Analysis
-
max time kernel
1565s -
max time network
1613s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
01-09-2021 09:08
Static task
static1
Behavioral task
behavioral1
Sample
EIS.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
EIS.exe
Resource
win10v20210410
General
-
Target
EIS.exe
-
Size
4.8MB
-
MD5
3df675b0800e6fc57c81271c440327c4
-
SHA1
361aaa051121753358ea49bfd05716cdd38fe492
-
SHA256
c3cc8efd60b85139c9b9f4c62c56ffbafde26c1b22cd7b339a371afde7fc513b
-
SHA512
321f4b2e5dda2b39268ea057df02f49e96a6ab8461fa9e0ed970202b9a934e816f4885c33534dad35f0301fb1046303a9d2b2207293947997db54e307cc4f06b
Malware Config
Extracted
C:\1rWCqamCt.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/5PBOYRSETHVDBDPTL
Extracted
blackmatter
2.0
b8726db5d916731db5625cfc30c4f7d9
-
attempt_auth
false
-
create_mutex
false
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConfirmPop.raw => C:\Users\Admin\Pictures\ConfirmPop.raw.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\ConfirmPop.raw.1rWCqamCt EIS.exe File renamed C:\Users\Admin\Pictures\EditRedo.tif => C:\Users\Admin\Pictures\EditRedo.tif.1rWCqamCt EIS.exe File renamed C:\Users\Admin\Pictures\UnpublishAssert.tif => C:\Users\Admin\Pictures\UnpublishAssert.tif.1rWCqamCt EIS.exe File renamed C:\Users\Admin\Pictures\ProtectStop.raw => C:\Users\Admin\Pictures\ProtectStop.raw.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\ProtectStop.raw.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\EditRedo.tif.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\InitializeApprove.tiff EIS.exe File renamed C:\Users\Admin\Pictures\InitializeApprove.tiff => C:\Users\Admin\Pictures\InitializeApprove.tiff.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\InitializeApprove.tiff.1rWCqamCt EIS.exe File renamed C:\Users\Admin\Pictures\PopEnable.png => C:\Users\Admin\Pictures\PopEnable.png.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\PopEnable.png.1rWCqamCt EIS.exe File opened for modification C:\Users\Admin\Pictures\UnpublishAssert.tif.1rWCqamCt EIS.exe -
resource yara_rule behavioral1/memory/1652-61-0x0000000000400000-0x0000000000BA4000-memory.dmp vmprotect -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1rWCqamCt.bmp" EIS.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1rWCqamCt.bmp" EIS.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop EIS.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" EIS.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe 1652 EIS.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 1652 EIS.exe Token: SeDebugPrivilege 1652 EIS.exe Token: 36 1652 EIS.exe Token: SeImpersonatePrivilege 1652 EIS.exe Token: SeIncBasePriorityPrivilege 1652 EIS.exe Token: SeIncreaseQuotaPrivilege 1652 EIS.exe Token: 33 1652 EIS.exe Token: SeManageVolumePrivilege 1652 EIS.exe Token: SeProfSingleProcessPrivilege 1652 EIS.exe Token: SeRestorePrivilege 1652 EIS.exe Token: SeSecurityPrivilege 1652 EIS.exe Token: SeSystemProfilePrivilege 1652 EIS.exe Token: SeTakeOwnershipPrivilege 1652 EIS.exe Token: SeShutdownPrivilege 1652 EIS.exe Token: SeBackupPrivilege 688 vssvc.exe Token: SeRestorePrivilege 688 vssvc.exe Token: SeAuditPrivilege 688 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\EIS.exe"C:\Users\Admin\AppData\Local\Temp\EIS.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:688