4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99

General

Target

BlackSuite.Ransom.exe
Size

2.1MB
MD5

4f813698141cb7144786cdc6f629a92b
SHA1

69feda9188dbebc2d2efec5926eb2af23ab78c5d
SHA256

4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
SHA512

578e445bb595fd36c5095092abb1bc49b1878550469eeb5c9af4d8bd7994fa6540de453e34ccf2759832deee184060a3cb8928afff879bb31f8cd2261195bde0
SSDEEP

24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQR:Bq9LmKKe36MmYJPAvIPtHzH2h4UC4qk

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1700	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2912	POWERPNT.EXE
1360	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	POWERPNT.EXE
1360	POWERPNT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1700	2404	BlackSuite.Ransom.exe	28
PID 2404 wrote to memory of 1700	2404	BlackSuite.Ransom.exe	28
PID 2404 wrote to memory of 1700	2404	BlackSuite.Ransom.exe	28
PID 2404 wrote to memory of 1700	2404	BlackSuite.Ransom.exe	28
PID 2912 wrote to memory of 2780	2912	POWERPNT.EXE	35
PID 2912 wrote to memory of 2780	2912	POWERPNT.EXE	35
PID 2912 wrote to memory of 2780	2912	POWERPNT.EXE	35
PID 2912 wrote to memory of 2780	2912	POWERPNT.EXE	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\BlackSuite.Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\BlackSuite.Ransom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\SkipProtect.ppt"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\FindStep.odp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-7-0x000000002D8F1000-0x000000002D8F2000-memory.dmp

Filesize
4KB

Download
memory/1360-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1360-9-0x000000007311D000-0x0000000073128000-memory.dmp

Filesize
44KB

Download
memory/1360-12-0x000000007311D000-0x0000000073128000-memory.dmp

Filesize
44KB

Download
memory/2912-1-0x000000002D9C1000-0x000000002D9C2000-memory.dmp

Filesize
4KB

Download
memory/2912-2-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2912-3-0x0000000071D7D000-0x0000000071D88000-memory.dmp

Filesize
44KB

Download
memory/2912-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2912-6-0x0000000071D7D000-0x0000000071D88000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing