Resubmissions
25-09-2023 22:55
230925-2wd9xadh33 10 25-09-2023 22:53
230925-2t7hnscf3w 10 25-09-2023 13:16
230925-qh75aafa7s 10 25-09-2023 13:05
230925-qbt9vagc74 10 25-09-2023 13:00
230925-p8r1bafa2y 10
Analysis
-
max time kernel
600s -
max time network
572s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system -
submitted
25-09-2023 13:16
Behavioral task
behavioral1
Sample
blackcat.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
blackcat.exe
Resource
win10v2004-20230915-en
General
-
Target
blackcat.exe
-
Size
2.6MB
-
MD5
bb266486ee8ac70c0687989e02cefa14
-
SHA1
11203786b17bb3873d46acae32a898c8dac09850
-
SHA256
0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
-
SHA512
a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
-
SSDEEP
49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8
Malware Config
Extracted
blackcat
- Username: KELLERSUPPLY\Administrator - Password: d@gw00d
- Username: KELLERSUPPLY\AdminRecovery - Password: K3ller!$Supp1y
- Username: .\Administrator - Password: d@gw00d
- Username: .\Administrator - Password: K3ller!$Supp1y
-
enable_network_discovery
true
-
enable_self_propagation
false
-
enable_set_wallpaper
true
-
extension
sykffle
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}
Extracted
C:\RECOVER-sykffle-FILES.txt
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=o4vkB35mK95%2Fk%2F6LXtvFewoSfmQmAYSoQ4F9vLvvtZCqUEf5IrZprdiYt3GSEvaowin2agKM%2FytyWC8pcB%2BGrd8LgqM9BeJR1LjJaDVIwPIuyOy61VCBqNSd2AKNwaj3gWHiFHnD9W10r3yc8c%2F2COSIxgv7uL%2FLp3pI0rdhB00h4wcm53qbAwKfgsSNQaFHccrqm4NgBLgMER4CVOkfblottmByOxSZHlQjXD8GN8Pf1Y04EQCvgJAewpu2oDIMrSu7gUOrKwaRjZtkvJp90GgHr9uGLWc2p71G9yq06ka6mwpET7ZI15XlKnELUL7qm1Ewkqt%2Bsjkzey9wJZceEg%3D%3D
Signatures
-
BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 3 IoCs
pid Process
3400 alg.exe
3068 DiagnosticsHub.StandardCollector.Service.exe
4248 fxssvc.exe
-
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045988481-1457812719-2617974652-1000 alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045988481-1457812719-2617974652-1000\EnableNotifications = "0" alg.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\Z: blackcat.exe
File opened (read-only) \??\E: alg.exe
File opened (read-only) \??\J: alg.exe
File opened (read-only) \??\U: alg.exe
File opened (read-only) \??\G: alg.exe
File opened (read-only) \??\K: alg.exe
File opened (read-only) \??\L: alg.exe
File opened (read-only) \??\P: alg.exe
File opened (read-only) \??\Q: alg.exe
File opened (read-only) \??\S: alg.exe
File opened (read-only) \??\T: alg.exe
File opened (read-only) \??\W: alg.exe
File opened (read-only) \??\X: alg.exe
File opened (read-only) \??\M: alg.exe
File opened (read-only) \??\R: alg.exe
File opened (read-only) \??\V: alg.exe
File opened (read-only) \??\H: alg.exe
File opened (read-only) \??\I: alg.exe
File opened (read-only) \??\N: alg.exe
File opened (read-only) \??\O: alg.exe
File opened (read-only) \??\Y: alg.exe
-
Drops file in System32 directory 41 IoCs
description ioc Process
File opened for modification \??\c:\windows\SysWOW64\lsass.exe blackcat.exe
File opened for modification \??\c:\windows\system32\Appvclient.exe alg.exe
File opened for modification \??\c:\windows\system32\msiexec.exe alg.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe alg.exe
File opened for modification \??\c:\windows\system32\alg.exe blackcat.exe
File opened for modification \??\c:\windows\system32\lsass.exe blackcat.exe
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe blackcat.exe
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe blackcat.exe
File opened for modification \??\c:\windows\syswow64\perfhost.exe alg.exe
File created \??\c:\windows\SysWOW64\khakbiig.tmp blackcat.exe
File opened for modification \??\c:\windows\system32\lsass.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe blackcat.exe
