Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2024 02:28
Behavioral task
behavioral1
Sample
2024-12-06_6799c364310f68900ed085758cfa106f_alphv_blackcat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-06_6799c364310f68900ed085758cfa106f_alphv_blackcat.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-06_6799c364310f68900ed085758cfa106f_alphv_blackcat.exe
-
Size
2.2MB
-
MD5
6799c364310f68900ed085758cfa106f
-
SHA1
f8ebea315ace187cc6f0a4a6c4a92403ce3c4dfb
-
SHA256
e3c2d7854658fd7fa53d8f41aa9577ab7044c2c6d70af004367f657f17335e18
-
SHA512
dc5cc422c1d413fd5703575245a8ab203c303a0c6af8d212f044b6989d01726430353e724a801ac085e5a7f5e6c75c78e3e9aaaec3e459d33730af402a1b8f46
-
SSDEEP
49152:qEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW:qbyaALKjwWXV1P9oVvwwW
Malware Config
Extracted
blackcat
- Username:
KELLERSUPPLY\Administrator - Password:
d@gw00d
- Username:
KELLERSUPPLY\AdminRecovery - Password:
K3ller!$Supp1y
- Username:
.\Administrator - Password:
d@gw00d
- Username:
.\Administrator - Password:
K3ller!$Supp1y
-
enable_network_discovery
true
-
enable_self_propagation
false
-
enable_set_wallpaper
true
-
extension
sykffle
-
note_file_name
RECOVER-${EXTENSION}-FILES.txt
-
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}
Signatures
-
BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
-
Blackcat family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-06_6799c364310f68900ed085758cfa106f_alphv_blackcat.exe