blackcat | 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

Resubmissions

25-09-2023 22:55

230925-2wd9xadh33 10

25-09-2023 22:53

25-09-2023 13:16

25-09-2023 13:05

25-09-2023 13:00

Analysis

max time kernel
231s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2023 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blackcat.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=ofxtqXVtehGhd%2FM1%2BW7n5iVIrnzOVt755SYbzReOqI%2F1ElZBG5zJZcTql1uTWKKuwijscCtpsridvGYEEyKb6OMd5pUha5Epi0suGlWVMF7byOWYdDzy4m1OMNDiDe%2FB71Y8PGgjo4wm7%2BtZ0VQaoWYJV39%2Fqe%2Be0ihkF0InbZisFct8d5A5Vx20e3nC9q%2BjYpxYKAUyLyW6brsiP1KtLXT%2B1XweQ2Nk8nDMgVlN1X5hR3TfU1%2Fi0yj8S5WopqVMRJGF6Xi6NhX%2FTdUExjZ63ylEqtLUSFOQaYiKedGN4UBRDuVgHJVzMdzKHsqHCYrpvCNEP3q4nOXxKzImvBt2Fw%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=ofxtqXVtehGhd%2FM1%2BW7n5iVIrnzOVt755SYbzReOqI%2F1ElZBG5zJZcTql1uTWKKuwijscCtpsridvGYEEyKb6OMd5pUha5Epi0suGlWVMF7byOWYdDzy4m1OMNDiDe%2FB71Y8PGgjo4wm7%2BtZ0VQaoWYJV39%2Fqe%2Be0ihkF0InbZisFct8d5A5Vx20e3nC9q%2BjYpxYKAUyLyW6brsiP1KtLXT%2B1XweQ2Nk8nDMgVlN1X5hR3TfU1%2Fi0yj8S5WopqVMRJGF6Xi6NhX%2FTdUExjZ63ylEqtLUSFOQaYiKedGN4UBRDuVgHJVzMdzKHsqHCYrpvCNEP3q4nOXxKzImvBt2Fw%3D%3D