File created \??\c:\windows\SysWOW64\lnlgdacm.tmp blackcat.exe
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe blackcat.exe
File opened for modification \??\c:\windows\system32\spectrum.exe alg.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe alg.exe
File opened for modification \??\c:\windows\system32\searchindexer.exe alg.exe
File opened for modification \??\c:\windows\system32\svchost.exe blackcat.exe
File opened for modification \??\c:\windows\SysWOW64\alg.exe blackcat.exe
File created \??\c:\windows\system32\nbolbacb.tmp blackcat.exe
File opened for modification \??\c:\windows\system32\msdtc.exe alg.exe
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe alg.exe
File opened for modification \??\c:\windows\system32\sensordataservice.exe alg.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe alg.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe blackcat.exe
File created \??\c:\windows\system32\diagsvcs\jgpehhog.tmp blackcat.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe alg.exe
File opened for modification \??\c:\windows\system32\tieringengineservice.exe alg.exe
File opened for modification \??\c:\windows\system32\vds.exe alg.exe
File opened for modification \??\c:\windows\system32\Agentservice.exe alg.exe
File opened for modification \??\c:\windows\system32\Appvclient.exe blackcat.exe
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe blackcat.exe
File opened for modification \??\c:\windows\system32\svchost.exe alg.exe
File created \??\c:\windows\system32\ngjbnogb.tmp blackcat.exe
File opened for modification \??\c:\windows\system32\dllhost.exe alg.exe
File opened for modification \??\c:\windows\system32\locator.exe alg.exe
File opened for modification \??\c:\windows\system32\wbengine.exe alg.exe
File created \??\c:\windows\system32\aokfbbai.tmp blackcat.exe
File opened for modification \??\c:\windows\system32\dllhost.exe blackcat.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe blackcat.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" blackcat.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" blackcat.exe
-
Drops file in Program Files directory 33 IoCs
description ioc Process
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe alg.exe
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\bmeehklg.tmp alg.exe
File created C:\Program Files\7-Zip\nccafaqk.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp alg.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\olemadei.tmp alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe alg.exe
File created \??\c:\program files\google\chrome\Application\106.0.5249.119\mcbhagfa.tmp alg.exe
File created C:\Program Files\7-Zip\gkooamha.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp alg.exe
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe alg.exe
File created \??\c:\program files\common files\microsoft shared\source engine\hcgjefid.tmp alg.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe alg.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp alg.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe blackcat.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe alg.exe
File created \??\c:\program files (x86)\mozilla maintenance service\cekjlejd.tmp alg.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe alg.exe
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe alg.exe
File created C:\Program Files\7-Zip\cedpmnkl.tmp alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe alg.exe
-
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe blackcat.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe alg.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
4824 vssadmin.exe
1248 vssadmin.exe
-
Modifies Control Panel 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\WallpaperStyle = "0" blackcat.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1676 blackcat.exe (2 entries)
