File name:

BlackCat(ALPHV).zip

Full analysis: https://app.any.run/tasks/f626968e-6463-4df5-800e-da7eff8d7309
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 30, 2023, 12:33:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B7EBFF87F46339629A432CB1DCC2CAC1

SHA1:

6835C4E835506510251CF418CD39507DBF531367

SHA256:

F66F7ED98EA839175949BD6148BE4277A4D566AA9B912981A2BE485E851CF5C4

SSDEEP:

49152:U8928QAKJ18UgnBBKwLN0J35GZ7hQCeWz9RtkzIiybsLdeuNyQIFq1ej72oFQaj+:U8923AAgLpLCIGNWz9kzvWcdeNVq1eP6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • BlackCat_Config.exe (PID: 3696)
      • BlackCat_Config.exe (PID: 3628)
      • BlackCat_Config.exe (PID: 2828)
      • BlackCat_Config.exe (PID: 3044)
      • BlackCat_Config.exe (PID: 1180)
      • BlackCat_Config.exe (PID: 120)
      • BlackCat_Config.exe (PID: 1896)
      • BlackCat_Config.exe (PID: 2436)
    • Known privilege escalation attack

      • dllhost.exe (PID: 960)
    • Deletes shadow copies

      • cmd.exe (PID: 2504)
    • Renames files like ransomware

      • BlackCat_Config.exe (PID: 1180)
    • Drops the executable file immediately after the start

      • BlackCat_Config.exe (PID: 1180)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3276)
    • Application launched itself

      • cmd.exe (PID: 1576)
      • BlackCat_Config.exe (PID: 1180)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1576)
      • BlackCat_Config.exe (PID: 1180)
    • Creates files like ransomware instruction

      • BlackCat_Config.exe (PID: 1180)
    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 3152)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3584)
    • The process creates files with name similar to system file names

      • BlackCat_Config.exe (PID: 1180)
    • Process drops legitimate windows executable

      • BlackCat_Config.exe (PID: 1180)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3068)
      • BlackCat_Config.exe (PID: 120)
      • BlackCat_Config.exe (PID: 1180)
      • BlackCat_Config.exe (PID: 2436)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3068)
      • BlackCat_Config.exe (PID: 3696)
      • BlackCat_Config.exe (PID: 3628)
      • mode.com (PID: 3420)
      • BlackCat_Config.exe (PID: 2828)
      • BlackCat_Config.exe (PID: 1180)
      • BlackCat_Config.exe (PID: 3044)
      • BlackCat_Config.exe (PID: 1896)
      • BlackCat_Config.exe (PID: 120)
      • BlackCat_Config.exe (PID: 2436)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3068)
      • BlackCat_Config.exe (PID: 3696)
      • notepad.exe (PID: 3524)
      • cmd.exe (PID: 2812)
      • notepad.exe (PID: 3784)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3068)
      • BlackCat_Config.exe (PID: 1180)
      • BlackCat_Config.exe (PID: 120)
      • BlackCat_Config.exe (PID: 2436)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3820)
    • Checks transactions between databases Windows and Oracle

      • BlackCat_Config.exe (PID: 120)
    • Creates files in the program directory

      • BlackCat_Config.exe (PID: 1180)
    • Dropped object may contain TOR URL's

      • BlackCat_Config.exe (PID: 1180)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:10:29 21:04:16
ZipCRC: 0xf1a77cc0
ZipCompressedSize: 1672904
ZipUncompressedSize: 3079168
ZipFileName: BlackCat_Config.exe
No data.
Total processes
81
Monitored processes
29
Malicious processes
6
Suspicious processes
1

