Analysis
-
max time kernel
10s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07-02-2023 18:38
Behavioral task
behavioral1
Sample
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe
-
Size
563KB
-
MD5
3f400f30415941348af21d515a2fc6a3
-
SHA1
bd0bf9c987288ca434221d7d81c54a47e913600a
-
SHA256
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
-
SHA512
0d4c3ee8807bbbf635ce2d1ce1b747c23cc2724ff999580169e5514c7c97109083bea169bd6a5f8be35f3b679bb8446839fcc7a38f78503658eda306bec69154
-
SSDEEP
12288:TFx0B/O7JxPzW9JPlHKtxYRkG7zLfpXE6SbJ:Rx7zW9JPlGskG1v
Malware Config
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 2944 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5076 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeBackupPrivilege 204 vssvc.exe Token: SeRestorePrivilege 204 vssvc.exe Token: SeAuditPrivilege 204 vssvc.exe Token: SeShutdownPrivilege 1392 shutdown.exe Token: SeRemoteShutdownPrivilege 1392 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2640 LogonUI.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2088 wrote to memory of 1840 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 81 PID 2088 wrote to memory of 1840 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 81 PID 2088 wrote to memory of 1840 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 81 PID 1840 wrote to memory of 5076 1840 cmd.exe 83 PID 1840 wrote to memory of 5076 1840 cmd.exe 83 PID 2088 wrote to memory of 3740 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 2088 wrote to memory of 3740 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 2088 wrote to memory of 3740 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 86 PID 2088 wrote to memory of 1440 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 88 PID 2088 wrote to memory of 1440 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 88 PID 2088 wrote to memory of 1440 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 88 PID 2088 wrote to memory of 752 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 2088 wrote to memory of 752 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 2088 wrote to memory of 752 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 91 PID 2088 wrote to memory of 2148 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 2088 wrote to memory of 2148 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 2088 wrote to memory of 2148 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 93 PID 2148 wrote to memory of 2944 2148 cmd.exe 95 PID 2148 wrote to memory of 2944 2148 cmd.exe 95 PID 2088 wrote to memory of 540 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 96 PID 2088 wrote to memory of 540 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 96 PID 2088 wrote to memory of 540 2088 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe 96 PID 540 wrote to memory of 1392 540 cmd.exe 98 PID 540 wrote to memory of 1392 540 cmd.exe 98 PID 540 wrote to memory of 1392 540 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe"C:\Users\Admin\AppData\Local\Temp\5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa.exe"1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:5076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet2⤵PID:3740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set safeboot network2⤵PID:1440
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\bcdedit.exe /set safeboot network2⤵PID:752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\bcdedit.exe /set safeboot network2⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\system32\bcdedit.exeC:\Windows\SysNative\bcdedit.exe /set safeboot network3⤵
- Modifies boot configuration data using bcdedit
PID:2944
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 02⤵
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -f -t 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:204
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39dd855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2640