Analysis
- max time kernel: 601s
- max time network: 487s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/10/2022, 09:43
Behavioral task behavioral1
- Sample: blackcat.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: blackcat.exe
- Resource: win10v2004-20220812-en
General
- Target: blackcat.exe
- Size: 2.6MB
- MD5: bb266486ee8ac70c0687989e02cefa14
- SHA1: 11203786b17bb3873d46acae32a898c8dac09850
- SHA256: 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
- SHA512: a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
- SSDEEP: 49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8
Malware Config
Extracted from C:\Users\Admin\Searches\RECOVER-sykffle-FILES.txt:
- http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
- http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=lL8swMvodAg%2FYAyc5utbsRPdxD8bJqfb4qHRoSdT6PwVywXgHBy2zTaT0OO21dClM%2Buit0pHzTNYnv1zE2ogXDnfp7V2AMqRPd4VS5TPNl6fFq%2FBkBb9iuNZqeMaNMx5EpJTNhPqw5UIS%2FGq4T5MLJivk1ZME7D8TSetu6aP5VxuviEkDLGeP%2BaJbkJAKy3VfNOS%2BjO2l%2FJdb2Npd1pbgETH7pUnst12C1sc%2Fmakz7HvLmaB94JeKSWb1ka5TsDmatNPHKQqJ8xmF2%2F0m%2BgTwkycUbF2oDZ4agpgQm6uUQvF7MeGc%2BwC%2B3j5YGB6rrvCxTDaBQgF7D0gFfCtuTBDsg%3D%3D
Extracted (blackcat configuration):
- Username: KELLERSUPPLY\Administrator, Password: d@gw00d
- Username: KELLERSUPPLY\AdminRecovery, Password: K3ller!$Supp1y
- Username: .\Administrator, Password: d@gw00d
- Username: .\Administrator, Password: K3ller!$Supp1y
- enable_network_discovery: true
- enable_self_propagation: false
- enable_set_wallpaper: true
- extension: sykffle
- note_file_name: RECOVER-${EXTENSION}-FILES.txt
- note_full_text:
  >> Introduction
  Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below.
  >> Sensitive Data
  Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes:
  - Employees personal data, CVs, DL, SSN.
  - Complete network map including credentials for local and remote services.
  - Financial information including clients data, bills, budgets, annual reports, bank statements.
  - Complete datagrams/schemas/drawings for manufacturing in solidworks format
  - And more...
  Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
  >> CAUTION
  DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
  >> Recovery procedure
  Follow these simple steps to get in touch and recover your data:
  1) Download and install Tor Browser from: https://torproject.org/
  2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}
Signatures
- BlackCat
  A Rust-based ransomware sold as RaaS first seen in late 2021.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables taskbar notifications via registry modification
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 864 alg.exe
  - 1348 DiagnosticsHub.StandardCollector.Service.exe
  - 1424 fxssvc.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description / ioc / Process:
  - File renamed: C:\Users\Admin\Pictures\DismountEnter.crw => C:\Users\Admin\Pictures\DismountEnter.crw.sykffle (blackcat.exe)
  - File opened for modification: C:\Users\Admin\Pictures\DismountEnter.crw.sykffle (blackcat.exe)
  - File renamed: C:\Users\Admin\Pictures\SendExport.raw => C:\Users\Admin\Pictures\SendExport.raw.sykffle (blackcat.exe)
  - File opened for modification: C:\Users\Admin\Pictures\SendExport.raw.sykffle (blackcat.exe)
- Windows security modification
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000 (alg.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000\EnableNotifications = "0" (alg.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  - File opened (read-only): \??\F: (alg.exe)
  - File opened (read-only): \??\K: (alg.exe)
  - File opened (read-only): \??\M: (alg.exe)
  - File opened (read-only): \??\O: (alg.exe)
  - File opened (read-only): \??\X: (alg.exe)
  - File opened (read-only): \??\I: (alg.exe)
  - File opened (read-only): \??\N: (alg.exe)
  - File opened (read-only): \??\Q: (alg.exe)
  - File opened (read-only): \??\R: (alg.exe)
  - File opened (read-only): \??\Y: (alg.exe)
  - File opened (read-only): \??\E: (alg.exe)
  - File opened (read-only): \??\S: (alg.exe)
  - File opened (read-only): \??\T: (alg.exe)
  - File opened (read-only): \??\U: (alg.exe)
  - File opened (read-only): \??\V: (alg.exe)
  - File opened (read-only): \??\W: (alg.exe)
  - File opened (read-only): \??\Z: (blackcat.exe)
  - File opened (read-only): \??\G: (alg.exe)
  - File opened (read-only): \??\H: (alg.exe)
  - File opened (read-only): \??\J: (alg.exe)
  - File opened (read-only): \??\L: (alg.exe)
  - File opened (read-only): \??\P: (alg.exe)
- Drops file in System32 directory (41 IoCs)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" (blackcat.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" (blackcat.exe)
- Drops file in Program Files directory (34 IoCs)
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (blackcat.exe)
  - File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (alg.exe)
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid / Process:
  - 1068 vssadmin.exe
  - 3864 vssadmin.exe
- Modifies Control Panel (1 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperStyle = "0" (blackcat.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" (fxssvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" (fxssvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" (fxssvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" (fxssvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" (fxssvc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid / Process:
  - 660 Process not Found
  - 660 Process not Found
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Token / pid / Process:
  - SeIncreaseQuotaPrivilege 4848 WMIC.exe
  - SeSecurityPrivilege 4848 WMIC.exe
  - SeTakeOwnershipPrivilege 4848 WMIC.exe
  - SeLoadDriverPrivilege 4848 WMIC.exe
  - SeSystemProfilePrivilege 4848 WMIC.exe
  - SeSystemtimePrivilege 4848 WMIC.exe
  - SeProfSingleProcessPrivilege 4848 WMIC.exe
  - SeIncBasePriorityPrivilege 4848 WMIC.exe
  - SeCreatePagefilePrivilege 4848 WMIC.exe
  - SeBackupPrivilege 4848 WMIC.exe
  - SeRestorePrivilege 4848 WMIC.exe
  - SeShutdownPrivilege 4848 WMIC.exe
  - SeDebugPrivilege 4848 WMIC.exe
  - SeSystemEnvironmentPrivilege 4848 WMIC.exe
  - SeRemoteShutdownPrivilege 4848 WMIC.exe
  - SeUndockPrivilege 4848 WMIC.exe
  - SeManageVolumePrivilege 4848 WMIC.exe
  - 33 4848 WMIC.exe
  - 34 4848 WMIC.exe
  - 35 4848 WMIC.exe
  - 36 4848 WMIC.exe
  - SeIncreaseQuotaPrivilege 4848 WMIC.exe
  - SeSecurityPrivilege 4848 WMIC.exe
  - SeTakeOwnershipPrivilege 4848 WMIC.exe
  - SeLoadDriverPrivilege 4848 WMIC.exe
  - SeSystemProfilePrivilege 4848 WMIC.exe
  - SeSystemtimePrivilege 4848 WMIC.exe
  - SeProfSingleProcessPrivilege 4848 WMIC.exe
  - SeIncBasePriorityPrivilege 4848 WMIC.exe
  - SeCreatePagefilePrivilege 4848 WMIC.exe
  - SeBackupPrivilege 4848 WMIC.exe
  - SeRestorePrivilege 4848 WMIC.exe
  - SeShutdownPrivilege 4848 WMIC.exe
  - SeDebugPrivilege 4848 WMIC.exe
  - SeSystemEnvironmentPrivilege 4848 WMIC.exe
  - SeRemoteShutdownPrivilege 4848 WMIC.exe
  - SeUndockPrivilege 4848 WMIC.exe
  - SeManageVolumePrivilege 4848 WMIC.exe
  - 33 4848 WMIC.exe
  - 34 4848 WMIC.exe
  - 35 4848 WMIC.exe
  - 36 4848 WMIC.exe
  - SeBackupPrivilege 3108 vssvc.exe
  - SeRestorePrivilege 3108 vssvc.exe
  - SeAuditPrivilege 3108 vssvc.exe
  - SeTakeOwnershipPrivilege 2148 blackcat.exe
  - SeTakeOwnershipPrivilege 864 alg.exe
  - SeAuditPrivilege 1424 fxssvc.exe
  - SeBackupPrivilege 4592 vssvc.exe
  - SeRestorePrivilege 4592 vssvc.exe
