Overview

overview

10

Static

static

10

731adcf2d7...61.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    133s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-07-2023 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161.exe

  • Size

    2.9MB

  • MD5

    173c4085c23080d9fb19280cc507d28d

  • SHA1

    a186c08d3d10885ebb129b1a0d8ea0da056fc362

  • SHA256

    731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161

  • SHA512

    626c4dbc60988566446e2e59840953cb53ec9ad64914ab2758519941f60aa27db9ff574a188cf32039690f1f34a6834f8c3804f2aa1f89b409d9a98c07ea8267

  • SSDEEP

    49152:rAnCsMZjVpVbl4D5GzNMFsl4UROAUc1y32ZxJFi4N1/RgaJ2w1M:rAnCs8pVblGyNM+l4UxUc1BhFDvww1M

Score
10/10
blackcatransomware

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    CREDITONE\Administrator
  • Password:
    K3ny@2009
  • Username:
    CREDITONE\bexec
  • Password:
    CloneD1sk4Song$%
  • Username:
    CREDITONE\KLarry
  • Password:
    Kl..2021
  • Username:
    CREDITONE\BKuhl
  • Password:
    Gromit2021!
  • Username:
    CREDITONE\rlopez
  • Password:
    Victoria7856!
  • Username:
    CREDITONE\EJaramilla
  • Password:
    1LoveVeros4
  • Username:
    .\Administrator
  • Password:
    $fiji12$
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    7954i9r

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/336eb50d-ebf8-436b-937d-ec075de46e7f/419ef3f950d9f346cf86db56db453539dcd51567ea871728e78dbc9918c7efeb >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • BlackCat

    A Rust-based ransomware sold as RaaS first seen in late 2021.

    ransomwareblackcat
  • Modifies registry class 13 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 41 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161.exe
    "C:\Users\Admin\AppData\Local\Temp\731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161.exe"
    1⤵
      PID:2192
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadLock.kix
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4140
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4000
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RedoStart.ex_
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1320

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2192-122-0x0000000000400000-0x00000000006F3000-memory.dmp

      Filesize

      2.9MB

      Download