Analysis
-
max time kernel
35s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
07-08-2023 20:43
Errors
Reason
Machine shutdown
General
-
Target
rufus.exe
-
Size
1.2MB
-
MD5
9b46fd720844076511d94496aac2b47f
-
SHA1
5be995e55f304e753116c5d38bac665a51539ebd
-
SHA256
9635c91adf7f8ee699b4b1b63d7342f3c732dfea9896cc0a67d9789b08577b5f
-
SHA512
2eb03c14a9824fc941073433921a984f34d82025544fc933bcdbc0ba4eb031e827eea178297cd3af9ad56cd806acbea5d69b9faa033a56c16b8e01d608b18730
-
SSDEEP
24576:oU1QcXKGCqN80AkGDU77N973AiZza4Wm7ZgqvenydUCAxik:oUNxH7N9zAV6YxP
Score
10/10
Malware Config
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Black Basta payload 3 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rufus.exe"C:\Users\Admin\AppData\Local\Temp\rufus.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rufus.exeOMC_BC2⤵
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet3⤵
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\SysNative\bcdedit.exe /set safeboot network3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -f -t 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3943855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
584KB