blackcat | df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c

Resubmissions

15-12-2023 21:36

231215-1f5lgsagg5 10

15-12-2023 21:32

231215-1dlqlaagf5 10

Analysis

max time kernel
124s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-12-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sch1.exe
Size

12.6MB
MD5

a0cd8aa1cd7cc61d41977cceacd7d4f6
SHA1

83078ff956e5e441429257cfa3a3362d6ba3c0d5
SHA256

df8d000833243acc0004595b3a8d4b66fcd7b76d8685d5c2ff61ee2a40a0e92c
SHA512

2f147b25d3289f33623dd3fdfd339de75b71cab4eb6348d0a176815bc1a7a86889113c40b6b1d3a2eb275fd76c16dbbe0eb38e63584ce2f5005a13c7369e68db
SSDEEP

196608:zRXBBaGSqkZRLVupoP3/ih4a4kZLm77gZ9rwaATAZjiEjOvonfT:p/+j/ih4a4k9M5kjiOOvonfT

Score

10^/10

blackcat ransomware

Malware Config

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cr2	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.cr2\ = "cr2_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\cr2_auto_file\shell\open	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2176	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2176	2856	rundll32.exe	35
PID 2856 wrote to memory of 2176	2856	rundll32.exe	35
PID 2856 wrote to memory of 2176	2856	rundll32.exe	35

C:\Users\Admin\AppData\Local\Temp\sch1.exe
"C:\Users\Admin\AppData\Local\Temp\sch1.exe"
1⤵
PID:3040

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\InitializePop.fon
1⤵
PID:2252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2628

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\BlockGroup.cr2
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\BlockGroup.cr2
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-0-0x0000000000F80000-0x0000000001C20000-memory.dmp

Filesize
12.6MB

Download