File name: blackcat.exe
Full analysis: https://app.any.run/tasks/3c8047fc-55fc-48ec-bdd1-58005f524b9d
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: November 29, 2023, 01:53:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: BB266486EE8AC70C0687989E02CEFA14
SHA1: 11203786B17BB3873D46ACAE32A898C8DAC09850
SHA256: 0C6F444C6940A3688FFC6F8B9D5774C032E3551EBBCCB64E4280AE7FC1FAC479
SSDEEP: 49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1w:rbyaALKjwWXV1P9oVvwwW4JT8v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Renames files like ransomware
      • blackcat.exe (PID: 2508)
    • Deletes shadow copies
      • cmd.exe (PID: 1860)
      • cmd.exe (PID: 3316)
    • Drops the executable file immediately after the start
      • blackcat.exe (PID: 2508)
  • SUSPICIOUS
    • Process uses ARP to discover network configuration
      • cmd.exe (PID: 3208)
    • Starts CMD.EXE for command execution
      • blackcat.exe (PID: 2508)
    • Uses REG/REGEDIT.EXE to modify registry
      • cmd.exe (PID: 2668)
    • Changes the desktop background image
      • blackcat.exe (PID: 2508)
    • Creates files like ransomware instruction
      • blackcat.exe (PID: 2508)
  • INFO
    • Checks supported languages
      • blackcat.exe (PID: 2748)
      • blackcat.exe (PID: 1444)
      • blackcat.exe (PID: 2508)
      • wmpnscfg.exe (PID: 3752)
    • Reads the computer name
      • blackcat.exe (PID: 2508)
      • wmpnscfg.exe (PID: 3752)
    • Dropped object may contain TOR URLs
      • blackcat.exe (PID: 2508)
    • Reads the machine GUID from the registry
      • blackcat.exe (PID: 2508)
      • wmpnscfg.exe (PID: 3752)
    • Manual execution by a user
      • cmd.exe (PID: 1988)
      • wmpnscfg.exe (PID: 3752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

ext | file type | probability
.exe | Win32 Executable MS Visual C++ (generic) | 67.4%
.dll | Win32 Dynamic Link Library (generic) | 14.2%
.exe | Win32 Executable (generic) | 9.7%
.exe | Generic Win/DOS Executable | 4.3%
.exe | DOS Executable Generic | 4.3%

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:12:06 21:20:36+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.3
CodeSize: 1637376
InitializedDataSize: 2280448
UninitializedDataSize: 1536
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 62
Monitored processes: 17
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph (details are in the full report): blackcat.exe, cmd.exe, blackcat.exe, blackcat.exe, cmd.exe, fsutil.exe, cmd.exe, fsutil.exe, cmd.exe, cmd.exe, reg.exe, vssadmin.exe, cmd.exe, arp.exe, cmd.exe, vssadmin.exe, wmpnscfg.exe

Process information (PID, command line, image path, parent process, followed by process details and loaded modules)
PID: 1016
CMD: arp -a
Path: C:\Windows\System32\ARP.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Arp Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\arp.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\snmpapi.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\nsi.dll, c:\windows\system32\advapi32.dll
PID: 1444
CMD: blackcat.exe -h
Path: C:\Users\admin\Desktop\blackcat.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images): c:\users\admin\desktop\blackcat.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\netapi32.dll, c:\windows\system32\netutils.dll
PID: 1860
CMD: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
Path: C:\Windows\System32\cmd.exe
Parent process: blackcat.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll
PID: 1984
CMD: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
Path: C:\Windows\System32\cmd.exe
Parent process: blackcat.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll
PID: 1988
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll
PID: 2332
CMD: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
Path: C:\Windows\System32\cmd.exe
Parent process: blackcat.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll
PID: 2508
CMD: blackcat.exe -a 1234567 -v
Path: C:\Users\admin\Desktop\blackcat.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images): c:\users\admin\desktop\blackcat.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\netapi32.dll, c:\windows\system32\netutils.dll
PID: 2668
CMD: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
Path: C:\Windows\System32\cmd.exe
Parent process: blackcat.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll
PID: 2748
CMD: "C:\Users\admin\Desktop\blackcat.exe"
Path: C:\Users\admin\Desktop\blackcat.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (images): c:\users\admin\desktop\blackcat.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\netapi32.dll, c:\windows\system32\netutils.dll
PID: 2860
CMD: fsutil behavior set SymlinkEvaluation R2R:1
Path: C:\Windows\System32\fsutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: fsutil.exe
Exit code: 1
Version: 6.1.7601.17577 (win7sp1_gdr.110310-1504)
Modules (images): c:\windows\system32\fsutil.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\ktmw32.dll, c:\windows\system32\ole32.dll
Total events: 516
Read events: 509
Write events: 2
Delete events: 5

Modification events

Process (PID): blackcat.exe (2508)
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: WallpaperStyle
Value: 10

Process (PID): blackcat.exe (2508)
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: WallPaper
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Process (PID): wmpnscfg.exe (3752)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{7763B905-E0C5-4B31-A185-E161ADDF18B5}\{C2D47007-6F8A-4894-8FCA-1044A49D9E81}
Operation: delete key
Name: (default)
Value:

Process (PID): wmpnscfg.exe (3752)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A9D43164-3D0A-4750-A15A-4A744ED603C2}\{C2D47007-6F8A-4894-8FCA-1044A49D9E81}
Operation: delete key
Name: (default)
Value:

Process (PID): wmpnscfg.exe (3752)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A9D43164-3D0A-4750-A15A-4A744ED603C2}
Operation: delete key
Name: (default)
Value:

Process (PID): wmpnscfg.exe (3752)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{7763B905-E0C5-4B31-A185-E161ADDF18B5}
Operation: delete key
Name: (default)
Value:

Process (PID): wmpnscfg.exe (3752)
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{6D3800B8-F096-42A8-9586-635785F26076}
Operation: delete key
Name: (default)
Value:
Executable files: 0
Suspicious files: 128
Text files: 50
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2508 | blackcat.exe | C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.sykffle | xml | 6BDCB5FE957F3B2E1976F840BEF77A50 | 0D99E37B36245CD31D2F2FDA5AEA11FDBF5A83D717CF1626C3E125921517FFD8
2508 | blackcat.exe | C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.sykffle | xml | 0466122C8989B553BF813A08FF9E865D | 869FD853BE47EF57F44D6FA07E287665D8623CB2045CA3B6A2ADF2A7177B9F4B
2508 | blackcat.exe | C:\Users\admin\Pictures\associatedeasy.png.sykffle | image | ED50C24F34BCAB4065A6A1F1A9674AE9 | 9A480B89D1EC8F92AE849BF17E0E114821EDA2BADC793FF5214A7EF519CB64CA
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.sykffle | binary | F1D69EC4BC8F3BC62804487B1AFC91FC | 846EBF1AAFF5D3DBA6707BBC5B013EFA437E1811C87CDE6137D46882E4519313
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.sykffle | binary | C7F2E7D3466314545A62E154E9571FDB | 735B6AEAB5624C8F57C1E9152AC07B60E731752B32FF10CE9A580FFD7467C98B
2508 | blackcat.exe | C:\Users\admin\Pictures\checkpoints-subgroup.jpg.sykffle | binary | E67B41FB7137DB11A75C5F50B1519FEA | 394CFC4FFAA58A66B956AFF5CF1C90FA85A96FB2A1A3AB722C76A67C1856D453
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.sykffle | binary | 113F4E9D0DB8CDDE7FC2C85B0FDC9FFB | B643AED41E6A6B44F6CCDAC91BFB15186C4ED5D1C7A0D2B3451D81BB15885B1F
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.sykffle | binary | 70C618F40F686A462C933F3EE7811571 | 91DD0C1F3267F5C4AAEBD564B515F9ACB9A8EED02D89E12B37449674FFBC5100
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\RECOVER-sykffle-FILES.txt | text | D9C48E52B79A6B5FD477E83574AD12EA | 04F0C6DBF11FC3CC15756E94267863E00963334CAAFD9C376DD95F7E2384A62F
2508 | blackcat.exe | C:\Users\admin\Favorites\Windows Live\checkpoints-Get Windows Live.url.sykffle | binary | 4E3E981BBADC7E1D45FD8ECB6043564F | 191F7A8EFB2254444727ACF53F3E1DCEAAE26167771A71580D263E90E5B1E383
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 11
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1080 | svchost.exe | GET | 404 | 49.13.77.253:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f6ffd6d9ba22ce0c | unknown | xml | 341 b | unknown

Connections (Domain, ASN and CN were not recorded for any connection)

PID | Process | IP | Reputation
4 | System | 192.168.100.255:138 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:137 | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | whitelisted
2508 | blackcat.exe | 192.168.1.1:137 | unknown
2508 | blackcat.exe | 224.0.0.22:137 | unknown
2508 | blackcat.exe | 192.168.100.2:137 | whitelisted
2508 | blackcat.exe | 192.168.100.255:137 | whitelisted
2508 | blackcat.exe | 224.0.0.252:137 | unknown
2508 | blackcat.exe | 239.255.255.250:137 | whitelisted

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 49.13.77.253 | whitelisted

Threats: No threats detected
Debug info: none