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
5844	alg.exe
6096	DiagnosticsHub.StandardCollector.Service.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2344688013-2965468717-2034126-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2344688013-2965468717-2034126-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Z:	blackcat.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	blackcat.exe
File created	\??\c:\windows\system32\diagsvcs\iaglhkll.tmp	blackcat.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\alg.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	blackcat.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	blackcat.exe
File created	\??\c:\windows\system32\oimhealj.tmp	blackcat.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	blackcat.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	blackcat.exe
File created	\??\c:\windows\system32\poidhcef.tmp	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	blackcat.exe
File created	\??\c:\windows\SysWOW64\ehcmlemk.tmp	blackcat.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	blackcat.exe
File created	\??\c:\windows\system32\kokfgeqo.tmp	blackcat.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	blackcat.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\SysWOW64\fcakdopl.tmp	blackcat.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	blackcat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	blackcat.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\depcfdgi.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\olhcopjc.tmp	alg.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\fnffckac.tmp	alg.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\bmkkfahp.tmp	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3892	vssadmin.exe
6060	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\Desktop\WallpaperStyle = "0"	blackcat.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3888	blackcat.exe
3888	blackcat.exe
5844	alg.exe
5844	alg.exe
5844	alg.exe
5844	alg.exe
5844	alg.exe
5844	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3236	WMIC.exe
Token: SeSecurityPrivilege	3236	WMIC.exe
Token: SeTakeOwnershipPrivilege	3236	WMIC.exe
Token: SeLoadDriverPrivilege	3236	WMIC.exe
Token: SeSystemProfilePrivilege	3236	WMIC.exe
Token: SeSystemtimePrivilege	3236	WMIC.exe
Token: SeProfSingleProcessPrivilege	3236	WMIC.exe
Token: SeIncBasePriorityPrivilege	3236	WMIC.exe
Token: SeCreatePagefilePrivilege	3236	WMIC.exe
Token: SeBackupPrivilege	3236	WMIC.exe
Token: SeRestorePrivilege	3236	WMIC.exe
Token: SeShutdownPrivilege	3236	WMIC.exe
Token: SeDebugPrivilege	3236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3236	WMIC.exe
Token: SeRemoteShutdownPrivilege	3236	WMIC.exe
Token: SeUndockPrivilege	3236	WMIC.exe
Token: SeManageVolumePrivilege	3236	WMIC.exe
Token: 33	3236	WMIC.exe
Token: 34	3236	WMIC.exe
Token: 35	3236	WMIC.exe
Token: 36	3236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3236	WMIC.exe
Token: SeSecurityPrivilege	3236	WMIC.exe
Token: SeTakeOwnershipPrivilege	3236	WMIC.exe
Token: SeLoadDriverPrivilege	3236	WMIC.exe
Token: SeSystemProfilePrivilege	3236	WMIC.exe
Token: SeSystemtimePrivilege	3236	WMIC.exe
Token: SeProfSingleProcessPrivilege	3236	WMIC.exe
Token: SeIncBasePriorityPrivilege	3236	WMIC.exe
Token: SeCreatePagefilePrivilege	3236	WMIC.exe
Token: SeBackupPrivilege	3236	WMIC.exe
Token: SeRestorePrivilege	3236	WMIC.exe
Token: SeShutdownPrivilege	3236	WMIC.exe
Token: SeDebugPrivilege	3236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3236	WMIC.exe
Token: SeRemoteShutdownPrivilege	3236	WMIC.exe
Token: SeUndockPrivilege	3236	WMIC.exe
Token: SeManageVolumePrivilege	3236	WMIC.exe
Token: 33	3236	WMIC.exe
Token: 34	3236	WMIC.exe
Token: 35	3236	WMIC.exe
Token: 36	3236	WMIC.exe
Token: SeBackupPrivilege	2972	vssvc.exe
Token: SeRestorePrivilege	2972	vssvc.exe
Token: SeAuditPrivilege	2972	vssvc.exe
Token: SeTakeOwnershipPrivilege	3888	blackcat.exe
Token: SeBackupPrivilege	6128	vssvc.exe
Token: SeRestorePrivilege	6128	vssvc.exe
Token: SeAuditPrivilege	6128	vssvc.exe
Token: SeTakeOwnershipPrivilege	5844	alg.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4192	2392	cmd.exe	109
PID 2392 wrote to memory of 4192	2392	cmd.exe	109
PID 2392 wrote to memory of 4192	2392	cmd.exe	109
PID 2392 wrote to memory of 3888	2392	cmd.exe	116
PID 2392 wrote to memory of 3888	2392	cmd.exe	116
PID 2392 wrote to memory of 3888	2392	cmd.exe	116
PID 3888 wrote to memory of 4084	3888	blackcat.exe	117
PID 3888 wrote to memory of 4084	3888	blackcat.exe	117
PID 3888 wrote to memory of 4084	3888	blackcat.exe	117
PID 4084 wrote to memory of 3236	4084	cmd.exe	119
PID 4084 wrote to memory of 3236	4084	cmd.exe	119
PID 4084 wrote to memory of 3236	4084	cmd.exe	119
PID 3888 wrote to memory of 4892	3888	blackcat.exe	121
PID 3888 wrote to memory of 4892	3888	blackcat.exe	121
PID 3888 wrote to memory of 4892	3888	blackcat.exe	121
PID 4892 wrote to memory of 2784	4892	cmd.exe	123
PID 4892 wrote to memory of 2784	4892	cmd.exe	123
PID 4892 wrote to memory of 2784	4892	cmd.exe	123
PID 3888 wrote to memory of 940	3888	blackcat.exe	124
PID 3888 wrote to memory of 940	3888	blackcat.exe	124
PID 3888 wrote to memory of 940	3888	blackcat.exe	124
PID 940 wrote to memory of 4120	940	cmd.exe	126
PID 940 wrote to memory of 4120	940	cmd.exe	126
PID 940 wrote to memory of 4120	940	cmd.exe	126
PID 3888 wrote to memory of 4520	3888	blackcat.exe	127
PID 3888 wrote to memory of 4520	3888	blackcat.exe	127
PID 3888 wrote to memory of 4172	3888	blackcat.exe	129
PID 3888 wrote to memory of 4172	3888	blackcat.exe	129
PID 3888 wrote to memory of 4172	3888	blackcat.exe	129
PID 4172 wrote to memory of 4216	4172	cmd.exe	131
PID 4172 wrote to memory of 4216	4172	cmd.exe	131
PID 4172 wrote to memory of 4216	4172	cmd.exe	131
PID 4520 wrote to memory of 3892	4520	cmd.exe	132
PID 4520 wrote to memory of 3892	4520	cmd.exe	132
PID 3888 wrote to memory of 2656	3888	blackcat.exe	133
PID 3888 wrote to memory of 2656	3888	blackcat.exe	133
PID 3888 wrote to memory of 2656	3888	blackcat.exe	133
PID 2656 wrote to memory of 2704	2656	cmd.exe	136
PID 2656 wrote to memory of 2704	2656	cmd.exe	136
PID 2656 wrote to memory of 2704	2656	cmd.exe	136
PID 2392 wrote to memory of 5756	2392	cmd.exe	139
PID 2392 wrote to memory of 5756	2392	cmd.exe	139
PID 2392 wrote to memory of 5756	2392	cmd.exe	139
PID 3888 wrote to memory of 5984	3888	blackcat.exe	142
PID 3888 wrote to memory of 5984	3888	blackcat.exe	142
PID 5984 wrote to memory of 6060	5984	cmd.exe	145
PID 5984 wrote to memory of 6060	5984	cmd.exe	145