Behavior graph

  • start
  • winrar.exe (no specs)
  • wmpnscfg.exe (no specs)
  • blackcat_config.exe (no specs)
  • notepad.exe (no specs)
  • cmd.exe (no specs)
  • blackcat_config.exe (no specs)
  • mode.com (no specs)
  • blackcat_config.exe (no specs)
  • blackcat_config.exe (no specs)
  • blackcat_config.exe (no specs)
  • blackcat_config.exe (no specs)
  • CMSTPLUA (no specs)
  • blackcat_config.exe
  • cmd.exe (no specs)
  • fsutil.exe (no specs)
  • cmd.exe (no specs)
  • fsutil.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • vssadmin.exe (no specs)
  • arp.exe (no specs)
  • vssvc.exe (no specs)
  • blackcat_config.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: BlackCat_Config.exe --access-token 123
Path: C:\Users\admin\Desktop\BlackCat_Config.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\users\admin\desktop\blackcat_config.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netapi32.dll
PID: 960
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
PID: 1180
CMD: "C:\Users\admin\Desktop\BlackCat_Config.exe" "--access-token" "123"
Path: C:\Users\admin\Desktop\BlackCat_Config.exe
Parent process: dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\blackcat_config.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\sechost.dll
PID: 1576
CMD: "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
Path: C:\Windows\System32\cmd.exe
Parent process: BlackCat_Config.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
PID: 1896
CMD: BlackCat_Config.exe --verbose
Path: C:\Users\admin\Desktop\BlackCat_Config.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\blackcat_config.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
PID: 2128
CMD: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2168
CMD: fsutil behavior set SymlinkEvaluation R2L:1
Path: C:\Windows\System32\fsutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
fsutil.exe
Exit code:
0
Version:
6.1.7601.17577 (win7sp1_gdr.110310-1504)
Modules
Images
c:\windows\system32\fsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2292
CMD: arp -a
Path: C:\Windows\System32\ARP.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Arp Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 2436
CMD: "C:\Users\admin\Desktop\BlackCat_Config.exe" --child --access-token 123
Path: C:\Users\admin\Desktop\BlackCat_Config.exe
Parent process: BlackCat_Config.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\blackcat_config.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
PID: 2504
CMD: "C:\Windows\system32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet"
Path: C:\Windows\System32\cmd.exe
Parent process: BlackCat_Config.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events
1 945
Read events
1 874
Write events
20
Delete events
51

Modification events

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (3820) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (3068) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9C115E1B-E13A-476B-8A5C-5C56EAB9DC66}\{980EF500-0244-449B-B7E6-122A1942B664}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3068) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9C115E1B-E13A-476B-8A5C-5C56EAB9DC66}
Operation: delete key
Name: (default)
Value:
Executable files
420
Suspicious files
6 579
Text files
1 650
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.b5o8ph3
Type: text
MD5: BFF1EBA7041AF7B373F4906B4D44ED5F
SHA256: D93620FFE3ACD8FFD6318402604F9269DDB14F558912602FD0FAA4652491CC08

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\admin\.oracle_jre_usage\RECOVER-b5o8ph3-FILES.txt
Type: text
MD5: 7B0FE4AB3A52F1F659ADA216DCFF68AD
SHA256: 80978A9CCED4AA454E842D4BC4014C35CC250614B52C6F9443E6B30D6F351A1B

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\Administrator\checkpoints-NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.b5o8ph3
Type: binary
MD5: 4C8E195A55FCF51B1401F14586D36A75
SHA256: C0F1C7BBB1F16E4AA39329640479ED2C3580C1C540ABA0F26256F00BFED78F86

PID: 3820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.21230\BlackCat_Config.exe
Type: executable
MD5: C681038BC738FF0A816176C4CD21150C
SHA256: C5AD3534E1C939661B71F56144D19FF36E9EA365FDB47E4F8E2D267C39376486

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.b5o8ph3
Type: image
MD5: 9FE72B0646ED43613EBBA75B52A85DC5
SHA256: 3FCBF7EBD46726915B959065F44ED5F18123BA89C0ED3E76CD089B2C53A748F1

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\Administrator\ntuser.dat.LOG1.b5o8ph3
Type: binary
MD5: 4F8D8BA1CBDD6A51A693AB0A9CE79F14
SHA256: 3DE8584BCDEF6D49DC8AB645845470D26A2765D921795D445CB801C785817E8E

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\Administrator\checkpoints-NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.b5o8ph3
Type: binary
MD5: 3D2AA00E7F80CED3C957191B5A4C3605
SHA256: 04D7A86144F3286D9D8676B4DA5E43D8894781ACF8219FFE075969D145321928

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\admin\Contacts\admin.contact.b5o8ph3
Type: xml
MD5: 7F467FF358243023B5786B254C645A68
SHA256: 8BFB06D3BBB310DB7EF20D2CA1C649875410F67253648BB5BFCF78E73F3EC18E

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\admin\.oracle_jre_usage\checkpoints-90737d32e3abaa4.timestamp.b5o8ph3
Type: binary
MD5: E07E828BC1FE3B49E6BBD0D4048180F8
SHA256: AA75424BADD104EB62AC5EE70C99157DD324FD490C15DDB29027EFE20E34C9A9

PID: 1180
Process: BlackCat_Config.exe
Filename: C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.b5o8ph3
Type: image
MD5: CAB94708B00B7FA4A20E233119D249F5
SHA256: A4284D985B3D861487815DBE4A1D580862827F74721694AD8A82F885A6FEB0FF
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1180 | BlackCat_Config.exe | 192.168.100.2:137 | - | - | - | whitelisted
1180 | BlackCat_Config.exe | 239.255.255.250:137 | - | - | - | whitelisted
1180 | BlackCat_Config.exe | 224.0.0.22:137 | - | - | - | unknown
1180 | BlackCat_Config.exe | 224.0.0.252:137 | - | - | - | unknown
1180 | BlackCat_Config.exe | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info