blackbasta | 9635c91adf7f8ee699b4b1b63d7342f3c732dfea9896cc0a67d9789b08577b5f

Reason

Machine shutdown

General

Target

rufus.exe
Size

1.2MB
MD5

9b46fd720844076511d94496aac2b47f
SHA1

5be995e55f304e753116c5d38bac665a51539ebd
SHA256

9635c91adf7f8ee699b4b1b63d7342f3c732dfea9896cc0a67d9789b08577b5f
SHA512

2eb03c14a9824fc941073433921a984f34d82025544fc933bcdbc0ba4eb031e827eea178297cd3af9ad56cd806acbea5d69b9faa033a56c16b8e01d608b18730
SSDEEP

24576:oU1QcXKGCqN80AkGDU77N973AiZza4Wm7ZgqvenydUCAxik:oUNxH7N9zAV6YxP

Score

10^/10

blackbasta evasion ransomware

Malware Config

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta

Black Basta payload 3 IoCs

resource	yara_rule
behavioral2/memory/4052-133-0x0000000000900000-0x0000000000992000-memory.dmp	family_blackbasta
behavioral2/memory/4052-138-0x0000000000900000-0x0000000000992000-memory.dmp	family_blackbasta
behavioral2/memory/4052-142-0x0000000000900000-0x0000000000992000-memory.dmp	family_blackbasta

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1288	bcdedit.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg"	rufus.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 4052	4328	rufus.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3764	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon	rufus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta	rufus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	rufus.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeShutdownPrivilege	2256	shutdown.exe
Token: SeRemoteShutdownPrivilege	2256	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4084	LogonUI.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4328 wrote to memory of 4052	4328	rufus.exe	89
PID 4052 wrote to memory of 4888	4052	rufus.exe	91
PID 4052 wrote to memory of 4888	4052	rufus.exe	91
PID 4052 wrote to memory of 4888	4052	rufus.exe	91
PID 4888 wrote to memory of 3764	4888	cmd.exe	93
PID 4888 wrote to memory of 3764	4888	cmd.exe	93
PID 4052 wrote to memory of 5028	4052	rufus.exe	96
PID 4052 wrote to memory of 5028	4052	rufus.exe	96
PID 4052 wrote to memory of 5028	4052	rufus.exe	96
PID 4052 wrote to memory of 1288	4052	rufus.exe	98
PID 4052 wrote to memory of 1288	4052	rufus.exe	98
PID 4052 wrote to memory of 4204	4052	rufus.exe	101
PID 4052 wrote to memory of 4204	4052	rufus.exe	101
PID 4052 wrote to memory of 4204	4052	rufus.exe	101
PID 4204 wrote to memory of 2256	4204	cmd.exe	103
PID 4204 wrote to memory of 2256	4204	cmd.exe	103
PID 4204 wrote to memory of 2256	4204	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\rufus.exe
"C:\Users\Admin\AppData\Local\Temp\rufus.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\rufus.exe
  OMC_BC
  2⤵
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\vssadmin.exe
      C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
    3⤵
    PID:5028
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\SysNative\bcdedit.exe /set safeboot network
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -f -t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3943855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-133-0x0000000000900000-0x0000000000992000-memory.dmp

Filesize
584KB

Download
memory/4052-138-0x0000000000900000-0x0000000000992000-memory.dmp

Filesize
584KB

Download
memory/4052-142-0x0000000000900000-0x0000000000992000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads