blackcat | a998493c66df7decf160160847d3a8c2413fc1938a0e586cfec472c8856bd8b9

Analysis

max time kernel
151s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asss1.exe.zip
Size

7.5MB
MD5

1b7999617f5074264506cd78e46ffd12
SHA1

8b298be0aa2f0df68a62028d71e5f557c134318f
SHA256

a998493c66df7decf160160847d3a8c2413fc1938a0e586cfec472c8856bd8b9
SHA512

a80fa2d906ce9a04854a5ea705731eae31d9b9d059237bb2b664d6a710e7e46c13f1dfe8b8bcea1a3b1154994442ec93d3630c95588cfaf4ba78396c4e62015b
SSDEEP

196608:fOIIa6yMxIIyXLaSF8g77UQXMIwZ9SXIlHDdzrli:GII7bIncIAQcj+me

Score

10^/10

blackcat discovery ransomware

Malware Config

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Blackcat family
blackcat

Executes dropped EXE 8 IoCs

pid	Process
4544	asss1.exe
3628	asss1.exe
864	asss1.exe
552	asss1.exe
3052	asss1.exe
3876	asss1.exe
2296	asss1.exe
4060	asss1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asss1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4076	EXCEL.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4604	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4604	7zFM.exe
Token: 35	4604	7zFM.exe
Token: SeSecurityPrivilege	4604	7zFM.exe
Token: SeSecurityPrivilege	4604	7zFM.exe
Token: SeDebugPrivilege	640	taskmgr.exe
Token: SeSystemProfilePrivilege	640	taskmgr.exe
Token: SeCreateGlobalPrivilege	640	taskmgr.exe
Token: 33	640	taskmgr.exe
Token: SeIncBasePriorityPrivilege	640	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4604	7zFM.exe
4604	7zFM.exe
4604	7zFM.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
4076	EXCEL.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE
1432	WINWORD.EXE

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\asss1.exe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4604

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4544

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1756

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Documents\GetExpand.xltx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\PublishRead.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:640

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\Desktop\asss1.exe
"C:\Users\Admin\Desktop\asss1.exe"
1⤵
- Executes dropped EXE
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F7145798-E48D-4303-8ED7-58C65BFA6C8E

Filesize
177KB

MD5
874f7cf98042de6131a1fb727aac433f

SHA1
0b19f3e03fbc27998cf7926305b1687b17b8b3bc

SHA256
8e7ef0c47ffd84da4c23cbaf99694db4a7ee8410c691bc8d98f9f3ec20caf48b

SHA512
3d68091a9712f96096361e319e00bba3982835ab71e78b4d29d5be4f07c0dcc14464ba2ca04dd4c239ecc0e4d185885dc4808de2f544b5b32a9d7f321eb0af49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
0cb286c0c7e4178d531cdd898755f7b7

SHA1
79383a865274135684e4ab8a46404c77abc28f4a

SHA256
bba4203c55cbd11d0df7c75424b18a27495cefc52b2e588e3b612abeb019299b

SHA512
c260e417375527a1a0d1b455fefee545e9f43b5739444783661af84ba88e1e2fbcbd5d99976f2057fbe8074c98fc8705dc6c479a7e91886f4358962c645bfe22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9df1cced0cbac140ea47f3354d1f0bcd

SHA1
94430464223d6914d18f93e2f39fb6725593feab

SHA256
81e5d1731634fe95fadd92e4f795c0bedf7c9d98ce125adbd05842182c61ee09

SHA512
111d86d50d1a8d99397f4f2a3756e60d1c0d1d5cf1a575011bc51b9596456652a8d82f379793ce90cd20e8d8561dfc752d6ee9feaeae413302e31a613655a684

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
351B

MD5
8f90a3fe8e6f5dc8fd53969cd9feb6b5

SHA1
7683c1bcfa0b25ec8845014f137deac889aa9659

SHA256
84916d30bdfb9a50f95e289c48ea9aa81dab989ff4b7a33d2486a35b1adce67f

SHA512
d69ace12525253a80a3bdbe228f087a0c039c4a37e11d4b3d3003d72840146518e1e4cf7c79e0aa02cdc60d5640098e7c25a48cd4d6df64c23ffaf246f711ffa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\asss1.exe

Filesize
14.3MB

MD5
db7a7403e5e248d0e96efe67cef73449

SHA1
11331c98855fdf42bd94a84687661c682336fea9

SHA256
847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456

SHA512
4fcf43cc7d337dbe17273e217acc6e98617fc153bf1e8295be6ba7b2afe3c7efca86d5e7eddc1fdf1212c74f1cd1803c5b6b0164e4322d89757cc6897b7313f0

Download Submit
memory/552-106-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/640-108-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-114-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-113-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-116-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-117-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-118-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-119-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-115-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-109-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/640-107-0x000002F258420000-0x000002F258421000-memory.dmp

Filesize
4KB

Download
memory/864-104-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/1432-45-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-102-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-48-0x00007FFA9DE90000-0x00007FFA9DEA0000-memory.dmp

Filesize
64KB

Download
memory/1432-43-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-42-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-46-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-99-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-47-0x00007FFA9DE90000-0x00007FFA9DEA0000-memory.dmp

Filesize
64KB

Download
memory/1432-100-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-101-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/1432-44-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/2296-125-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/3052-121-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/3628-6-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/3876-123-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/4060-127-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download
memory/4076-7-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-12-0x00007FFA9DE90000-0x00007FFA9DEA0000-memory.dmp

Filesize
64KB

Download
memory/4076-40-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-41-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-39-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-38-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-13-0x00007FFA9DE90000-0x00007FFA9DEA0000-memory.dmp

Filesize
64KB

Download
memory/4076-8-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-9-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-10-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4076-11-0x00007FFAA0510000-0x00007FFAA0520000-memory.dmp

Filesize
64KB

Download
memory/4544-4-0x0000000000860000-0x00000000016AC000-memory.dmp

Filesize
14.3MB

Download