Overview

overview

10

Static

static

10

6660d0e87a...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896.exe

  • Size

    2.9MB

  • MD5

    cf2264987cc01dc8d3f72027347a968b

  • SHA1

    3d385b316df5d37d39b10113a67080fc1516e0c9

  • SHA256

    6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896

  • SHA512

    3a8ce5a82f4455804e8f0a43526b8d60524426a4a4ae04f777cfd6d139ef6e7adcc4cbc07fcbe6399f6ad583e293fa6f6b27e95db30f14a89cf51ca5622516e6

  • SSDEEP

    49152:H0z5TqmuGSSJLiqwRrYqFrjsAkJxyNuN/RgaJ2wp4:OVh/xGDCbJPvwwp4

Score
10/10
blackcatdiscoveryransomware

Malware Config

Extracted

Family

blackcat

Credentials
  • Username:
    Administrateur
  • Password:
    Imed
  • Username:
    Irvoas
  • Password:
    irvoas
  • Username:
    secretariat
  • Password:
    secretariat
  • Username:
    cao
  • Password:
    cao
Attributes
  • enable_network_discovery

    true

  • enable_self_propagation

    true

  • enable_set_wallpaper

    true

  • extension

    ua3a2q0

  • note_file_name

    RECOVER-${EXTENSION}-FILES.txt

  • note_full_text

    Meow Meow. Bonjour. Welcome to the Black Cat Ransomware. We have been infilitrating your network for weeks and uploading all your files to our servers. We have ALL your info, ongoing projects (affaires en cours) and ended ones, providers information, passports... You better contact us fast, price will be cheaper and no one will know. If you dont contact in 5 days, we will contact all your customers 1 by 1 and publishing their info. Dont waste time with backups, we have deleted them. >> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: -Affaires en course -Affaires termines -Fournisseurs -Logiciels -Disputes -Blueprints for all your projects. -Customers contact and financial information. - Employees personal data, includin passports -All the emails (/sauve mail). - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://lputkyq4cnbwrpdmjfahc6vnvs2rhia6fq2eycjuxvv5dbob3mqvh6qd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

  • BlackCat

    A Rust-based ransomware sold as RaaS first seen in late 2021.

    ransomwareblackcat
  • Blackcat family
    blackcat
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896.exe
    "C:\Users\Admin\AppData\Local\Temp\6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3772
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3672-1-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-2-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-3-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-13-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-12-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-11-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-10-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-9-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-8-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3672-7-0x00000230FA890000-0x00000230FA891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3772-0-0x0000000000400000-0x00000000006E1000-memory.dmp

    Filesize

    2.9MB

    Download