blackcat | 0ee645a3771e9247b7fa55496c35ee65cae86213be5702b6c2ea07c4be984a12

General

Target

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat ransomware

Malware Config

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1552	WINWORD.EXE
1552	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4444	OpenWith.exe
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
"C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
1⤵
PID:4376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
memory/1552-17-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-59-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-16-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-6-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-5-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-8-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-9-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-10-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-11-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-12-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-7-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-13-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-14-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-15-0x00007FF988B50000-0x00007FF988B60000-memory.dmp

Filesize
64KB

Download
memory/1552-3-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-18-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-4-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-19-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-20-0x00007FF988B50000-0x00007FF988B60000-memory.dmp

Filesize
64KB

Download
memory/1552-60-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-34-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-35-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-36-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-53-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-54-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-55-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-56-0x00007FF98AFB0000-0x00007FF98AFC0000-memory.dmp

Filesize
64KB

Download
memory/1552-57-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/1552-58-0x00007FF9CAF30000-0x00007FF9CB125000-memory.dmp

Filesize
2.0MB

Download
memory/4376-2-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4376-0-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads