Resubmissions

25-09-2023 22:55

230925-2wd9xadh33 10

25-09-2023 22:53

230925-2t7hnscf3w 10

25-09-2023 13:16

230925-qh75aafa7s 10

25-09-2023 13:05

230925-qbt9vagc74 10

25-09-2023 13:00

230925-p8r1bafa2y 10

General

  • Target

    blackcat.exe

  • Size

    2.6MB

  • Sample

    230925-qh75aafa7s

  • MD5

    bb266486ee8ac70c0687989e02cefa14

  • SHA1

    11203786b17bb3873d46acae32a898c8dac09850

  • SHA256

    0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

  • SHA512

    a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4

  • SSDEEP

    49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    KELLERSUPPLY\Administrator
  • Password:
    d@gw00d
  • Username:
    KELLERSUPPLY\AdminRecovery
  • Password:
    K3ller!$Supp1y
  • Username:
    .\Administrator
  • Password:
    d@gw00d
  • Username:
    .\Administrator
  • Password:
    K3ller!$Supp1y
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    false

  • enable_set_wallpaper

    true

  • extension

    sykffle

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note
>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=o4vkB35mK95%2Fk%2F6LXtvFewoSfmQmAYSoQ4F9vLvvtZCqUEf5IrZprdiYt3GSEvaowin2agKM%2FytyWC8pcB%2BGrd8LgqM9BeJR1LjJaDVIwPIuyOy61VCBqNSd2AKNwaj3gWHiFHnD9W10r3yc8c%2F2COSIxgv7uL%2FLp3pI0rdhB00h4wcm53qbAwKfgsSNQaFHccrqm4NgBLgMER4CVOkfblottmByOxSZHlQjXD8GN8Pf1Y04EQCvgJAewpu2oDIMrSu7gUOrKwaRjZtkvJp90GgHr9uGLWc2p71G9yq06ka6mwpET7ZI15XlKnELUL7qm1Ewkqt%2Bsjkzey9wJZceEg%3D%3D
URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=o4vkB35mK95%2Fk%2F6LXtvFewoSfmQmAYSoQ4F9vLvvtZCqUEf5IrZprdiYt3GSEvaowin2agKM%2FytyWC8pcB%2BGrd8LgqM9BeJR1LjJaDVIwPIuyOy61VCBqNSd2AKNwaj3gWHiFHnD9W10r3yc8c%2F2COSIxgv7uL%2FLp3pI0rdhB00h4wcm53qbAwKfgsSNQaFHccrqm4NgBLgMER4CVOkfblottmByOxSZHlQjXD8GN8Pf1Y04EQCvgJAewpu2oDIMrSu7gUOrKwaRjZtkvJp90GgHr9uGLWc2p71G9yq06ka6mwpET7ZI15XlKnELUL7qm1Ewkqt%2Bsjkzey9wJZceEg%3D%3D

Targets

    • Target

      blackcat.exe

    • Size

      2.6MB

    • MD5

      bb266486ee8ac70c0687989e02cefa14

    • SHA1

      11203786b17bb3873d46acae32a898c8dac09850

    • SHA256

      0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

    • SHA512

      a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4

    • SSDEEP

      49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

    • BlackCat

      A Rust-based ransomware sold as RaaS first seen in late 2021.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (152) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks