Overview

overview

10

Static

static

10

bcr.exe

windows7-x64

10

bcr.exe

windows10-2004-x64

10

Resubmissions

10-01-2023 09:44

230110-lqzewsbc71 10

05-07-2022 13:30

220705-qsa8ashfen 10

Analysis

  • max time kernel
    149s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2023 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcr.exe

  • Size

    2.6MB

  • MD5

    aef7f7b98d50e5d6547bc3a2bc13c42d

  • SHA1

    9f323fcb5129f9f1778c669bbdf0021fd959cba0

  • SHA256

    5cfe2f75a9d9319bee2d722a972eb38f3fcb335991f1cfdcb04a9891b1527b87

  • SHA512

    f5da97ab283df2ede46c7ceb4467ac49ec1b8d1d69bdede53efe89962cc70e41f91eeee2e553a269c9402d081c56909ea70c3452183a6128aabca158cfdb7c8f

  • SSDEEP

    49152:UEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:UbyaALKjwWXV1P9oVvwwW4JT8

Score
10/10
blackcatransomware

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    KELLERSUPPLY\Administrator
  • Password:
    d@gw00d
  • Username:
    KELLERSUPPLY\AdminRecovery
  • Password:
    K3ller!$Supp1y
  • Username:
    .\Administrator
  • Password:
    d@gw00d
  • Username:
    .\Administrator
  • Password:
    K3ller!$Supp1y
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    false

  • enable_set_wallpaper

    true

  • extension

    sykffle

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • BlackCat

    A Rust-based ransomware sold as RaaS first seen in late 2021.

    ransomwareblackcat
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcr.exe
    "C:\Users\Admin\AppData\Local\Temp\bcr.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 152
      2⤵
      • Program crash
      PID:1496
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1528
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x184
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:676

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1528-56-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2016-55-0x0000000000400000-0x00000000006CA000-memory.dmp

      Filesize

      2.8MB

      Download