-21-3951986358-4006919840-1009690842-1000\_desktop.ini
    Filesize: 8B
    MD5: 6ef23bccadc81fb82d7eeecab7166eed
    SHA1: 379fb55375f791483209d02402c6c359fe6afc12
    SHA256: da5498ac44fd5b5f97353e6f28c673c28985ae25330f183b90a1a20b4bf4e85a
    SHA512: 6e10f0bfc5983272d128dfe59f9868a59098e8ae388e55a0ab9f25d85b1c979728b295f39bef985bb7ef8ff1bc9b14c5f315ead269b8cefb4aaa2e82ca0cf5b1

  • memory/2700-10-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/2700-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/5500-18-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/5500-1659-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/5500-11-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/5500-6990-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB

  • memory/5500-10130-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize: 244KB