Analysis
-
max time kernel
361s -
max time network
1444s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
01-09-2021 09:08
Static task
static1
Behavioral task
behavioral1
Sample
EIS.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
EIS.exe
Resource
win10v20210410
General
-
Target
EIS.exe
-
Size
4.8MB
-
MD5
3df675b0800e6fc57c81271c440327c4
-
SHA1
361aaa051121753358ea49bfd05716cdd38fe492
-
SHA256
c3cc8efd60b85139c9b9f4c62c56ffbafde26c1b22cd7b339a371afde7fc513b
-
SHA512
321f4b2e5dda2b39268ea057df02f49e96a6ab8461fa9e0ed970202b9a934e816f4885c33534dad35f0301fb1046303a9d2b2207293947997db54e307cc4f06b
Malware Config
Extracted
C:\oSPvdHTvI.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/5PBOYRSETHVDBDPTL
Extracted
blackmatter
2.0
b8726db5d916731db5625cfc30c4f7d9
-
attempt_auth
false
-
create_mutex
false
-
encrypt_network_shares
true
-
exfiltrate
false
-
mount_volumes
true
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 22 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InstallDisconnect.crw => C:\Users\Admin\Pictures\InstallDisconnect.crw.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\InstallDisconnect.crw.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\InvokeSubmit.tiff => C:\Users\Admin\Pictures\InvokeSubmit.tiff.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\MoveDisable.raw => C:\Users\Admin\Pictures\MoveDisable.raw.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\MoveDisable.raw.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\SuspendApprove.tif => C:\Users\Admin\Pictures\SuspendApprove.tif.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\RestoreNew.tif => C:\Users\Admin\Pictures\RestoreNew.tif.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\SubmitInitialize.png => C:\Users\Admin\Pictures\SubmitInitialize.png.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\WatchInvoke.raw => C:\Users\Admin\Pictures\WatchInvoke.raw.oSPvdHTvI EIS.exe File renamed C:\Users\Admin\Pictures\InitializeStep.raw => C:\Users\Admin\Pictures\InitializeStep.raw.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\InvokeSubmit.tiff EIS.exe File renamed C:\Users\Admin\Pictures\ResetInitialize.png => C:\Users\Admin\Pictures\ResetInitialize.png.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\SyncAdd.tiff.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\SyncAdd.tiff EIS.exe File renamed C:\Users\Admin\Pictures\SyncAdd.tiff => C:\Users\Admin\Pictures\SyncAdd.tiff.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\InitializeStep.raw.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\InvokeSubmit.tiff.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\ResetInitialize.png.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\RestoreNew.tif.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\SubmitInitialize.png.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\SuspendApprove.tif.oSPvdHTvI EIS.exe File opened for modification C:\Users\Admin\Pictures\WatchInvoke.raw.oSPvdHTvI EIS.exe -
resource yara_rule behavioral2/memory/3988-115-0x0000000000400000-0x0000000000BA4000-memory.dmp vmprotect -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: EIS.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\oSPvdHTvI.bmp" EIS.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\oSPvdHTvI.bmp" EIS.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop EIS.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" EIS.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe 3988 EIS.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 3988 EIS.exe Token: SeDebugPrivilege 3988 EIS.exe Token: 36 3988 EIS.exe Token: SeImpersonatePrivilege 3988 EIS.exe Token: SeIncBasePriorityPrivilege 3988 EIS.exe Token: SeIncreaseQuotaPrivilege 3988 EIS.exe Token: 33 3988 EIS.exe Token: SeManageVolumePrivilege 3988 EIS.exe Token: SeProfSingleProcessPrivilege 3988 EIS.exe Token: SeRestorePrivilege 3988 EIS.exe Token: SeSecurityPrivilege 3988 EIS.exe Token: SeSystemProfilePrivilege 3988 EIS.exe Token: SeTakeOwnershipPrivilege 3988 EIS.exe Token: SeShutdownPrivilege 3988 EIS.exe Token: SeBackupPrivilege 2492 vssvc.exe Token: SeRestorePrivilege 2492 vssvc.exe Token: SeAuditPrivilege 2492 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\EIS.exe"C:\Users\Admin\AppData\Local\Temp\EIS.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492