Overview

Task            Platform             Score
overview        -                    10
static          -                    8
trojan/1.exe    windows7_x64         10
trojan/1.exe    windows10-2004_x64   10
trojan/10.exe   windows7_x64         10
trojan/10.exe   windows10-2004_x64   8
trojan/2.exe    windows7_x64         3
trojan/2.exe    windows10-2004_x64   5
trojan/3.exe    windows7_x64         10
trojan/3.exe    windows10-2004_x64   10
trojan/4.exe    windows7_x64         8
trojan/4.exe    windows10-2004_x64   8
trojan/5.exe    windows7_x64         8
trojan/5.exe    windows10-2004_x64   8
trojan/6.exe    windows7_x64         10
trojan/6.exe    windows10-2004_x64   10
trojan/7.exe    windows7_x64         10
trojan/7.exe    windows10-2004_x64   10
trojan/8.exe    windows7_x64         (no score)
trojan/8.exe    windows10-2004_x64   10
trojan/9.exe    windows7_x64         8
trojan/9.exe    windows10-2004_x64   8
Analysis

Max time kernel:   207s
Max time network:  233s
Platform:          windows10-2004_x64
Resource:          win10v2004-20220414-en
Submitted:         07-07-2022 09:24
Tasks

Task           Type             Sample          Resource
static1        Static task      -               -
behavioral1    Behavioral task  trojan/1.exe    win7-20220414-en
behavioral2    Behavioral task  trojan/1.exe    win10v2004-20220414-en
behavioral3    Behavioral task  trojan/10.exe   win7-20220414-en
behavioral4    Behavioral task  trojan/10.exe   win10v2004-20220414-en
behavioral5    Behavioral task  trojan/2.exe    win7-20220414-en
behavioral6    Behavioral task  trojan/2.exe    win10v2004-20220414-en
behavioral7    Behavioral task  trojan/3.exe    win7-20220414-en
behavioral8    Behavioral task  trojan/3.exe    win10v2004-20220414-en
behavioral9    Behavioral task  trojan/4.exe    win7-20220414-en
behavioral10   Behavioral task  trojan/4.exe    win10v2004-20220414-en
behavioral11   Behavioral task  trojan/5.exe    win7-20220414-en
behavioral12   Behavioral task  trojan/5.exe    win10v2004-20220414-en
behavioral13   Behavioral task  trojan/6.exe    win7-20220414-en
behavioral14   Behavioral task  trojan/6.exe    win10v2004-20220414-en
behavioral15   Behavioral task  trojan/7.exe    win7-20220414-en
behavioral16   Behavioral task  trojan/7.exe    win10v2004-20220414-en
behavioral17   Behavioral task  trojan/8.exe    win7-20220414-en
behavioral18   Behavioral task  trojan/8.exe    win10v2004-20220414-en
behavioral19   Behavioral task  trojan/9.exe    win7-20220414-en
behavioral20   Behavioral task  trojan/9.exe    win10v2004-20220414-en
General

Target:  trojan/6.exe
Size:    156KB
MD5:     eba85b706259f4dc0aec06a6a024609a
SHA1:    94873e77bd5b7e5d6bd9e5af40eca26c2c56e0b7
SHA256:  ae121f28c05037d09f85f8b7ef9930f2d62c8f0e6e6a8d7ff092932ddbb1ad23
SHA512:  1679216a9e3c4665bc79332847759829e3c280bfe9f3ab70d1c7289346a302ff543fa4f88bc3e449c5d8b9eb4b03e96dd50c1f13877f4d4287ab4c63a0b2542e
Malware Config

Extracted from: C:\$Recycle.Bin\README_8713028.txt
Family:         blackout
Contacts:
- decrypted8@bigmir.net
- mitoplent@safe-mail.net
- http://t5vj34iny72dpdu4.onion
- https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
Signatures

Blackout
  Ransomware family identified in early 2020.

Disables Task Manager via registry modification

Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File opened for modification: C:\Users\Admin\Pictures\RenameEnable.tiff (6.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\6.exe" (6.exe)

Drops desktop.ini file(s) (16 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\Videos\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Favorites\Links\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Music\desktop.ini (6.exe)
  - File created: C:\Users\Admin\OneDrive\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Pictures\Camera Roll\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Pictures\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Saved Games\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Contacts\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Desktop\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Downloads\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Links\desktop.ini (6.exe)
  - File created: C:\Users\Admin\3D Objects\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Favorites\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Documents\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini (6.exe)
  - File created: C:\Users\Admin\Searches\desktop.ini (6.exe)

Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Program Files (x86)\README_8713028.txt (6.exe)
  - File created: C:\Program Files\README_8713028.txt (6.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 1780 6.exe (64 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1780, 6.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\trojan\6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan\6.exe"
  Signatures:
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken