Analysis
max time kernel: 67s
max time network: 136s
platform: windows10_x64
resource: win10-en
submitted: 06-09-2021 21:01
Static task: static1
Behavioral task: behavioral1
Sample: w32.exe
Resource: win10-en (windows10_x64)
0 signatures, 0 seconds
General
Target: w32.exe
Size: 78KB
MD5: 6e5986761cea340dce2efd4cf4f3790c
SHA1: 4a8ca4b5c04112a753e9ff5989b80f0b12e13654
SHA256: 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd
SHA512: 8df4406a8807978df8690cb578cd00f8d22c2ad5ff78b8d87806484adcde2eaa2901f1da100c31f1538da0503043c78cb3856d0592af2f094901d864956b83af
Score: 10/10
Malware Config
Extracted
Path: C:\fViGXl6GW.README.txt
Family: blackmatter
Ransom Note:
~+
* +
' BLACK |
() .-.,='``'=. - o -
'=/_ \ |
* | '=._ |
\ `=./`, '
. '=.__.=' `=' *
+ Matter +
O * ' .
>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/GBSLNRB4NL0OG6FX
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs: http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/GBSLNRB4NL0OG6FX
Signatures
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be the Darkside and REvil successor.
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\FormatSend.tif.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\ApproveResume.tif => C:\Users\Admin\Pictures\ApproveResume.tif.fViGXl6GW | w32.exe
  File opened for modification | C:\Users\Admin\Pictures\CheckpointPop.tif.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\DebugCompare.raw => C:\Users\Admin\Pictures\DebugCompare.raw.fViGXl6GW | w32.exe
  File opened for modification | C:\Users\Admin\Pictures\DebugCompare.raw.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\FormatSend.tif => C:\Users\Admin\Pictures\FormatSend.tif.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\ReadUnregister.crw => C:\Users\Admin\Pictures\ReadUnregister.crw.fViGXl6GW | w32.exe
  File opened for modification | C:\Users\Admin\Pictures\ReadUnregister.crw.fViGXl6GW | w32.exe
  File opened for modification | C:\Users\Admin\Pictures\ApproveResume.tif.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointPop.tif => C:\Users\Admin\Pictures\CheckpointPop.tif.fViGXl6GW | w32.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointSend.raw => C:\Users\Admin\Pictures\CheckpointSend.raw.fViGXl6GW | w32.exe
  File opened for modification | C:\Users\Admin\Pictures\CheckpointSend.raw.fViGXl6GW | w32.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\Z: | w32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid | process
  4696 | w32.exe (6 occurrences)
- Drops file in Program Files directory (64 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-black_scale-200.png | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF | w32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.fViGXl6GW | w32.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.scale-100.png | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.fViGXl6GW | w32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_HR-HR.respack | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_pt_135x40.svg | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\SmallTile.scale-100.png | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Ice_Castle_Unearned_small.png | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xsl.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\plugin.js | w32.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psm1.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELM.fViGXl6GW | w32.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\sk\fViGXl6GW.README.txt | w32.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\fViGXl6GW.README.txt | w32.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\PlayStore_icon.svg | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js | w32.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeWideTile.scale-200_contrast-black.png | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config | w32.exe
  File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.fViGXl6GW | w32.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\az\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\README.txt.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-150.png | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.fViGXl6GW | w32.exe
  File created | C:\Program Files\Common Files\System\Ole DB\en-US\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-200.png | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\settle.scale-100.png | w32.exe
  File opened for modification | C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui | w32.exe
  File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js | w32.exe
  File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\rcypaper.jpg | w32.exe
  File created | C:\Program Files\Common Files\System\msadc\fr-FR\fViGXl6GW.README.txt | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\il_60x42.png | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\mask_corners.png | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-64.png | w32.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config | w32.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.fViGXl6GW | w32.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\LargeTile.scale-200.png | w32.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui | w32.exe
- Modifies Control Panel (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International | w32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  4696 | w32.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | process
  Token: SeBackupPrivilege | 4696 | w32.exe
  Token: SeDebugPrivilege | 4696 | w32.exe
  Token: 36 | 4696 | w32.exe
  Token: SeImpersonatePrivilege | 4696 | w32.exe
  Token: SeIncBasePriorityPrivilege | 4696 | w32.exe
  Token: SeIncreaseQuotaPrivilege | 4696 | w32.exe
  Token: 33 | 4696 | w32.exe
  Token: SeManageVolumePrivilege | 4696 | w32.exe
  Token: SeProfSingleProcessPrivilege | 4696 | w32.exe
  Token: SeRestorePrivilege | 4696 | w32.exe
  Token: SeSecurityPrivilege | 4696 | w32.exe
  Token: SeSystemProfilePrivilege | 4696 | w32.exe
  Token: SeTakeOwnershipPrivilege | 4696 | w32.exe
  Token: SeShutdownPrivilege | 4696 | w32.exe
  Token: SeBackupPrivilege | 4140 | vssvc.exe
  Token: SeRestorePrivilege | 4140 | vssvc.exe
  Token: SeAuditPrivilege | 4140 | vssvc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\w32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\w32.exe"
  PID: 4696
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4140
  - Suspicious use of AdjustPrivilegeToken