General
-
Target
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.bin
-
Size
2.9MB
-
Sample
221114-e2qhsseg47
-
MD5
ccde3fe374a219ed3a85a0bf548542c3
-
SHA1
c1187fe0eaddee995773d6c66bcb558536e9b62c
-
SHA256
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
-
SHA512
94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
-
SSDEEP
49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb
Behavioral task
behavioral1
Sample
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
blackcat
- Username:
NANOFOCUS.LOCAL\Administrator - Password:
368CkbIna?#
-
enable_network_discovery
true
-
enable_self_propagation
true
-
enable_set_wallpaper
true
-
extension
mfqssdj
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
>> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=${ACCESS_KEY}
Extracted
C:\RECOVER-mfqssdj-FILES.txt
http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
Extracted
C:\Users\Admin\Searches\RECOVER-mfqssdj-FILES.txt
http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D
Targets
-
-
Target
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.bin
-
Size
2.9MB
-
MD5
ccde3fe374a219ed3a85a0bf548542c3
-
SHA1
c1187fe0eaddee995773d6c66bcb558536e9b62c
-
SHA256
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
-
SHA512
94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
-
SSDEEP
49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Modifies boot configuration data using bcdedit
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-