blackcat | 65b331074f906c46057da085ffdd1d98b61632a3e996cd252d4548a5e4c6bb10

Resubmissions

29-12-2022 04:38

221229-e9sm5acd27 10

29-12-2022 04:35

10-11-2022 11:04

10-11-2022 11:03

10-11-2022 11:00

10-11-2022 10:58

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=WkFKUyjkqKGeFE4i4Nuu027UkHI%2F8dehprcQjK46N2vz5VBwAnYMtZTbPAdKNzLzUomwVPd2KceFeGkWAIBe0UhU37JmkGIPsczITF1YJyvtlj5xAzJgXaKTaL46Twfeb%2Bd2eNSSZdGwsDEfKEtZtZSCitd99ostxfEyRbbdWfYpYD1avrPKiD79K61E0ga3c97G9azgUl5g735DhkwtuwY4gkdjOca4jUM07RAd0k38at5D3B8CtOnJUPCScYfwEnbj8SahgJ4bXgoq9zEYtgZfX39ACVzijcIE2DjdIVz8lSxGgZBIgWdJzH5SV5qoLLVRqg7OKI%2F5Ys7uC6%2BHCA%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=WkFKUyjkqKGeFE4i4Nuu027UkHI%2F8dehprcQjK46N2vz5VBwAnYMtZTbPAdKNzLzUomwVPd2KceFeGkWAIBe0UhU37JmkGIPsczITF1YJyvtlj5xAzJgXaKTaL46Twfeb%2Bd2eNSSZdGwsDEfKEtZtZSCitd99ostxfEyRbbdWfYpYD1avrPKiD79K61E0ga3c97G9azgUl5g735DhkwtuwY4gkdjOca4jUM07RAd0k38at5D3B8CtOnJUPCScYfwEnbj8SahgJ4bXgoq9zEYtgZfX39ACVzijcIE2DjdIVz8lSxGgZBIgWdJzH5SV5qoLLVRqg7OKI%2F5Ys7uC6%2BHCA%3D%3D

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
460	Process not Found
1428	alg.exe
1620	aspnet_state.exe
2024	mscorsvw.exe
1476	mscorsvw.exe

