Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name:HkObDPju6Z.exe
Analysis ID:886219
MD5:6441d7260944bcedc5958c5c8a05d16d
SHA1:46257982840493eca90e051ff1749e7040895584
SHA256:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
Infos:

Detection

BlackBasta
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Contains functionality to modify clipboard data
May disable shadow drive data (uses vssadmin)
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • HkObDPju6Z.exe (PID: 332 cmdline: C:\Users\user\Desktop\HkObDPju6Z.exe MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 312 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 8948 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
    • cmd.exe (PID: 3944 cmdline: cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • notepad.exe (PID: 1352 cmdline: notepad.exe c:\instructions_read_me.txt MD5: E92D3A824A0578A50D2DD81B5060145F)
  • HkObDPju6Z.exe (PID: 1508 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 3292 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 4644 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • HkObDPju6Z.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 1808 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 8264 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Black Basta"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
No configs have been found
SourceRuleDescriptionAuthorStrings
0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
    0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
      00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
        0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
          0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
            Click to see the 5 entries
            SourceRuleDescriptionAuthorStrings
            10.3.HkObDPju6Z.exe.28f0000.0.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
              14.3.HkObDPju6Z.exe.2980000.0.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                14.2.HkObDPju6Z.exe.2a90000.1.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                  10.2.HkObDPju6Z.exe.2a40000.1.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                    3.3.HkObDPju6Z.exe.2f20000.0.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                      Click to see the 5 entries
                      No Sigma rule has matched
                      No Snort rule has matched

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: HkObDPju6Z.exeReversingLabs: Detection: 59%
                      Source: HkObDPju6Z.exeVirustotal: Detection: 69%Perma Link
                      Source: HkObDPju6Z.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A7ECB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A7F280 CryptReleaseContext,
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A7F390 CryptGenRandom,CryptReleaseContext,
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02AEA750 CryptReleaseContext,
                      Source: HkObDPju6Z.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Realtek\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txt