Overview

Task scores (the score badge in the extracted page was fused onto the start of the following task name; it is shown here beside the task it belongs to):

Task             Sample          Platform             Score
overview                                              10
static                                                8
behavioral       trojan/1.exe    windows7_x64         10
behavioral       trojan/1.exe    windows10-2004_x64   10
behavioral       trojan/10.exe   windows7_x64         10
behavioral       trojan/10.exe   windows10-2004_x64   8
behavioral       trojan/2.exe    windows7_x64         3
behavioral       trojan/2.exe    windows10-2004_x64   5
behavioral       trojan/3.exe    windows7_x64         10
behavioral       trojan/3.exe    windows10-2004_x64   10
behavioral       trojan/4.exe    windows7_x64         8
behavioral       trojan/4.exe    windows10-2004_x64   8
behavioral       trojan/5.exe    windows7_x64         8
behavioral       trojan/5.exe    windows10-2004_x64   8
behavioral       trojan/6.exe    windows7_x64         10
behavioral       trojan/6.exe    windows10-2004_x64   10
behavioral       trojan/7.exe    windows7_x64         10
behavioral       trojan/7.exe    windows10-2004_x64   10
behavioral       trojan/8.exe    windows7_x64         (no score)
behavioral       trojan/8.exe    windows10-2004_x64   10
behavioral       trojan/9.exe    windows7_x64         8
behavioral       trojan/9.exe    windows10-2004_x64   8

Analysis
- Max time kernel: 198s
- Max time network: 50s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 07-07-2022 09:24
Tasks (task ID, sample, resource):

static1        (static analysis)
behavioral1    trojan/1.exe    win7-20220414-en
behavioral2    trojan/1.exe    win10v2004-20220414-en
behavioral3    trojan/10.exe   win7-20220414-en
behavioral4    trojan/10.exe   win10v2004-20220414-en
behavioral5    trojan/2.exe    win7-20220414-en
behavioral6    trojan/2.exe    win10v2004-20220414-en
behavioral7    trojan/3.exe    win7-20220414-en
behavioral8    trojan/3.exe    win10v2004-20220414-en
behavioral9    trojan/4.exe    win7-20220414-en
behavioral10   trojan/4.exe    win10v2004-20220414-en
behavioral11   trojan/5.exe    win7-20220414-en
behavioral12   trojan/5.exe    win10v2004-20220414-en
behavioral13   trojan/6.exe    win7-20220414-en
behavioral14   trojan/6.exe    win10v2004-20220414-en
behavioral15   trojan/7.exe    win7-20220414-en
behavioral16   trojan/7.exe    win10v2004-20220414-en
behavioral17   trojan/8.exe    win7-20220414-en
behavioral18   trojan/8.exe    win10v2004-20220414-en
behavioral19   trojan/9.exe    win7-20220414-en
behavioral20   trojan/9.exe    win10v2004-20220414-en
General

- Target: trojan/6.exe
- Size: 156KB
- MD5: eba85b706259f4dc0aec06a6a024609a
- SHA1: 94873e77bd5b7e5d6bd9e5af40eca26c2c56e0b7
- SHA256: ae121f28c05037d09f85f8b7ef9930f2d62c8f0e6e6a8d7ff092932ddbb1ad23
- SHA512: 1679216a9e3c4665bc79332847759829e3c280bfe9f3ab70d1c7289346a302ff543fa4f88bc3e449c5d8b9eb4b03e96dd50c1f13877f4d4287ab4c63a0b2542e
Malware Config

Extracted from ransom note C:\$Recycle.Bin\README_6060147.txt:
- Family: blackout
- E-mail: decrypted8@bigmir.net
- E-mail: mitoplent@safe-mail.net
- URL: http://t5vj34iny72dpdu4.onion
- URL: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Signatures

- Blackout
  Ransomware family identified in early 2020.

- Disables Task Manager via registry modification

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\6.exe" | 6.exe

- Drops desktop.ini file(s) (4 IoCs)
  Processes: 6.exe
  description | ioc | process
  File created | C:\Users\Admin\Contacts\desktop.ini | 6.exe
  File created | C:\Users\Admin\Desktop\desktop.ini | 6.exe
  File created | C:\Users\Admin\Documents\desktop.ini | 6.exe
  File created | C:\Users\Admin\Downloads\desktop.ini | 6.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: 6.exe
  description | ioc | process
  File created | C:\Program Files (x86)\README_6060147.txt | 6.exe
  File created | C:\Program Files\README_6060147.txt | 6.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 6.exe
  pid | process
  1976 | 6.exe (the same entry is repeated 64 times in the report)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 6.exe
  description | pid | process
  Token: SeDebugPrivilege | 1976 | 6.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1976-54-0x0000000000D40000-0x0000000000D70000-memory.dmp (Filesize: 192KB)
- memory/1976-55-0x000007FEFB751000-0x000007FEFB753000-memory.dmp (Filesize: 8KB)
- memory/1976-56-0x0000000000480000-0x000000000048A000-memory.dmp (Filesize: 40KB)
- memory/1976-57-0x000000001A847000-0x000000001A866000-memory.dmp (Filesize: 124KB)