Modifies extensions of user files 17 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandGet.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\MountGrant.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File renamed	C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\PushUnregister.raw.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockExit.tif.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff.sykffle	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Loads dropped DLL 3 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\F:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Z:	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\system32\qlcelfif.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	\??\c:\windows\SysWOW64\fngpdphf.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft office\office14\hdbofgap.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\gohadkgo.tmp	alg.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\glfakhcg.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	alg.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\ofikenpf.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\npfbhiol.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\gnpqnnmh.tmp	alg.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\qahidbjd.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\menqbggn.tmp	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1972	vssadmin.exe
236	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperStyle = "0"	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
1428	alg.exe
1428	alg.exe
1428	alg.exe
1428	alg.exe
1428	alg.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1992	WMIC.exe
Token: SeSecurityPrivilege	1992	WMIC.exe
Token: SeTakeOwnershipPrivilege	1992	WMIC.exe
Token: SeLoadDriverPrivilege	1992	WMIC.exe
Token: SeSystemProfilePrivilege	1992	WMIC.exe
Token: SeSystemtimePrivilege	1992	WMIC.exe
Token: SeProfSingleProcessPrivilege	1992	WMIC.exe
Token: SeIncBasePriorityPrivilege	1992	WMIC.exe
Token: SeCreatePagefilePrivilege	1992	WMIC.exe
Token: SeBackupPrivilege	1992	WMIC.exe
Token: SeRestorePrivilege	1992	WMIC.exe
Token: SeShutdownPrivilege	1992	WMIC.exe
Token: SeDebugPrivilege	1992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1992	WMIC.exe
Token: SeRemoteShutdownPrivilege	1992	WMIC.exe
Token: SeUndockPrivilege	1992	WMIC.exe
Token: SeManageVolumePrivilege	1992	WMIC.exe
Token: 33	1992	WMIC.exe
Token: 34	1992	WMIC.exe
Token: 35	1992	WMIC.exe
Token: SeBackupPrivilege	1048	vssvc.exe
Token: SeRestorePrivilege	1048	vssvc.exe
Token: SeAuditPrivilege	1048	vssvc.exe
Token: SeTakeOwnershipPrivilege	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Token: SeTakeOwnershipPrivilege	1428	alg.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2008	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	26
PID 784 wrote to memory of 2008	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	26
PID 784 wrote to memory of 2008	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	26
PID 784 wrote to memory of 2008	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	26
PID 2008 wrote to memory of 1992	2008	cmd.exe	28
PID 2008 wrote to memory of 1992	2008	cmd.exe	28
PID 2008 wrote to memory of 1992	2008	cmd.exe	28
PID 2008 wrote to memory of 1992	2008	cmd.exe	28
PID 784 wrote to memory of 1704	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	30
PID 784 wrote to memory of 1704	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	30
PID 784 wrote to memory of 1704	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	30
PID 784 wrote to memory of 1704	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	30
PID 1704 wrote to memory of 1876	1704	cmd.exe	32
PID 1704 wrote to memory of 1876	1704	cmd.exe	32
PID 1704 wrote to memory of 1876	1704	cmd.exe	32
PID 1704 wrote to memory of 1876	1704	cmd.exe	32
PID 784 wrote to memory of 948	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	33
PID 784 wrote to memory of 948	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	33
PID 784 wrote to memory of 948	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	33
PID 784 wrote to memory of 948	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	33
PID 948 wrote to memory of 1292	948	cmd.exe	35
PID 948 wrote to memory of 1292	948	cmd.exe	35
PID 948 wrote to memory of 1292	948	cmd.exe	35
PID 948 wrote to memory of 1292	948	cmd.exe	35
PID 784 wrote to memory of 1260	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	36
PID 784 wrote to memory of 1260	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	36
PID 784 wrote to memory of 1260	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	36
PID 784 wrote to memory of 1260	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	36
PID 784 wrote to memory of 1712	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	37
PID 784 wrote to memory of 1712	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	37
PID 784 wrote to memory of 1712	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	37
PID 784 wrote to memory of 1712	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	37
PID 1712 wrote to memory of 1540	1712	cmd.exe	40
PID 1712 wrote to memory of 1540	1712	cmd.exe	40
PID 1712 wrote to memory of 1540	1712	cmd.exe	40
PID 1712 wrote to memory of 1540	1712	cmd.exe	40
PID 1260 wrote to memory of 1972	1260	cmd.exe	41
PID 1260 wrote to memory of 1972	1260	cmd.exe	41
PID 1260 wrote to memory of 1972	1260	cmd.exe	41
PID 784 wrote to memory of 1040	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	42
PID 784 wrote to memory of 1040	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	42
PID 784 wrote to memory of 1040	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	42
PID 784 wrote to memory of 1040	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	42
PID 1040 wrote to memory of 684	1040	cmd.exe	44
PID 1040 wrote to memory of 684	1040	cmd.exe	44
PID 1040 wrote to memory of 684	1040	cmd.exe	44
PID 1040 wrote to memory of 684	1040	cmd.exe	44
PID 784 wrote to memory of 1864	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	53
PID 784 wrote to memory of 1864	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	53
PID 784 wrote to memory of 1864	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	53
PID 784 wrote to memory of 1864	784	0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe	53
PID 1864 wrote to memory of 236	1864	cmd.exe	55
PID 1864 wrote to memory of 236	1864	cmd.exe	55
PID 1864 wrote to memory of 236	1864	cmd.exe	55

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe -a 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "wmic csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "arp -a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5bca6f4857826ff2901eda39fd710bd1

SHA1
fd814be2aa8df18f90f3ec31fa26260df7236200

SHA256
80a9bda429a5c76b76cdf015087109a571ba7db71a15bac7c8b83cae12ef3498

SHA512
3053e0ac9c006e5f9f646d4e2879b503eb3f2d46b760ea0c5fd04f9d5b576e6f4db68e97aff342af7f47b8abef8649e3188fcf71bccb894c73589bda0c943343

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5bca6f4857826ff2901eda39fd710bd1

SHA1
fd814be2aa8df18f90f3ec31fa26260df7236200

SHA256
80a9bda429a5c76b76cdf015087109a571ba7db71a15bac7c8b83cae12ef3498

SHA512
3053e0ac9c006e5f9f646d4e2879b503eb3f2d46b760ea0c5fd04f9d5b576e6f4db68e97aff342af7f47b8abef8649e3188fcf71bccb894c73589bda0c943343

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
435KB

MD5
f8639d41ae80ead51d45a093999fcc8b

SHA1
255101214989a2020da36147d8461b4194bb5458

SHA256
0e0e3fe0037ecdb6033e4b636789591e8cb76fa074fafb6e5f81188fad61c7d5

SHA512
0ec71b65b414d7a213038799436a24910aad6c5f9edf59b358a9458cd4b10bbbe337fceed8c1f736853e5530433c1d63801e856cc35d6d55ed04977bb79e803c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
f1544d92f3c9712e4484881aee84787b

