Overview

overview

10

Static

static

10

ecea6b7727...7c.exe

windows7-x64

10

ecea6b7727...7c.exe

windows10-2004-x64

10

Resubmissions

07-01-2024 11:13

240107-nbw3bsbfbp 10

07-12-2023 12:37

231207-ptk88aaf85 10

Analysis

  • max time kernel
    109s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe

  • Size

    2.9MB

  • MD5

    ff8a7dd8b1cb0420dd18810041d172a7

  • SHA1

    cc166bc3eaa024aac4a2cdc02174ae87fcf47e28

  • SHA256

    ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c

  • SHA512

    edac57212b21a8046ab07213bf0ea51d1f3c5c9c539812fb1dffba6663b1f74e137991128f1c3135f4c1ab2ff4b470dcc6563ecae5079546dd1f6dfda210ba60

  • SSDEEP

    49152:VUzeOdI+NDXIgqUPGPiTgvRZHrn7hQyZ9haNSAXpuNh/RgaJ2wf3:VUzekDpRGaTARZHPhQMCcyYvwwf3

Score
10/10
blackcatevasionransomware

Malware Config

Extracted

Path

C:\RECOVER-kh1ftzx-FILES.txt

Ransom Note
>> What happened? Important files on your network was ENCRYPTED and now they have "kh1ftzx" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=ZeMlxEQ%2FaXRfMUJ55ZLjG20Tb5P9PN5MMImCmv%2BOW06OVBgA9XwrPVpZpa4LvPHvce7nUZtGm6%2FHs3vkTOt9WSk165%2B3fh5y2HsLzxRF7HjEtR3iTt2N7gSB6EXBcPBErSKQszjpNXiGTEw4tOojwi3UZYE7gLwqYoyWTHdIwjmgy79RD749zJ19Fuv9jp9Wt3MFfYc9Csr7eShfjlv73YlmMejipyZdNxiNB91xLkC%2FEjWDyw4KG213SFRGKaUpVJqKXBtYYFTiWN436L2Sfi00prvb59skMlUiPyZYa0AqXa32SRbjpi4sVTnUva7WRmZOCZZR8V2MV%2FAotoSmWg%3D%3D
URLs

http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=ZeMlxEQ%2FaXRfMUJ55ZLjG20Tb5P9PN5MMImCmv%2BOW06OVBgA9XwrPVpZpa4LvPHvce7nUZtGm6%2FHs3vkTOt9WSk165%2B3fh5y2HsLzxRF7HjEtR3iTt2N7gSB6EXBcPBErSKQszjpNXiGTEw4tOojwi3UZYE7gLwqYoyWTHdIwjmgy79RD749zJ19Fuv9jp9Wt3MFfYc9Csr7eShfjlv73YlmMejipyZdNxiNB91xLkC%2FEjWDyw4KG213SFRGKaUpVJqKXBtYYFTiWN436L2Sfi00prvb59skMlUiPyZYa0AqXa32SRbjpi4sVTnUva7WRmZOCZZR8V2MV%2FAotoSmWg%3D%3D

Extracted

Family

blackcat

Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    kh1ftzx

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://rfosusl6qdm4zhoqbqnjxaloprld2qz35u77h4aap46rhwkouejsooqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • BlackCat

    A Rust-based ransomware sold as RaaS first seen in late 2021.

    ransomwareblackcat
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (6319) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe
    C:\Users\Admin\AppData\Local\Temp\ecea6b772742758a2240898ef772ca11aa9d870aec711cffab8994c23044117c.exe --access-token "hello"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil behavior set SymlinkEvaluation R2L:1
        3⤵
          PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          3⤵
            PID:4672
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
          2⤵
            PID:540
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1328
            • C:\Windows\SysWOW64\reg.exe
              reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
              3⤵
                PID:5116
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4416
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:4868
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "arp -a"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\SysWOW64\ARP.EXE
                arp -a
                3⤵
                  PID:2780
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1304
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic.exe Shadowcopy Delete
                  3⤵
                    PID:4248
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3624
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default}
                    3⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3312
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1628
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled No
                    3⤵
                    • Modifies boot configuration data using bcdedit
                    PID:3184
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1408
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                    3⤵
                      PID:2292
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:7412
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin.exe Delete Shadows /all /quiet
                      3⤵
                      • Interacts with shadow copies
                      PID:5560
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:7468
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic.exe Shadowcopy Delete
                      3⤵
                        PID:7296
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1920
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                        3⤵
                          PID:7924
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                        PID:5072
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                          PID:6040

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\RECOVER-kh1ftzx-FILES.txt
                          Filesize

                          1KB

                          MD5

                          55ae55e6b4305859882426805987041b

                          SHA1

                          12e71110997105f68ceb0d12044f0777dc4cc2cc

                          SHA256

                          eede68b87a4cccb2b40f01564d0bc4f88fa16ef8ac17c01ab125c5b59539d56b

                          SHA512

                          9f583344e3417d09bb203717e0bfc5cd81a56a8266cf44fd5338676dc233d24312dabeefb84bf806e596d59b38984c53354036b2be3b86d809ca987b2555bc6a

                          Download Submit

                        • C:\Users\Default\Desktop\RECOVER-kh1ftzx-FILES.txt.png
                          Filesize

                          1KB

                          MD5

                          20012d62ab22730ca6346db05f5819f6

                          SHA1

                          6236431cc70d6905b95b323a81c015a4b476f888

                          SHA256

                          586a861604dc00f0308a4370f4681e146672f6df13a0fa6f2caef7dba320c0da

                          SHA512

                          f060c94443b94646af0fa349bddd9649bc64b32ddc00e330ffe6816e8c409af47b44f90ec364d12967f6b78480f195f35ac371a4a3a11d05deaf8d6a8f4739b9

                          Download Submit

                        • memory/4500-8867-0x0000000000400000-0x00000000006F6000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/4500-25289-0x0000000000400000-0x00000000006F6000-memory.dmp

                          Filesize

                          3.0MB

                          Download