Overview

overview

10

Static

static

3

BlackBit.exe

windows7-x64

10

BlackBit.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2023, 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BlackBit.exe

  • Size

    499KB

  • MD5

    7ef84720d7b30286bff9483fe53bba62

  • SHA1

    b8dbb845cc37fa555d5a3f52e4bbb76aa2be0933

  • SHA256

    9763da5ee688a2391599a22638a84cbc7f99e32cd6865eac4621cc427f6c3a63

  • SHA512

    3dde93035b9824256613ba4d93cafa9f43c037953d26ca9390bbda8feca477c0fe149bee4730362cee3b0b2d89ca825bba7243d43665adc8c5272863a33f718e

  • SSDEEP

    12288:Dh1Lk70Tnvjcg27dWy1fX6qOLzvkLek4v+KXdPeA:fk70TrcbT56qOHv31PJv

Score
10/10
evasionransomwaretrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlackBit.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackBit.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops startup file
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN BlackBit /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:1592
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rs4a2t13\rs4a2t13.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536E.tmp" "c:\ProgramData\CSC352E94E7E50442B5962F1A7C2F2BD21.TMP"
        3⤵
          PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
        2⤵
          PID:1040
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          2⤵
            PID:1532
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            2⤵
              PID:636
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall set currentprofile state off
                3⤵
                • Modifies Windows Firewall
                PID:1856
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:872
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall set opmode mode=disable
                3⤵
                • Modifies Windows Firewall
                PID:1728
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              2⤵
                PID:856
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:828

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\n2m2luwa.exe
              Filesize

              108KB

              MD5

              6aad6c003cf15ec5c54a44bddc28db3b

              SHA1

              d54048eed832182d038fe8632f171eca8749b7ee

              SHA256

              eaea0759a7b943a011aad783df6d534ccc8cbcf92569aae19748a3ff371c477f

              SHA512

              fce08c03ebcef3d59262bdda3e726612e3c89f0d3af1766045dc908696afe89d82d2840753d7db6e397dd3763901bea33ecd85e68f2064cb072b1e6c5e9f9253

              Download Submit

            • C:\ProgramData\winlogon.exe
              Filesize

              499KB

              MD5

              7ef84720d7b30286bff9483fe53bba62

              SHA1

              b8dbb845cc37fa555d5a3f52e4bbb76aa2be0933

              SHA256

              9763da5ee688a2391599a22638a84cbc7f99e32cd6865eac4621cc427f6c3a63

              SHA512

              3dde93035b9824256613ba4d93cafa9f43c037953d26ca9390bbda8feca477c0fe149bee4730362cee3b0b2d89ca825bba7243d43665adc8c5272863a33f718e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RES536E.tmp
              Filesize

              105KB

              MD5

              4d33cdd0e302133ff98fdab6d8f6407e

              SHA1

              24662ca733af7562cb29a76196c3e80f7e703ea7

              SHA256

              3d66a454ee42f1489908f5cdc042786c5533136133e8803f8a442e8309e8ff75

              SHA512

              dcb44963dad715717ed776ed02f689215f43618db46faed9b4a5b0d96381edf1cc1d5c2df10f507dfa0cbcb5af320225cb78fb2da6907742762ffd621ccd401b

              Download Submit

            • \??\c:\ProgramData\CSC352E94E7E50442B5962F1A7C2F2BD21.TMP
              Filesize

              103KB

              MD5

              e60417cf16af88f18c2aa37c148c519f

              SHA1

              ec4e402124009bc6439cce1fcba15771ba79afe5

              SHA256

              d603bd10222c5a64a727f97c52f210fc242112080193d1894f92cf163b3c7ccf

              SHA512

              c2a9ac466aadb865831146e2c0f1756929505ead55ec4350c0f00d1c4402f02cce41140da9d672748cbbb36eb87c0e8fb14b8d8b37760d798bf70ef37648afb3

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\rs4a2t13\rs4a2t13.0.cs
              Filesize

              1KB

              MD5

              99629ddb21e98a50dd5243a184d3639b

              SHA1

              f3b24cf085b18d4673415968f49a48125156b8fe

              SHA256

              6d0d3df5ae257a29f15b38d28677a7d552d6af3d6318fab86d2e885ab9c5e6f6

              SHA512

              02ef972fb5d9d06e5cd2bc94949dc0229de28d9f64aa0489a2c24cc3ed4a5f814f5e0705376a929aa7d07f9f41d0d6e1291264ead792080f1cbdc0fef8b47182

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\rs4a2t13\rs4a2t13.cmdline
              Filesize

              236B

              MD5

              d09f8bbbf31f93ea2dd793cd62111f9c

              SHA1

              0da4b384ec4b19cabb0b64308a07a0184e09c217

              SHA256

              c0d57336530c5e61bf31c0a7b9e51ba12162042675afc4514524a54e558be083

              SHA512

              fa80417c6680199c09cfff517737afd985db947269ff4981d61f13d03b5dc36844beb73cd5caa2bd63a57924a9f0f46ff4058e339dd48ed8a82102dddcffd159

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\wxpmdsht.ico
              Filesize

              102KB

              MD5

              305c2042777e67710483e58acc04ac2c

              SHA1

              d68e4090e313e6b814ca795980c2bc054df78a77

              SHA256

              f9ddf619ca0266055744c2beca77673aa41702104b459a0f55de3945196b6c50

              SHA512

              0e55fe1cacda339cbe207d51f7d3be2e008fc3013520ce863967443332d6647c80d48959a84c5885f53c9b6cf66046e4b9065c840b35d1975bbec63b7fc24203

              Download Submit

            • memory/2000-87-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-95-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-59-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-61-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-63-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-65-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-67-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-69-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-72-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-74-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-75-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-77-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-71-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-79-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-81-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-83-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-85-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-56-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-89-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-91-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-93-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-57-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-97-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-99-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-101-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-103-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-105-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-107-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-109-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-111-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-113-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-115-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-117-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-119-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-121-0x0000000004780000-0x0000000004825000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2000-3337-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-3344-0x00000000055C0000-0x00000000055F8000-memory.dmp

              Filesize

              224KB

              Download

            • memory/2000-3351-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-55-0x0000000004780000-0x000000000482A000-memory.dmp

              Filesize

              680KB

              Download

            • memory/2000-54-0x00000000048A0000-0x000000000494C000-memory.dmp

              Filesize

              688KB

              Download

            • memory/2000-3352-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-3353-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2000-3364-0x0000000004860000-0x00000000048A0000-memory.dmp

              Filesize

              256KB

              Download