SHA1
bef06acfe631a3d75a526145c931b3220607974c

SHA256
b5e5ff04870683b8eb6ba3755421ea948903516fa3761af88a459c7f97e879bb

SHA512
e40ccfab377c7ec07c72c4af4b93f5d614419ecd03cc344ddc066c3ef5cf51f912d6cd69c12a5c87969c3d42dd3f399f7e141fa15d0ec20fd9d0ad3e1841c24e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
f1544d92f3c9712e4484881aee84787b

SHA1
bef06acfe631a3d75a526145c931b3220607974c

SHA256
b5e5ff04870683b8eb6ba3755421ea948903516fa3761af88a459c7f97e879bb

SHA512
e40ccfab377c7ec07c72c4af4b93f5d614419ecd03cc344ddc066c3ef5cf51f912d6cd69c12a5c87969c3d42dd3f399f7e141fa15d0ec20fd9d0ad3e1841c24e

Download Submit
C:\Windows\System32\alg.exe

Filesize
476KB

MD5
3e0e09f14b992bfa4b83ff926fc40f91

SHA1
37a307306cde1582f46c23d20d666dead19651df

SHA256
092889af33fddcd1cbf60686680aee5da1e2060ae1a6f92612553d8176edb2e1

SHA512
ed65e93246f4effbbff229af0c847f1c9c9e50082f1ac79e31b94ff252431a188dbe9bc5f487c8d550ab6b5e1cd6014708117e7b1ec6a42f9d4b71acbdcdd19c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5bca6f4857826ff2901eda39fd710bd1

SHA1
fd814be2aa8df18f90f3ec31fa26260df7236200

SHA256
80a9bda429a5c76b76cdf015087109a571ba7db71a15bac7c8b83cae12ef3498

SHA512
3053e0ac9c006e5f9f646d4e2879b503eb3f2d46b760ea0c5fd04f9d5b576e6f4db68e97aff342af7f47b8abef8649e3188fcf71bccb894c73589bda0c943343

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5bca6f4857826ff2901eda39fd710bd1

SHA1
fd814be2aa8df18f90f3ec31fa26260df7236200

SHA256
80a9bda429a5c76b76cdf015087109a571ba7db71a15bac7c8b83cae12ef3498

SHA512
3053e0ac9c006e5f9f646d4e2879b503eb3f2d46b760ea0c5fd04f9d5b576e6f4db68e97aff342af7f47b8abef8649e3188fcf71bccb894c73589bda0c943343

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
435KB

MD5
f8639d41ae80ead51d45a093999fcc8b

SHA1
255101214989a2020da36147d8461b4194bb5458

SHA256
0e0e3fe0037ecdb6033e4b636789591e8cb76fa074fafb6e5f81188fad61c7d5

SHA512
0ec71b65b414d7a213038799436a24910aad6c5f9edf59b358a9458cd4b10bbbe337fceed8c1f736853e5530433c1d63801e856cc35d6d55ed04977bb79e803c

Download Submit
\Windows\System32\alg.exe

Filesize
476KB

MD5
3e0e09f14b992bfa4b83ff926fc40f91

SHA1
37a307306cde1582f46c23d20d666dead19651df

SHA256
092889af33fddcd1cbf60686680aee5da1e2060ae1a6f92612553d8176edb2e1

SHA512
ed65e93246f4effbbff229af0c847f1c9c9e50082f1ac79e31b94ff252431a188dbe9bc5f487c8d550ab6b5e1cd6014708117e7b1ec6a42f9d4b71acbdcdd19c

Download Submit
memory/784-54-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/784-67-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-68-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/784-91-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/784-75-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1428-92-0x00000000FFA00000-0x00000000FFACF000-memory.dmp

Filesize
828KB

Download
memory/1428-72-0x00000000FFA00000-0x00000000FFACF000-memory.dmp

Filesize
828KB

Download
memory/1428-71-0x00000000FFA00000-0x00000000FFACF000-memory.dmp

Filesize
828KB

Download
memory/1428-80-0x00000000FFA00000-0x00000000FFACF000-memory.dmp

Filesize
828KB

Download
memory/1476-90-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download
memory/1476-85-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download
memory/1620-93-0x000000013FE90000-0x000000013FF58000-memory.dmp

Filesize
800KB

Download
memory/1620-76-0x000000013FE90000-0x000000013FF58000-memory.dmp

Filesize
800KB

Download
memory/2024-89-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2024-79-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2024-78-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download