blackcat | ab6053417ad8ead3a16c778a7828085635abef9ed9b45ceaf04ff973b448d17d

Analysis

max time kernel
97s
max time network
120s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-11-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlackCat(ALPHV)_pw_infected.zip
Size

1.6MB
MD5

cc4ce6b2e43d4281de9d4b3f8d119563
SHA1

46f3c65451a31a95831fc398eb71b2f996ce1363
SHA256

ab6053417ad8ead3a16c778a7828085635abef9ed9b45ceaf04ff973b448d17d
SHA512

c4fd5c7aa9bd44fc57197b474e358f915cd0dc707f3571b95ba16403d476c803ddaecee021f80d9ffa8fc8a93b829503745fa9fc198d46d7fb01fd480445feae
SSDEEP

24576:XpQQ1fGbxeB2yJHrZJzbBvmeayeoUyXrv+ChgEG0d5ggpyit26Nf794fWTtrO/4i:Z1WydzRmnoUyXXE0PgCTt26d79LdOgk/

Score

10^/10

blackcat discovery ransomware

Malware Config

Extracted

Family

blackcat

Credentials

Username:
CEKOK\comodo
Password:
Ngn2016!

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
b5o8ph3
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://aoczppoxmfqqthtwlwi4fmzlrv6aor3isn6ffaiic55wrfumxslx3vyd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Blackcat family
blackcat

Executes dropped EXE 4 IoCs

pid	Process
2788	BlackCat_Config.exe
4700	BlackCat_Config.exe
4312	BlackCat_Config.exe
2956	BlackCat_Config.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackCat_Config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlackCat_Config.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
772	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	772	7zFM.exe
Token: 35	772	7zFM.exe
Token: SeSecurityPrivilege	772	7zFM.exe
Token: SeSecurityPrivilege	772	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
772	7zFM.exe
772	7zFM.exe
772	7zFM.exe
772	7zFM.exe
772	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2788	1568	cmd.exe	95
PID 1568 wrote to memory of 2788	1568	cmd.exe	95
PID 1568 wrote to memory of 2788	1568	cmd.exe	95
PID 1568 wrote to memory of 4700	1568	cmd.exe	96
PID 1568 wrote to memory of 4700	1568	cmd.exe	96
PID 1568 wrote to memory of 4700	1568	cmd.exe	96
PID 1568 wrote to memory of 4312	1568	cmd.exe	97
PID 1568 wrote to memory of 4312	1568	cmd.exe	97
PID 1568 wrote to memory of 4312	1568	cmd.exe	97

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BlackCat(ALPHV)_pw_infected.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\Desktop\BlackCat_Config.exe
  BlackCat_Config.exe -h
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Users\Admin\Desktop\BlackCat_Config.exe
  BlackCat_Config.exe --help
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Users\Admin\Desktop\BlackCat_Config.exe
  BlackCat_Config.exe -p C:\Users\Admin\Desktop
  2⤵
  - Executes dropped EXE
  PID:4312

C:\Users\Admin\Desktop\BlackCat_Config.exe
"C:\Users\Admin\Desktop\BlackCat_Config.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BlackCat_Config.exe

Filesize
2.9MB

MD5
c681038bc738ff0a816176c4cd21150c

SHA1
c5181892afde538c73109b4c83e2a2730eb9014d

SHA256
c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486

SHA512
defabbcf84219a69366c01e2c1cfe72cd1e29879434cddab31c2c035fc7958bce3611b5f9568ad8abce0d7bf28f1f718159e712d0fc7caf56185a20949f9b060

Download Submit
memory/2788-10-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2956-14-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4312-12-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4700-9-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download