blackcat | 7268e5c50844eb4d50565f8455676fb3c4b8ad15e124a796469b33032298d4f4

Resubmissions

22-02-2023 22:16

230222-165deadh24 10

22-02-2023 22:13

230222-15gkysdg99 10

Analysis

max time kernel
1740s
max time network
1222s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5.exe
Size

11.7MB
MD5

b00b5eb046fe27f645b2a9b7aecc0205
SHA1

cade2b4fd89e611c335edacc749ddc33899b95f2
SHA256

326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5
SHA512

6c6fb398886a6d01e6a2608484f99fa35be98d3ada807edd2f539db53887774ffe9cf828aea4f5cca2ace84ce37add0a05d0c8e9d8ed3f4cb453403d695ce69d
SSDEEP

196608:RAzfOpZutBRpns5DV442yHzazu0sGkDEnNffjCi:RdpstBSDVIywky7

Score

10^/10

blackcat ransomware

Malware Config

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5008	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4760	WINWORD.EXE
4760	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2376	7zG.exe
Token: 35	2376	7zG.exe
Token: SeSecurityPrivilege	2376	7zG.exe
Token: SeSecurityPrivilege	2376	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	7zG.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE
4712	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5.exe
"C:\Users\Admin\AppData\Local\Temp\326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5.exe"
1⤵
PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5.exe
"C:\Users\Admin\AppData\Local\Temp\326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5.exe"
1⤵
PID:808

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\326993f7e516c7a9608bb8bdc9a7ae162ca485f70a97ede3fd9ba137878c66e5\" -spe -an -ai#7zMap32124:208:7zEvent191
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InitializeRead.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:5008

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\NewMerge.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
502B

MD5
e0bcf61283333c8aa35de88e4729ba25

SHA1
221ea5e807920b6a9fbc3c3705f0ab0e56a019ef

SHA256
e6666f854fc0b9af91149bc4d50dce334050f68841bfce15ad60f00833e3cd1c

SHA512
8dc181b513a56715c4af2f3cb9af7b96ad208408b091cdd0574e4580a9cea3d07e728631f12c201e02156fa666354c30506f5a52ddc15f86ce6750055de3a5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
8c452a1c4da67abaf62c54188d515089

SHA1
c4855e85e45ff1e44ca90f65ce48f9afb94685c4

SHA256
68c0bfab62b691e42fe4de07283b43e76193e82c73ace1e30300ae704988d4b5

SHA512
7ed343706441286f90edcfd869f565765f6998110f0d2e6679f6621a73894615daa4b0044080ed622865ebeb966d258785ac9b818874882084808849cd3c740e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
3644b24408c2924c349231705e2fa701

SHA1
53a94c5a2c05b4bfb6c4d2273c51c4f250d9999e

SHA256
42fbec986e624ea66a294b7a78b4d52710a14fd465fa0df8436332a0a3deedc8

SHA512
ac6c9c4aae21e9acc633bd66cc82a0e87b7122cdc925be3ffb59869114308be3856cd9ef7a0d55f76e13eb75dc95cac987084e306dc1f011134570847df2261d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
3644b24408c2924c349231705e2fa701

SHA1
53a94c5a2c05b4bfb6c4d2273c51c4f250d9999e

SHA256
42fbec986e624ea66a294b7a78b4d52710a14fd465fa0df8436332a0a3deedc8

SHA512
ac6c9c4aae21e9acc633bd66cc82a0e87b7122cdc925be3ffb59869114308be3856cd9ef7a0d55f76e13eb75dc95cac987084e306dc1f011134570847df2261d

Download Submit
memory/548-133-0x00000000008D0000-0x000000000148D000-memory.dmp

Filesize
11.7MB

Download
memory/808-134-0x00000000008D0000-0x000000000148D000-memory.dmp

Filesize
11.7MB

Download
memory/4712-180-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-223-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-225-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-226-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-181-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-182-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-183-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-184-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4712-224-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-141-0x00007FFB12B70000-0x00007FFB12B80000-memory.dmp

Filesize
64KB

Download
memory/4760-140-0x00007FFB12B70000-0x00007FFB12B80000-memory.dmp

Filesize
64KB

Download
memory/4760-139-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-138-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-137-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-136-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-135-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-178-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-176-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-177-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download
memory/4760-179-0x00007FFB14BD0000-0x00007FFB14BE0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads