Overview

overview

10

Static

static

10

0c6f444c69...479.7z

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.7z

  • Size

    1.2MB

  • MD5

    3d6462858fbdfaba38da280963663a88

  • SHA1

    61beddabb7acb1e50a8c9c7d858d303d07c421b9

  • SHA256

    6394c5aea697493242f8b48249b5a2020709a6c58345a0da881830c481489130

  • SHA512

    1e317887f2778f25058dd27c81e5b6c6bd7d793cf4b9cdfb159ab9b1b648b47dc6392679319e1e61bcc3089fc73a08b11a7b34f6eccea6951dccaf3a5c6bd970

  • SSDEEP

    24576:Z+3Q1P7yWG7g8SrvFJuouQfOnAx8/GTJoC/A1t+mErf9mJcsqyr:MQ1PibSrd0qfOnJG9b/0t+mErf9JM

Score
10/10
blackcatexpirobackdoordiscoveryransomware

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    KELLERSUPPLY\Administrator
  • Password:
    d@gw00d
  • Username:
    KELLERSUPPLY\AdminRecovery
  • Password:
    K3ller!$Supp1y
  • Username:
    .\Administrator
  • Password:
    d@gw00d
  • Username:
    .\Administrator
  • Password:
    K3ller!$Supp1y
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    false

  • enable_set_wallpaper

    true

  • extension

    sykffle

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    >> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • BlackCat

    A Rust-based ransomware sold as RaaS first seen in late 2021.

    ransomwareblackcat
  • Blackcat family
    blackcat
  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 30 IoCs
    backdoor
  • Executes dropped EXE 27 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4884
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2728
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:720
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2400
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:748
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3832
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3256
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3124
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2660
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4040
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2308
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4020
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4840
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2592
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4444
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4764
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2192
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3896
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:5092
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3496
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:4072
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3916
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3444
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:2020
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:1632
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:816
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3560
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:3140
  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    "C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe"
    1⤵
    • Executes dropped EXE
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479.exe
    Filesize

    2.6MB

    MD5

    bb266486ee8ac70c0687989e02cefa14

    SHA1

    11203786b17bb3873d46acae32a898c8dac09850

    SHA256

    0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

    SHA512

    a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4

    Download Submit

  • memory/720-18-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-14-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-19-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-15-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-8-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-9-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-10-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-20-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-17-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/720-16-0x000001586AC00000-0x000001586AC01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/748-24-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/816-66-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1632-65-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1840-72-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2020-63-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2192-48-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2308-37-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2400-22-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2592-43-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2660-33-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2728-4-0x0000000000697000-0x00000000006C7000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2728-5-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2728-6-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2728-7-0x0000000000697000-0x00000000006C7000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3124-31-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3140-71-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3256-29-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3444-61-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3496-54-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3560-69-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3832-27-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3896-50-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3916-58-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4020-38-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4040-34-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4072-57-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4444-45-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4764-47-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4840-41-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/5092-52-0x0000000000400000-0x00000000006C7000-memory.dmp

    Filesize

    2.8MB

    Download