3400 alg.exe (62 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 2312 WMIC.exe (2 entries)
Token: SeSecurityPrivilege 2312 WMIC.exe (2 entries)
Token: SeTakeOwnershipPrivilege 2312 WMIC.exe (2 entries)
Token: SeLoadDriverPrivilege 2312 WMIC.exe (2 entries)
Token: SeSystemProfilePrivilege 2312 WMIC.exe (2 entries)
Token: SeSystemtimePrivilege 2312 WMIC.exe (2 entries)
Token: SeProfSingleProcessPrivilege 2312 WMIC.exe (2 entries)
Token: SeIncBasePriorityPrivilege 2312 WMIC.exe (2 entries)
Token: SeCreatePagefilePrivilege 2312 WMIC.exe (2 entries)
Token: SeBackupPrivilege 2312 WMIC.exe (2 entries)
Token: SeRestorePrivilege 2312 WMIC.exe (2 entries)
Token: SeShutdownPrivilege 2312 WMIC.exe (2 entries)
Token: SeDebugPrivilege 2312 WMIC.exe (2 entries)
Token: SeSystemEnvironmentPrivilege 2312 WMIC.exe (2 entries)
Token: SeRemoteShutdownPrivilege 2312 WMIC.exe (2 entries)
Token: SeUndockPrivilege 2312 WMIC.exe (2 entries)
Token: SeManageVolumePrivilege 2312 WMIC.exe (2 entries)
Token: 33 2312 WMIC.exe (2 entries)
Token: 34 2312 WMIC.exe (2 entries)
Token: 35 2312 WMIC.exe (2 entries)
Token: 36 2312 WMIC.exe (2 entries)
Token: SeBackupPrivilege 392 vssvc.exe
Token: SeRestorePrivilege 392 vssvc.exe
Token: SeAuditPrivilege 392 vssvc.exe
Token: SeTakeOwnershipPrivilege 1676 blackcat.exe
Token: SeBackupPrivilege 3844 vssvc.exe
Token: SeRestorePrivilege 3844 vssvc.exe
Token: SeAuditPrivilege 3844 vssvc.exe
Token: SeAuditPrivilege 4248 fxssvc.exe
Token: SeTakeOwnershipPrivilege 3400 alg.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target
PID 2980 wrote to memory of 3752 2980 cmd.exe 102 (3 entries)
PID 2980 wrote to memory of 1676 2980 cmd.exe 104 (3 entries)
PID 1676 wrote to memory of 3248 1676 blackcat.exe 105 (3 entries)
PID 3248 wrote to memory of 2312 3248 cmd.exe 107 (3 entries)
PID 1676 wrote to memory of 3236 1676 blackcat.exe 108 (3 entries)
PID 3236 wrote to memory of 3560 3236 cmd.exe 110 (3 entries)
PID 1676 wrote to memory of 5040 1676 blackcat.exe 111 (3 entries)
PID 5040 wrote to memory of 4400 5040 cmd.exe 113 (3 entries)
PID 1676 wrote to memory of 1484 1676 blackcat.exe 114 (2 entries)
PID 1676 wrote to memory of 2988 1676 blackcat.exe 117 (3 entries)
PID 2988 wrote to memory of 2020 2988 cmd.exe 118 (3 entries)
PID 1484 wrote to memory of 4824 1484 cmd.exe 119 (2 entries)
PID 1676 wrote to memory of 2736 1676 blackcat.exe 120 (3 entries)
PID 2736 wrote to memory of 1664 2736 cmd.exe 123 (3 entries)
PID 1676 wrote to memory of 4656 1676 blackcat.exe 128 (2 entries)
PID 4656 wrote to memory of 1248 4656 cmd.exe 131 (2 entries)
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\blackcat.exe
  "C:\Users\Admin\AppData\Local\Temp\blackcat.exe"
  PID:4184
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID:2980
  - C:\Users\Admin\AppData\Local\Temp\blackcat.exe
    blackcat.exe -h
    PID:3752
  - C:\Users\Admin\AppData\Local\Temp\blackcat.exe
    blackcat.exe -a 1234567 -v
    - Enumerates connected drives
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
    - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "wmic csproduct get UUID"
      - Suspicious use of WriteProcessMemory
      PID:3248
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get UUID
        - Suspicious use of AdjustPrivilegeToken
        PID:2312
    - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      - Suspicious use of WriteProcessMemory
      PID:3236
      - C:\Windows\SysWOW64\fsutil.exe
        fsutil behavior set SymlinkEvaluation R2L:1
        PID:3560
    - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
      - Suspicious use of WriteProcessMemory
      PID:5040
      - C:\Windows\SysWOW64\fsutil.exe
        fsutil behavior set SymlinkEvaluation R2R:1
