Analysis

  • max time kernel
    198s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 09:24

General

  • Target

    trojan/6.exe

  • Size

    156KB

  • MD5

    eba85b706259f4dc0aec06a6a024609a

  • SHA1

    94873e77bd5b7e5d6bd9e5af40eca26c2c56e0b7

  • SHA256

    ae121f28c05037d09f85f8b7ef9930f2d62c8f0e6e6a8d7ff092932ddbb1ad23

  • SHA512

    1679216a9e3c4665bc79332847759829e3c280bfe9f3ab70d1c7289346a302ff543fa4f88bc3e449c5d8b9eb4b03e96dd50c1f13877f4d4287ab4c63a0b2542e

Malware Config

Extracted

  • Path

    C:\$Recycle.Bin\README_6060147.txt

  • Family

    blackout

  • Ransom Note

Hello!! All your files have been encrypted.. Your Id: Y0zqdgTFO6mJwFNzLuvuk86F3lszkfPzBRFyEWsWRbDbFk0+mOTRpub+bSQUQ53quJuVUNssIWpiZRhCoNaobcapFz8ZXEJYQtkvrWINsc2wHjpyuf3fB/vE3OVsH3UmvnPkoVHL4LNky965r8/zNA+GGAHELDTMSL7oSOh8lTEYot2YxT52+nsD1YGYKXRJMWc4lsqo5pMMnfEQr06382myHHSddHUN2EBHR9UjdqPN9vaV0CgaYxD7r4NiT6vkcQgFHe1+NAD2md8UsrT4dQ7A/FqXpG0HjIEmXvy0SA3iKOW6W9HN8xed6ecZMxGsKYJqqc07hIGyheOxJhcn4w++ZW4tVVNfNjA2MDE0N19BZG1pbl83LzcvMjAyMiAxMToyNzo0MCBBTV9XaW4gN19ibHV0NV82 To decrypt your files, write to email: decrypted8@bigmir.net or mitoplent@safe-mail.net In the letter, send your Id and 2 small encrypted files for trial decryption. If you dont get answer from decrypted8@bigmir.net or mitoplent@safe-mail.net in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
  • Emails

    decrypted8@bigmir.net

    mitoplent@safe-mail.net

  • URLs

    http://t5vj34iny72dpdu4.onion

    https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

  • Blackout

    Ransomware family identified in early 2020.

  • Disables Task Manager via registry modification
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops desktop.ini file(s) (4 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan\6.exe
    "C:\Users\Admin\AppData\Local\Temp\trojan\6.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112

Downloads

  • memory/1976-54-0x0000000000D40000-0x0000000000D70000-memory.dmp
    Filesize

    192KB

  • memory/1976-55-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
    Filesize

    8KB

  • memory/1976-56-0x0000000000480000-0x000000000048A000-memory.dmp
    Filesize

    40KB

  • memory/1976-57-0x000000001A847000-0x000000001A866000-memory.dmp
    Filesize

    124KB