Analysis
-
max time kernel
19s -
max time network
68s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-04-2022 20:20
Static task
static1
Behavioral task
behavioral1
Sample
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
Resource
win10v2004-20220414-en
General
-
Target
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
-
Size
563KB
-
MD5
3f400f30415941348af21d515a2fc6a3
-
SHA1
bd0bf9c987288ca434221d7d81c54a47e913600a
-
SHA256
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
-
SHA512
0d4c3ee8807bbbf635ce2d1ce1b747c23cc2724ff999580169e5514c7c97109083bea169bd6a5f8be35f3b679bb8446839fcc7a38f78503658eda306bec69154
-
SSDEEP
12288:TFx0B/O7JxPzW9JPlHKtxYRkG7zLfpXE6SbJ:Rx7zW9JPlGskG1v
Malware Config
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 2848 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3284 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "82" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeBackupPrivilege 1900 vssvc.exe Token: SeRestorePrivilege 1900 vssvc.exe Token: SeAuditPrivilege 1900 vssvc.exe Token: SeShutdownPrivilege 3212 shutdown.exe Token: SeRemoteShutdownPrivilege 3212 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4960 LogonUI.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4780 wrote to memory of 3328 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 4780 wrote to memory of 3328 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 4780 wrote to memory of 3328 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 3328 wrote to memory of 3284 3328 cmd.exe 88 PID 3328 wrote to memory of 3284 3328 cmd.exe 88 PID 4780 wrote to memory of 2516 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 4780 wrote to memory of 2516 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 4780 wrote to memory of 2516 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 4780 wrote to memory of 2912 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 4780 wrote to memory of 2912 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 4780 wrote to memory of 2912 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 4780 wrote to memory of 3864 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 95 PID 4780 wrote to memory of 3864 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 95 PID 4780 wrote to memory of 3864 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 95 PID 4780 wrote to memory of 3348 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 98 PID 4780 wrote to memory of 3348 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 98 PID 4780 wrote to memory of 3348 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 98 PID 3348 wrote to memory of 2848 3348 cmd.exe 100 PID 3348 wrote to memory of 2848 3348 cmd.exe 100 PID 4780 wrote to memory of 3584 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 101 PID 4780 wrote to memory of 3584 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 101 PID 4780 wrote to memory of 3584 4780 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 101 PID 3584 wrote to memory of 3212 3584 cmd.exe 103 PID 3584 wrote to memory of 3212 3584 cmd.exe 103 PID 3584 wrote to memory of 3212 3584 cmd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe"C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe"1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet2⤵PID:2516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set safeboot network2⤵PID:2912
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\bcdedit.exe /set safeboot network2⤵PID:3864
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\bcdedit.exe /set safeboot network2⤵
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\system32\bcdedit.exeC:\Windows\SysNative\bcdedit.exe /set safeboot network3⤵
- Modifies boot configuration data using bcdedit
PID:2848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 02⤵
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -f -t 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4960