blackcat | fb498ec79ef20691c23b9fd768ffd6caf1b98d49b0b165a5767d2471c3182900

Resubmissions

08-03-2024 21:30

240308-1cjjvage44 10

08-03-2024 21:29

240308-1b52fshc8w 10

Analysis

max time kernel
175s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4.zip
Size

1.6MB
MD5

b7ebff87f46339629a432cb1dcc2cac1
SHA1

6835c4e835506510251cf418cd39507dbf531367
SHA256

f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4
SHA512

57277ccaaffeb74271012d1319224926816b9d144076e57e7c57bd12c79b88d4db0bf37b0bba39104ec03a05ca84a455f691508f64d3411cab3dcf457a60e3f5
SSDEEP

49152:OuregtEp+FIVSKp/JTohzNW+0WyX/zTndTnjP4qDgN:OYdtqSKpxTonundTn9gN

Score

10^/10

blackcat ransomware

Malware Config

Extracted

Family

blackcat

Credentials

Username:
CEKOK\comodo
Password:
Ngn2016!

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
b5o8ph3
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Executes dropped EXE 3 IoCs

pid	Process
2080	BlackCat_Config.exe
660	BlackCat_Config.exe
760	BlackCat_Config.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
556	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
2080	BlackCat_Config.exe
660	BlackCat_Config.exe
760	BlackCat_Config.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2688	7zG.exe
Token: 35	2688	7zG.exe
Token: SeSecurityPrivilege	2688	7zG.exe
Token: SeSecurityPrivilege	2688	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2688	7zG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2080	1988	cmd.exe	38
PID 1988 wrote to memory of 2080	1988	cmd.exe	38
PID 1988 wrote to memory of 2080	1988	cmd.exe	38
PID 1988 wrote to memory of 2080	1988	cmd.exe	38
PID 1988 wrote to memory of 660	1988	cmd.exe	39
PID 1988 wrote to memory of 660	1988	cmd.exe	39
PID 1988 wrote to memory of 660	1988	cmd.exe	39
PID 1988 wrote to memory of 660	1988	cmd.exe	39
PID 1988 wrote to memory of 760	1988	cmd.exe	40
PID 1988 wrote to memory of 760	1988	cmd.exe	40
PID 1988 wrote to memory of 760	1988	cmd.exe	40
PID 1988 wrote to memory of 760	1988	cmd.exe	40

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4.zip
1⤵
PID:1920

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\" -spe -an -ai#7zMap21771:208:7zEvent31149
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2688

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe
  C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe -help
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe
  C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe --help
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:660
- C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe
  C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe --ui
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:760

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\UseTool.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\BlackCat_Config.exe

Filesize
2.9MB

MD5
c681038bc738ff0a816176c4cd21150c

SHA1
c5181892afde538c73109b4c83e2a2730eb9014d

SHA256
c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486

SHA512
defabbcf84219a69366c01e2c1cfe72cd1e29879434cddab31c2c035fc7958bce3611b5f9568ad8abce0d7bf28f1f718159e712d0fc7caf56185a20949f9b060

Download Submit
C:\Users\Admin\AppData\Local\Temp\f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4\UseTool.txt

Filesize
26B

MD5
e0971b41ef6ee960b6e840ba0252befd

SHA1
67c001e08e068a1e166a612a556005956436fe43

SHA256
784dd149612554e2346c42010546f03904f26ffcb9239d89d0c2d1cc72edb7d0

SHA512
ae43a6a7b34ba05ccb8d026fbcb2368df6c05a64e8dadb79b44da7d731ee7a4bb1b35730a29f8127a372f40570abd01239cf4f43b2c240a9d12c203a97d54499

Download Submit
memory/660-8-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/760-10-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2080-6-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download