Analysis
-
max time kernel
11s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
09-08-2021 20:26
Static task
static1
Behavioral task
behavioral1
Sample
86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll
Resource
win10v20210410
General
-
Target
86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll
-
Size
73KB
-
MD5
01aef1c692a50a9d0e0369a58b1516ff
-
SHA1
8572344f5320d4b9ea4c03c37409210a290540c0
-
SHA256
86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94
-
SHA512
abbd643dfcc25bc68983ff1c572824cfd1a2f44eff3f37c22450041aa2de31bdaace6996c55e2371040f479a9b5364bbcfbc41d6bc48e364a0433bb76e7b6f72
Malware Config
Extracted
C:\oSPvdHTvI.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\StepGet.tiff => C:\Users\Admin\Pictures\StepGet.tiff.oSPvdHTvI rundll32.exe File opened for modification C:\Users\Admin\Pictures\StepGet.tiff.oSPvdHTvI rundll32.exe File renamed C:\Users\Admin\Pictures\CompleteSubmit.raw => C:\Users\Admin\Pictures\CompleteSubmit.raw.oSPvdHTvI rundll32.exe File opened for modification C:\Users\Admin\Pictures\DebugUse.crw.oSPvdHTvI rundll32.exe File renamed C:\Users\Admin\Pictures\MeasureUpdate.tif => C:\Users\Admin\Pictures\MeasureUpdate.tif.oSPvdHTvI rundll32.exe File opened for modification C:\Users\Admin\Pictures\MeasureUpdate.tif.oSPvdHTvI rundll32.exe File opened for modification C:\Users\Admin\Pictures\StepGet.tiff rundll32.exe File opened for modification C:\Users\Admin\Pictures\CompleteSubmit.raw.oSPvdHTvI rundll32.exe File renamed C:\Users\Admin\Pictures\DebugUse.crw => C:\Users\Admin\Pictures\DebugUse.crw.oSPvdHTvI rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: rundll32.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\oSPvdHTvI.bmp" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\oSPvdHTvI.bmp" rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe 3124 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 3124 rundll32.exe Token: SeDebugPrivilege 3124 rundll32.exe Token: 36 3124 rundll32.exe Token: SeImpersonatePrivilege 3124 rundll32.exe Token: SeIncBasePriorityPrivilege 3124 rundll32.exe Token: SeIncreaseQuotaPrivilege 3124 rundll32.exe Token: 33 3124 rundll32.exe Token: SeManageVolumePrivilege 3124 rundll32.exe Token: SeProfSingleProcessPrivilege 3124 rundll32.exe Token: SeRestorePrivilege 3124 rundll32.exe Token: SeSecurityPrivilege 3124 rundll32.exe Token: SeSystemProfilePrivilege 3124 rundll32.exe Token: SeTakeOwnershipPrivilege 3124 rundll32.exe Token: SeShutdownPrivilege 3124 rundll32.exe Token: SeBackupPrivilege 2228 vssvc.exe Token: SeRestorePrivilege 2228 vssvc.exe Token: SeAuditPrivilege 2228 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3984 wrote to memory of 3124 3984 rundll32.exe 72 PID 3984 wrote to memory of 3124 3984 rundll32.exe 72 PID 3984 wrote to memory of 3124 3984 rundll32.exe 72
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94.dll,#12⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228