  - SeAuditPrivilege 4592 vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
- System policy modification (1 TTPs, 2 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (alg.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (alg.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\blackcat.exe (PID 2148)
  Command line: C:\Users\Admin\AppData\Local\Temp\blackcat.exe -a 12345
  Signatures: Modifies extensions of user files; Enumerates connected drives; Drops file in System32 directory; Sets desktop wallpaper using registry; Drops file in Program Files directory; Drops file in Windows directory; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4696)
    Command line: "cmd" /c "wmic csproduct get UUID"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4848)
      Command line: wmic csproduct get UUID
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4180)
    Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fsutil.exe (PID 212)
      Command line: fsutil behavior set SymlinkEvaluation R2L:1
  - C:\Windows\SysWOW64\cmd.exe (PID 320)
    Command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fsutil.exe (PID 3592)
      Command line: fsutil behavior set SymlinkEvaluation R2R:1
  - C:\Windows\SYSTEM32\cmd.exe (PID 3232)
    Command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 1068)
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe (PID 2152)
    Command line: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1076)
      Command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
  - C:\Windows\SysWOW64\cmd.exe (PID 3768)
    Command line: "cmd" /c "arp -a"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ARP.EXE (PID 4272)
      Command line: arp -a
  - C:\Windows\SYSTEM32\cmd.exe (PID 2208)
    Command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 3864)
      Command line: vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 3108)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 864)
  Command line: C:\Windows\System32\alg.exe
  Signatures: Executes dropped EXE; Windows security modification; Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 1348)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Signatures: Executes dropped EXE
- C:\Windows\System32\svchost.exe (PID 2972)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 1424)
  Command line: C:\Windows\system32\fxssvc.exe
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 4592)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 491KB
  MD5: 76a97d710fa88a93c0e1b8701409b153
  SHA1: a738d68e8bdc9285145be7d999b7bd5c388864ef
  SHA256: e59ed73e1a5125bb2eb401b6cd307b59b9f42a05307217b6b0535c6446b7c9e6
  SHA512: a9c220b026f99a7ce534a31f6f2e76aaee2610aa335ecf2b338c0875bfc503fd4d8b3c1607a55d7f035e77dadbfba2dbc8a9a6e234a80e3cce134453bbe58c31
- Filesize: 1.0MB
  MD5: f3e3dfb8dceb0ba74ee470c39736411a
  SHA1: 0ada4c299c931a4b4261360cf680d285325544dc
  SHA256: 13a2b8e9643b60a5da646a2d7b1d66fd307af032b8c87b77a982dbc3b5be63b0
  SHA512: 5584d51b2095144f55242d7b00e6fc25689aed2439cb1ecb40bd69c8fd5be507cba2fe5722bf1badc4fd41d22422f4c5ff923ba428fda6de96040494032e4580
- Filesize: 493KB
  MD5: ab94db71db9b69e8dc22a70de0c6b218
  SHA1: bc574693faf9fa814098f5590b8da3a3add615ea
  SHA256: cfc49266b09c3c98c2047f16fdb16fe6d77f32e56625e01d9e0a8bfe2828ce34
  SHA512: ba1076406bbfa4608144cd5afc16aafb3addde4e99976e31c2ae93c858e28d07fd296eb202fed3d9b0ca866d788c90e3d1e55ebdce59a9e4dbe1c6f94e9a3990
- Filesize: 1.1MB
  MD5: c4e882b73f16e70915604619e33bd1f7
  SHA1: 05c90977673c8ec969d8d334c7f71e27f5a66033
  SHA256: 37128f1c046e0b109f20ce2066269223fbd5104ecd6b2fb996ed2896956ef081
  SHA512: 01d048b016ccb82dabd8a8f55b8b571c3becb6bf93de25ae693d1c3af2de1bc94925a48b62c9d1ad003b758b12f9815ab9c8a70d2aca0759f89748eb99af867b