General
-
Target
5602495258853376.zip
-
Size
1.1MB
-
Sample
210823-x3sw7v2l5s
-
MD5
a3d5610af86633ee689b53347b95c30b
-
SHA1
975c08c0a41d9a2819e52d2da22d9106bee06781
-
SHA256
08dca840a349cd814b1f5aae53ba95f204c8207d02b44561f5760482eb84fbfe
-
SHA512
b47484821c809412402e8049b25260dd917d3094be0c94ad0f7439a02ae7c648769fa4720f69f01da626d929eb60c33d18e4c4a3763fa86217ad21641133133a
Static task
static1
Behavioral task
behavioral1
Sample
cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Resource
win10v20210408
Malware Config
Extracted
blackmatter
1.4
caa0d21adc7bdc4dc424497512a8f37d
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\UCzUExPUL.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S
Targets
-
-
Target
cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
-
Size
1.3MB
-
MD5
da3ab4d40944c077f92e52d2c1de8fca
-
SHA1
6676ef8826b9e5419958761f3a71464105290288
-
SHA256
cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
-
SHA512
1dcc1259105c730fff76e518d7d57bce8cacacfebc05cf7b3294ccdbf8286635bfe43532f7a19507d3fd42973429f2c9335d031cbd473b356cba1bab79ce318a
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-