blackcat | f66f7ed98ea839175949bd6148be4277a4d566aa9b912981a2be485e851cf5c4

Resubmissions

18-09-2024 16:10

240918-tmtdga1ckk 10

Analysis

max time kernel
34s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlackCat_Config.exe
Size

2.9MB
MD5

c681038bc738ff0a816176c4cd21150c
SHA1

c5181892afde538c73109b4c83e2a2730eb9014d
SHA256

c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486
SHA512

defabbcf84219a69366c01e2c1cfe72cd1e29879434cddab31c2c035fc7958bce3611b5f9568ad8abce0d7bf28f1f718159e712d0fc7caf56185a20949f9b060
SSDEEP

49152:nKoWSw+biIUslcrZM2xTSQyAnsKN3uLlkoCP4QNS/RgaJ2wgX:nKoWSw+e9slcrq2xTpsKNOVoCvwwgX

Score

10^/10

blackcat discovery ransomware

Malware Config

Extracted

Family

blackcat

Credentials

Username:
CEKOK\comodo
Password:
Ngn2016!

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
b5o8ph3
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackCat_Config.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	taskmgr.exe
Token: SeSystemProfilePrivilege	4192	taskmgr.exe
Token: SeCreateGlobalPrivilege	4192	taskmgr.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe
4192	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\BlackCat_Config.exe
"C:\Users\Admin\AppData\Local\Temp\BlackCat_Config.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3824-0-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4192-1-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-3-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-2-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-7-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-9-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-13-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-12-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-11-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-10-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download
memory/4192-8-0x000001C22CDC0000-0x000001C22CDC1000-memory.dmp

Filesize
4KB

Download