Overview

overview

10

Static

static

BlackSun.ps1

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-09-2021 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BlackSun.ps1

  • Size

    56KB

  • MD5

    3ebab71cb71ca5c475202f401de008c8

  • SHA1

    e0afcf804394abd43ad4723a0feb147f10e589cd

  • SHA256

    e5429f2e44990b3d4e249c566fbf19741e671c0e40b809f87248d9ec9114bef9

  • SHA512

    0f748020d922ae0ace575267cbbaf80c2818e37a20f3556f4192c896b5c4c5eb270b1e6e88562bad74771bfef81a3ce1ebfab7ac571ba459976bf7b2bd2fdfa6

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\BlackSun_README.txt

Ransom Note
*** BlackSun PROJECT *** All your data has been encrypted. Documents, photos, databases, backups. HOW CAN I GET MY DATA BACK? Your data is not destroyed. your data are however encrypted with SSL encryption, the only way to decrypt them is to have the decryption code and software. don't try to decrypt the files by yourself, you will damage them and make the recovery impossible. HOW CAN I GET THE DECRYPTION SOFTWARE? To get the software you will have to pay a certain amount of money. (10.000 euro in Monero Cryptocurrency) You need to contact us at this email: bsprj1020@protonmail.com and we will tell you how to pay. You have 10 days starting from now.
Emails

bsprj1020@protonmail.com

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BlackSun.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /u /c "dir /a-d /b /s C:\ > C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL"
      2⤵
        PID:68
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1676

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BlackSun_FILESON_LOCAL_C
      MD5

      d60eade6366500b2a4a08ecfc4a03380

      SHA1

      2f0bf15eb8e297e95625fe9ce5b843370955c2a5

      SHA256

      807d5710a89d653a901b9923469d805e689be1aa21ce67805ef0e7d2e101935c

      SHA512

      7747f07c199b94717dd4e5224ce648942dff2dbe6deab0757eab56ddef8740b61020d0345f0b27f6a3b0220741249b511ae007ea3bfc9f63d6b858f44cff723b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\BlackSun_TMPALL
      MD5

      e6f333c68a8a32e9ac00606716fad104

      SHA1

      3ba3e79c923053e95ff10b8ef1def0492a60f95d

      SHA256

      0dc760539b61b0985d1a1277da677a79bdec9c54e99e5198b2eb7ff5bc4096b3

      SHA512

      dc48d96a62b720c3fff5a65347f1a77a376cf0de7462d1b1ec9641c12d99169424be5557278dc6c65ae19b5f8cdc579ba6960e157216cb6c018e10351027481d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\public.cert
      MD5

      380a8b1bf3594761239b99c669ec7ef6

      SHA1

      ba0557e24b2b37457481198d45fc169714c39436

      SHA256

      77117e1466f4df2532744f597e582570e57463509e059a8e2ce2452c8eb4def2

      SHA512

      7a6aa5cc87eb0415f16ea0e5c567819c1facc9838d0678733a8e224fc41bb86afe3d83e1e6e5975e95fe0e8712f9088ed3b1821c1395648cbaa6c80b16979a03

      Download Submit
    • memory/68-342-0x0000000000000000-mapping.dmp
      Download
    • memory/688-745-0x000001F91CF06000-0x000001F91CF08000-memory.dmp
      Filesize

      8KB

      Download
    • memory/688-740-0x000001F91CF03000-0x000001F91CF05000-memory.dmp
      Filesize

      8KB

      Download
    • memory/688-737-0x000001F91CF00000-0x000001F91CF02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/688-708-0x0000000000000000-mapping.dmp
      Download
    • memory/808-338-0x000001A4445A0000-0x000001A4445A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-118-0x000001A442100000-0x000001A442101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-515-0x000001A444AD0000-0x000001A444AD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-676-0x000001A4445F0000-0x000001A4445F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-696-0x000001A4445F0000-0x000001A4445F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-339-0x000001A4421B8000-0x000001A4421BA000-memory.dmp
      Filesize

      8KB

      Download
    • memory/808-122-0x000001A4421B0000-0x000001A4421B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/808-514-0x000001A444740000-0x000001A444741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-121-0x000001A4423C0000-0x000001A4423C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-152-0x000001A4421B6000-0x000001A4421B8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/808-123-0x000001A4421B3000-0x000001A4421B5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-744-0x000002C4688E3000-0x000002C4688E5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-742-0x000002C4688E0000-0x000002C4688E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-800-0x000002C4688E6000-0x000002C4688E8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-719-0x0000000000000000-mapping.dmp
      Download