Windows
Analysis Report
build.exe
Overview
General Information
Detection
BlackCat
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected BlackCat Ransomware
Malicious sample detected (through community Yara rule)
Found Tor onion address
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Yara signature match
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Classification
- System is w10x64
- build.exe (PID: 6328, cmdline: "C:\Users\user\Desktop\build.exe", MD5: 29FA3F046D74ECB98B88F2DB96B69856)
- cleanup
Malware Configuration
{
  "config_id": "",
  "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtkOBBovKJud3BzJyaBY2tik4hSIRHS6tHvupmLHLbnNkVD6aIksfd/L+EvWdS8AQyQ/L0/NdyLpubkySYLd6zI0mFNMIvwaBdnePbog2OVIRB/BkMUo0G0xfnjpVj+CPOIm1ougYn/1OJL8xP+ryPptxtAZLBU9aEZMk2IeQNNYsWIz2AfXgmkQ+6l+Zc42aqru3ne9nAX6jR9JvavSYjJ6Srk6EX8tPb1JGu1hjXKDoGC6HpvxNhvUTjIu94y/2A9NU805lrINdmq0YSKEB4M5uEc+lm/Vq+8o+HqambGA3dQkGl7kSzgm8zO0sIegg/rKKxra1UtNdhcrRFNo3TwIDAQAB",
  "extension": "4v9zkhj",
  "note_file_name": "RECOVER-${EXTENSION}-FILES.txt",
  "note_full_text": ">> What happened?\n\nImportant files on your network was ENCRYPTED and now they have \"${EXTENSION}\" extension.\nIn order to recover your files you need to follow instructions below.\n\n>> Sensitive Data\n\nSensitive data on your network was DOWNLOADED.\nIf you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.\n\nData includes:\n- Employees personal data, CVs, DL, SSN.\n- Complete network map including credentials for local and remote services.\n- Private financial information including: clients data, bills, budgets, annual reports, bank statements.\n- Manufacturing documents including: datagrams, schemas, drawings in solidworks format\n- And more...\n\n>> CAUTION\n\nDO NOT MODIFY ENCRYPTED FILES YOURSELF.\nDO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.\n\n>> What should I do next?\n\n1) Download and install Tor Browser from: https://torproject.org/\n2) Navigate to: http://xnffv7gqnvmhbo6abr5ctt6go2zzcbefuhjqbq6ijczpwjn2nmkhzsad.onion/?access-key=${ACCESS_KEY}",
  "note_short_text": "Important files on your network was DOWNLOADED and ENCRYPTED.\nSee \"${NOTE_FILE_NAME}\" file to get further instructions.",
  "default_file_mode": "Auto",
  "default_file_cipher": "Best",
  "credentials": [],
  "kill_services": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$", "mysql", "mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobuser", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl", "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"],
  "kill_processes": ["agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "firefox", "infopath", "isqlplussvc", "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds", "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice", "sql", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio", "winword", "wordpad", "xfssvccon", "*sql*", "bedbh", "vxmon", "benetns", "bengien", "pvlsvr", "beserver", "raw_agent_svc", "vsnapvss", "CagService", "QBIDPService", "QBDBMgrN", "QBCFMonitorService", "SAP", "TeamViewer_Service", "TeamViewer", "tv_w32", "tv_x64", "CVMountd", "cvd", "cvfwd", "CVODS", "saphostexec", "saposcol", "sapstartsrv", "avagent", "avscc", "DellSystemDetect", "EnterpriseClient", "VeeamNFSSvc", "VeeamTransportSvc", "VeeamDeploymentSvc"],
  "exclude_directory_names": ["system volume information", "intel", "$windows.~ws", "application data", "$recycle.bin", "mozilla", "$windows.~bt", "public", "msocache", "windows", "default", "all users", "tor browser", "programdata", "boot", "config.msi", "google", "perflogs", "appdata", "windows.old"],
  "exclude_file_names": ["desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log"],
  "exclude_file_extensions": ["themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat", "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu"],
  "exclude_file_path_wildcard": [],
  "enable_network_discovery": true,
  "enable_self_propagation": true,
  "enable_set_wallpaper": true,
  "enable_esxi_vm_kill": true,
  "enable_esxi_vm_snapshot_kill": true,
  "strict_include_paths": [],
  "esxi_vm_kill_exclude": []
}
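The extracted configuration is the most actionable part of this report: it names the services and processes the sample stops before encrypting (backup agents, databases, mail, Office), the directories, file names and extensions it leaves alone, the new file extension, and the ransom-note templates, whose `${EXTENSION}` and `${NOTE_FILE_NAME}` placeholders are filled from the config itself while `${ACCESS_KEY}` is per victim. The Python below is an added example, not part of the Joe Sandbox report and not BlackCat code; it turns a trimmed copy of this config into hunting artifacts and approximates the file-selection filter. The matching semantics it uses (case-insensitive comparison, `*` in the kill lists treated as a glob because of the `*sql*` entry, a directory excluded when any path component is on the list) are assumptions about how the fields are consumed, not behaviour verified against the binary.

```python
"""Derive hunting artifacts from a BlackCat/ALPHV configuration.

Added example; not Joe Sandbox or BlackCat code. Matching semantics below are
assumptions about how the config fields are consumed, not verified behaviour.
"""
import fnmatch
import re
from pathlib import PureWindowsPath
from string import Template

# Trimmed copy of the extracted configuration above: only the fields used here,
# lists cut to a few entries. Values are copied from the report, not invented.
CONFIG = {
    "extension": "4v9zkhj",
    "note_file_name": "RECOVER-${EXTENSION}-FILES.txt",
    "note_short_text": ("Important files on your network was DOWNLOADED and ENCRYPTED.\n"
                        'See "${NOTE_FILE_NAME}" file to get further instructions.'),
    "note_full_text": ("2) Navigate to: http://xnffv7gqnvmhbo6abr5ctt6go2zzcbefuhjqbq6ijczpwjn2nmkhzsad"
                       ".onion/?access-key=${ACCESS_KEY}"),
    "kill_services": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange"],
    "kill_processes": ["excel", "notepad", "outlook", "thunderbird", "winword", "*sql*", "TeamViewer"],
    "exclude_directory_names": ["system volume information", "$recycle.bin", "windows",
                                "programdata", "appdata", "windows.old"],
    "exclude_file_names": ["desktop.ini", "autorun.inf", "ntldr", "thumbs.db", "boot.ini"],
    "exclude_file_extensions": ["exe", "dll", "sys", "lnk", "msi", "ps1", "cmd", "bat"],
    "strict_include_paths": [],
}

# Tor v3 onion service hostname: 56 base32 characters.
ONION_V3 = re.compile(r"\b[a-z2-7]{56}\.onion\b")


def render(cfg, template):
    """Expand the placeholders the config defines; leave ${ACCESS_KEY} untouched.

    ${EXTENSION} comes straight from the config; ${NOTE_FILE_NAME} is the note
    file name after its own ${EXTENSION} has been expanded.
    """
    ext = cfg["extension"]
    note_name = Template(cfg["note_file_name"]).safe_substitute(EXTENSION=ext)
    return Template(template).safe_substitute(EXTENSION=ext, NOTE_FILE_NAME=note_name)


def onion_addresses(text):
    """Return the v3 .onion hostnames found in text (the negotiation portal)."""
    return sorted(set(ONION_V3.findall(text)))


def in_kill_list(patterns, name):
    """True if a service or process name (without '.exe') matches a kill-list entry.

    Assumption: '*' is a glob, as the '*sql*' entry implies; all other entries
    are exact, case-insensitive comparisons.
    """
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in patterns)


def is_targeted(cfg, path):
    """Approximate the encryption filter: a file is skipped if any exclusion applies."""
    p = PureWindowsPath(path)
    dirs = {part.lower() for part in p.parent.parts[1:]}  # drop the drive component
    if dirs & set(cfg["exclude_directory_names"]):
        return False
    if p.name.lower() in cfg["exclude_file_names"]:
        return False
    if p.suffix.lower().lstrip(".") in cfg["exclude_file_extensions"]:
        return False
    include = cfg.get("strict_include_paths") or []  # empty list means "everything"
    if include and not any(path.lower().startswith(i.lower()) for i in include):
        return False
    return True


def hunting_artifacts(cfg):
    """One-shot summary an incident responder can pivot on."""
    return {
        "note_file_name": render(cfg, cfg["note_file_name"]),
        "encrypted_extension": "." + cfg["extension"],
        "onion": onion_addresses(cfg["note_full_text"]),
        "services_to_watch": sorted({s.lower() for s in cfg["kill_services"]}),
    }


if __name__ == "__main__":
    print(hunting_artifacts(CONFIG))
    for f in (r"C:\Users\user\Documents\budget.xlsx", r"C:\Windows\System32\kernel32.dll",
              r"C:\Users\user\AppData\Local\notes.txt", r"D:\share\desktop.ini"):
        print(f, "->", "encrypt" if is_targeted(CONFIG, f) else "skip")
```

Run as a script it prints the summary and a verdict for four sample paths. Pointing `is_targeted` at a file listing from a suspect host gives a rough blast-radius estimate, and `services_to_watch` feeds service-stop monitoring; note the kill list uses service short names, so map them to display names before comparing against System log 7036 events.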
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security |
| JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security |
| JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security |
| JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
| INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown |
No Sigma rule has matched.
AV Detection
Source | Result
---|---
Avira |
Malware Configuration Extractor |