        PID:4400
    - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - Suspicious use of WriteProcessMemory
      PID:1484
      - C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
        PID:4824
    - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
      - Suspicious use of WriteProcessMemory
      PID:2988
      - C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
        PID:2020
    - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "arp -a"
      - Suspicious use of WriteProcessMemory
      PID:2736
      - C:\Windows\SysWOW64\ARP.EXE
        arp -a
        PID:1664
    - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - Suspicious use of WriteProcessMemory
      PID:4656
      - C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
        PID:1248
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3400
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID:3068
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID:2052
- C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.0MB
MD5 7341809b4afc3bb452855d18c06c0db8
SHA1 76da2f5a69a51e398e9ada438edec6ec911f7499
SHA256 694179f0037009786a7464a647772ef8bf4be9d40ad1fb229d3c5bf8cec553a7
SHA512 d6e5dcc8c8e039828d85290e364780fa9f6a4ad99590a6f031a29cee732b49b99e84deec341b6ea79112cc5f08b76bc059b7f4cf8cc79cf637e8654650789a2b
-
Filesize 1KB
MD5 9e1aa84061dc27a3300925feee1a6aa4
SHA1 b3be79f44634fe8a9c1bd279ecff3474386d2a45
SHA256 ffc3f977f0a102f3ee1c04368703e03c0a60e125e4e2642d28eab41ac485aa31
SHA512 52bff09df291e00015c056c1a37ebad16c35e72089b49eb35bdf2b95e711057feca75148992cea5f5bf75f8d8b3f405e6612729af94d632a182adadd7c27acc5
-
Filesize 629KB
MD5 ad17cde2ea26f047cde42213f907c7f2
SHA1 22aeb3bc8c334edc890ea361e37d4f52067bae62
SHA256 34c0ae85398b86f828434acd8e4dfba9d57b8bd274e924f8b081f52c066300df
SHA512 a9d48d8c91429d8c94f27dd16982ece3ff8435319a51c507f539bf2fc8016c538a8db1b3a90dc1892448a8079048c36f0d266a552fb617caa0affbdc79437a1a
-
Filesize 3KB
MD5 ec07ab4d75267d39784da0611b8d26d0
SHA1 3dd155942a4993a7887b0d70e033b3f3a9e5653a
SHA256 b61e68e4ded886db073e2e35ef51b6cf09de3ed4c3413e7dc8077b200f89e26c
SHA512 7d36b50ca2992e0ea0ad7211cde1bc52d1b981dd87a4fcd6743a3037e91ac46e456889b6e8eec6d452374e00bd0e7664a4c0fbf895f99dfabb5ba166d7a8fe01
-
Filesize 491KB
MD5 a54f87177480b5deb027021815b20cb4
SHA1 fabd2f27d1ffbfd568fefaba056c620f100dca60
SHA256 f1fc94e8dc5ea4f044ed761b319f48c6f374c8aff342ab677e0668c87ea84850
SHA512 8322db830d48e6afe600df8e1fae2d8bd38487b0408d9e7729a10cf40c454093202fe7ed3f0649ff8e5c28764a58badd6f04366ebbea3f969f897779d3dc293b
-
Filesize 1.0MB
MD5 3154209a631564e8edf23882dcd1237f
SHA1 8734bcfa871a31fb7cb3daf4f22a3969b837ee76
SHA256 70dc2093b74134f0494799534f0d430bdf7706a63de87d054295ca74a5254940
SHA512 5e7993511779c29d8c24608e7f4e463a514053729c8eb38205c5389c546b778f475aa83503916f59d842010529f64d80972904cff5e5c9d75435c1d50aad6ff1
-
Filesize 493KB
MD5 eaafc608810c62546f80dd2e744f1e94
SHA1 b1a1cfedf1cff29c7971ad26cf50cf94f90dac59
SHA256 3b206bfe4922fe65f223928aeb9db4ecec8bec997feda0e3c86f20eb974163bf
SHA512 206e258e15be9eba28535c83de47601ca2171803193e1e34f6d2058c085cc02a617e99a44db19a754b25acfca9029a2d54aaf7aa86d6b174aeb281f8175f1c7f
-
Filesize 1.1MB
MD5 20fdd3237751b581a0eb27923167f48e
SHA1 e97c2293dc5aa9cb5e443a6f1233d269d5390bf6
SHA256 3427145936d2d1cf5b07f04ef675272e34cfbd1f431a49659e50cc2dd4c0ea43
SHA512 6e638f05a18545cc7dc172105ad60358b26bcae773cf7795bbff62ff191013ec33046fd6ce33f94ef4a0c8408a2c9aa093edeb07f54479fafb9657f2079fbed0
-
Filesize 1.0MB
MD5 3154209a631564e8edf23882dcd1237f
SHA1 8734bcfa871a31fb7cb3daf4f22a3969b837ee76
SHA256 70dc2093b74134f0494799534f0d430bdf7706a63de87d054295ca74a5254940
SHA512 5e7993511779c29d8c24608e7f4e463a514053729c8eb38205c5389c546b778f475aa83503916f59d842010529f64d80972904cff5e5c9d75435c1d50aad6ff1