Analysis
-
max time kernel
17s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-08-2024 19:50
Static task
static1
Behavioral task
behavioral1
Sample
3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe
Resource
win11-20240802-en
General
-
Target
3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe
-
Size
928KB
-
MD5
2dc4adf06247b4ed9031a53ef910626c
-
SHA1
789437e946b3e8d1ccd14ee70e42c7d89ba054b2
-
SHA256
3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e
-
SHA512
9e6eaa4b27e2d6bc1306c33e74465256fab086972680d3a0014cafca8f22bbf865ffaa0f81332ffef83287252faf2ca0c7f369d11412b19ffb57e8e72ea5e0ae
-
SSDEEP
24576:oUY29aeV/XqzB+qv6w8zJx/W2nz9dPOmX:oUYMPqzFvT8/W2nznP
Malware Config
Signatures
-
Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dlaksjdoiwq.jpg" 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1524 1116 WerFault.exe 80 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4352 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.basta 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.basta\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 5012 vssvc.exe Token: SeRestorePrivilege 5012 vssvc.exe Token: SeAuditPrivilege 5012 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1116 wrote to memory of 844 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 83 PID 1116 wrote to memory of 844 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 83 PID 1116 wrote to memory of 844 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 83 PID 844 wrote to memory of 4352 844 cmd.exe 85 PID 844 wrote to memory of 4352 844 cmd.exe 85 PID 1116 wrote to memory of 2924 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 88 PID 1116 wrote to memory of 2924 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 88 PID 1116 wrote to memory of 2924 1116 3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe 88 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe"C:\Users\Admin\AppData\Local\Temp\3d8713641264c41cd6784c5569c1447299fba88633070e40e70bb3ae2b4c5a4e.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 5722⤵
- Program crash
PID:1524
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1116 -ip 11161⤵PID:4264