Analysis

  • max time kernel
    19s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-04-2022 20:20

General

  • Target

    5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe

  • Size

    563KB

  • MD5

    3f400f30415941348af21d515a2fc6a3

  • SHA1

    bd0bf9c987288ca434221d7d81c54a47e913600a

  • SHA256

    5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa

  • SHA512

    0d4c3ee8807bbbf635ce2d1ce1b747c23cc2724ff999580169e5514c7c97109083bea169bd6a5f8be35f3b679bb8446839fcc7a38f78503658eda306bec69154

  • SSDEEP

    12288:TFx0B/O7JxPzW9JPlHKtxYRkG7zLfpXE6SbJ:Rx7zW9JPlGskG1v

Malware Config

Signatures

  • Black Basta

    A ransomware family targeting Windows and Linux ESXi first seen in February 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
    "C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe"
    1⤵
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
      2⤵
        PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set safeboot network
        2⤵
          PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\bcdedit.exe /set safeboot network
          2⤵
            PID:3864
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\bcdedit.exe /set safeboot network
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3348
            • C:\Windows\system32\bcdedit.exe
              C:\Windows\SysNative\bcdedit.exe /set safeboot network
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:2848
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown -r -f -t 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3212
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1900
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:4960

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads