Static task
static1
Behavioral task
behavioral1
Sample
f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e.exe
Resource
win10v2004-en-20220113
General
-
Target
b7cb466d1ac75903fff6cc04932d86ec38b4b9af3c1c0b0b4451ba7eaea569c6
-
Size
2.9MB
-
MD5
705290d1ba3237098e1a42596963fbd5
-
SHA1
9046c5895c2886a6950de16287340742e196beb7
-
SHA256
b7cb466d1ac75903fff6cc04932d86ec38b4b9af3c1c0b0b4451ba7eaea569c6
-
SHA512
49ff969b6991b1f9855f64c79944504828510026205622b942739dcc50757c66e1bebdfa94969d4013bfb3aefc9bcbd2595ae7a7c9792089836900e366217507
Malware Config
Extracted
blackcat
- Username:
ctconventions\administrator - Password:
9ThingThousandPortugal^
- Username:
ctconventions\kdanforth - Password:
|>eltaFlyer5
- Username:
ctconventions\whgadmin - Password:
@C232323c
- Username:
ctconventions\glackey - Password:
P@55Me2021$
- Username:
ctconventions\walkergroup - Password:
2EnjoyAnythingCreate
- Username:
ctconventions\ctcc - Password:
CTcc2629
- Username:
ctconventions\MasterAccount - Password:
micros000000
-
enable_network_discovery
true
-
enable_self_propagation
true
-
enable_set_wallpaper
true
-
extension
grp3smk
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
Hello, CTConventions >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - MICROS DATABASE, Accounting, Drawings - Check Copies, Engineering, HR, Banking Information - Payroll Scan, Sales and Marketing, Financia - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://d75itpgjjfe2ys2qivqplbvmw3yyx7o5e4ppt2esit2lluhngulz4hqd.onion/?access-key=${ACCESS_KEY}
Signatures
-
Blackcat family
Files
-
b7cb466d1ac75903fff6cc04932d86ec38b4b9af3c1c0b0b4451ba7eaea569c6.zip
-
f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e.exe.exe windows x86
676f66b42797477a467945daedd979f3
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Imports
kernel32
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
SetConsoleCursorPosition
AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AttachConsole
CancelIo
CloseHandle
CompareStringOrdinal
CopyFileExW
CreateEventW
CreateFileMappingA
CreateFileW
CreateMutexA
CreateNamedPipeW
CreatePipe
CreateProcessW
CreateThread
CreateToolhelp32Snapshot
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FormatMessageW
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetComputerNameExW
GetComputerNameW
GetConsoleMode
GetConsoleScreenBufferInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetLogicalDrives
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathW
GetTimeZoneInformation
GetVolumePathNamesForVolumeNameW
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
OpenProcess
Process32FirstW
Process32NextW
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleW
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveDirectoryW
SetConsoleCursorInfo
SetConsoleMode
SetConsoleTextAttribute
SetFileAttributesW
SetFileInformationByHandle
SetFilePointerEx
SetHandleInformation
SetLastError
SetThreadStackGuarantee
SetUnhandledExceptionFilter
SetVolumeMountPointW
Sleep
SwitchToThread
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
TzSpecificLocalTimeToSystemTime
UnmapViewOfFile
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
Wow64DisableWow64FsRedirection
WriteConsoleW
WriteFile
lstrlenW
DeleteCriticalSection
GetCurrentThreadId
GetTickCount
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
ntdll
NtOpenProcessToken
NtQueryInformationToken
RtlCaptureContext
advapi32
AdjustTokenPrivileges
CloseServiceHandle
ControlService
CreateProcessWithLogonW
EnumDependentServicesW
EnumServicesStatusExW
GetUserNameW
LookupPrivilegeValueW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceStatusEx
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ole32
CoGetObject
CoInitializeEx
CoUninitialize
ws2_32
WSACleanup
WSAGetLastError
WSASocketW
WSAStartup
bind
closesocket
connect
freeaddrinfo
getaddrinfo
ioctlsocket
recv
recvfrom
send
sendto
setsockopt
userenv
GetUserProfileDirectoryW
bcrypt
BCryptGenRandom
user32
SystemParametersInfoW
rstrtmgr
RmEndSession
RmGetList
RmRegisterResources
RmStartSession
shell32
SHTestTokenMembership
netapi32
NetApiBufferFree
NetServerEnum
NetShareEnum
msvcrt
__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_fpreset
_initterm
_iob
_lock
_onexit
_unlock
calloc
ceil
exit
fprintf
free
fwrite
malloc
memcmp
memcpy
memmove
memset
signal
strlen
strncmp
_wcsicmp
abort
atexit
vfprintf
wcscat
wcscat_s
wcscpy
wcscpy_s
wcslen
Sections
.text Size: 1.9MB - Virtual size: 1.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 288B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 863KB - Virtual size: 863KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.eh_fram Size: 76KB - Virtual size: 76KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.bss Size: - Virtual size: 1KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 88B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE