blackbasta | 48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb

Reason

Machine shutdown

General

Target

48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe
Size

555KB
MD5

eff424376edca5680b90ea9fedad163d
SHA1

3c13c1e54d2d7991c1c3452ae89888a8e7a47763
SHA256

48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb
SHA512

5acc904da2b8f3371a5696194b4a6fa7c3e735b0bbe74a507efb56782e6fc604f9bd3abf7a3af5f57325c7115de3ac9cd499086430d0d4fbe81b46a57539f068
SSDEEP

12288:Y4LNVuczF0QdQsJlehKRwYgJcViFYvgNv+5jGbRFhVoj4d:xvn2sJlBRwYgJcVNE+5jU8j4

Score

10^/10

blackbasta evasion ransomware

Malware Config

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
920	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2304	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	4936	vssvc.exe
Token: SeRestorePrivilege	4936	vssvc.exe
Token: SeAuditPrivilege	4936	vssvc.exe
Token: SeShutdownPrivilege	1792	shutdown.exe
Token: SeRemoteShutdownPrivilege	1792	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4416	LogonUI.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2200	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	82
PID 3192 wrote to memory of 2200	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	82
PID 3192 wrote to memory of 2200	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	82
PID 2200 wrote to memory of 2304	2200	cmd.exe	84
PID 2200 wrote to memory of 2304	2200	cmd.exe	84
PID 3192 wrote to memory of 4332	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	87
PID 3192 wrote to memory of 4332	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	87
PID 3192 wrote to memory of 4332	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	87
PID 3192 wrote to memory of 920	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	89
PID 3192 wrote to memory of 920	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	89
PID 3192 wrote to memory of 1004	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	93
PID 3192 wrote to memory of 1004	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	93
PID 3192 wrote to memory of 1004	3192	48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe	93
PID 1004 wrote to memory of 1792	1004	cmd.exe	94
PID 1004 wrote to memory of 1792	1004	cmd.exe	94
PID 1004 wrote to memory of 1792	1004	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe
"C:\Users\Admin\AppData\Local\Temp\48976d7bf38cca4e952507e9ab27e3874ca01092eed53d0fde89c5966e9533bb.exe"
1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:4332
- C:\Windows\system32\bcdedit.exe
  C:\Windows\SysNative\bcdedit.exe /set safeboot network
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39cd055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4416