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\blackcat.exe
"C:\Users\Admin\AppData\Local\Temp\blackcat.exe"
1⤵
PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\blackcat.exe
  blackcat.exe -h
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\blackcat.exe
  blackcat.exe -a 1234567
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "wmic csproduct get UUID"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2L:1
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2R:1
      4⤵
      PID:4120
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
      4⤵
      PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "arp -a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:2704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5984
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6060
- C:\Users\Admin\AppData\Local\Temp\blackcat.exe
  blackcat.exe -a 1234567 -v
  2⤵
  PID:5756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:6096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECOVER-sykffle-FILES.txt

Filesize
1KB

MD5
f6d2c5d57446513c2a436bddb4f63677

SHA1
b55be652ac43c3d2b6331909fe6c1e70d3bd05a5

SHA256
3f3faba3698e26d6041fbe38f7b09799e69ef8be768bac16677e7cf436e6fa1c

SHA512
553be901cd147ad5527c029bceb534dd5fe5cc27ca803cde640929e7a3b713d114fbd91d65144788390bc20a3933bbcbe4acf3043891c2329cd2958e24c1d937

Download Submit
C:\Users\Admin\AppData\Local\kkennjrk\ddnboabb.tmp

Filesize
629KB

MD5
641e14bdd76f764345559915409fc6e4

SHA1
6b557ccbb84c217d759f0c7331246d129ba0af1c

SHA256
0a792eb9445f8583592f16d7245e904f2dfddec803d387f944d0b14fd4b873b2

SHA512
78084ffb8e7e41de6f7d1153f2878c4f3c5e5448ca9b3d1f17c0f6a91bb76da7533f6e1c285067090081e4e1a5d163027213a1b057ee9cdc76c7e7f70153e321

Download Submit
C:\Users\Admin\Desktop\RECOVER-sykffle-FILES.txt.png

Filesize
3KB

MD5
ec07ab4d75267d39784da0611b8d26d0

SHA1
3dd155942a4993a7887b0d70e033b3f3a9e5653a

SHA256
b61e68e4ded886db073e2e35ef51b6cf09de3ed4c3413e7dc8077b200f89e26c

SHA512
7d36b50ca2992e0ea0ad7211cde1bc52d1b981dd87a4fcd6743a3037e91ac46e456889b6e8eec6d452374e00bd0e7664a4c0fbf895f99dfabb5ba166d7a8fe01

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
cd1eb5b634f5c5120572b25a2a6fc3ba

SHA1
60b8d0aa8419eacf45a17ebc3047b3bbf6ce25fe

SHA256
ea629b78bc2dd29e7e1912902776b3a4addfd6db00fea26263598c530c0cb836

SHA512
098c68f5cdc24af5880c5f9fecb5ee0b5818fd834b7b9605c02c1295dbffb7de00cbc5aae025e3d18ce89e4e9898bf05ba2b9e7bd2c730a3ec0c43a8ac680562

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
f735228d32ee2fb4411801ec76d64287

SHA1
907dceb89040435c59351f47970728d41828e859

SHA256
c468db0f7f0e425f2debc7bf80a22ebca25a26ae4ae89e5ebf404645f463509e

SHA512
56597577b40c9f4c49fe2737c930bc0531c459d62e272819644edd2439ed58f1d9d4e5bdd5abeb4feb708f1a33c76dac49d817282dd3038cadd15e409270a4a8

Download Submit
C:\Windows\System32\poidhcef.tmp

Filesize
1.0MB

MD5
a94df13668fbaec337f0c9dc4c47b19c

SHA1
feecbba9cbdc62c474f2038e6c671a9769728273

SHA256
f7a9ed7ea05145aa030e18bf6dce344348961992089244189fbbe7b1b2e64c7b

SHA512
9c5416ac9112b4aa8322962d4809b707ddde023f7b1043e4d0765dd83451b5a0f06cfa37f6fe8980d9de03100fab26230e18633584c829349ed4131ece1eb90d

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
5bb277ab96d27ea34cd766641ac7f4e5

SHA1
d26ba6c9e0773eb2b0cf431f03f4daad3396fede

SHA256
e97ad0c034994e5c346e30f1319c191d7aa4359f8dd0631dde40860ca9db5c4e

SHA512
decbe8367e93b3595021284b6a61f544724b278bf769a42dd7fb8d536291447ea908e4be17659551f876c5ce44f9f88a3ca14fbe8e62dc2d1fc3ad6dbeb51e68

Download Submit
memory/3888-7-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-443-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-445-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-446-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-442-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-460-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-6-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/3888-645-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4192-3-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4192-4-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4240-0-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4240-1-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4240-2-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/5844-467-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/5844-646-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/5844-648-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/6096-496-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/6096-660-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download