blackmatter | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2

General

Target

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Size

79KB
MD5

18c7c940bc6a4e778fbdf4a3e28151a8
SHA1

f3589918d71b87c7e764479b79c4a7b485cb746a
SHA256

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
SHA512

6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\SykSKioSK.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 250 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79 >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RevokePush.tif => C:\Users\Admin\Pictures\RevokePush.tif.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RevokePush.tif.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SelectDismount.crw => C:\Users\Admin\Pictures\SelectDismount.crw.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SelectDismount.crw.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterCheckpoint.tiff	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RegisterCheckpoint.tiff => C:\Users\Admin\Pictures\RegisterCheckpoint.tiff.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterCheckpoint.tiff.SykSKioSK	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\SykSKioSK.bmp"	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\SykSKioSK.bmp"	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

pid	process
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\International	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\WallpaperStyle = "10"	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_Classes\Local Settings	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

320 NOTEPAD.EXE

pid	process
320	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

pid	process
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

396 splwow64.exe

pid	process
396	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeDebugPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: 36	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeImpersonatePrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeIncBasePriorityPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeIncreaseQuotaPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: 33	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeManageVolumePrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeProfSingleProcessPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeRestorePrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeSecurityPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeSystemProfilePrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeTakeOwnershipPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeShutdownPrivilege	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeBackupPrivilege	1568	vssvc.exe
Token: SeRestorePrivilege	1568	vssvc.exe
Token: SeAuditPrivilege	1568	vssvc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

splwow64.exe

pid process

396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe
396 splwow64.exe

pid	process
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe
396	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exeNOTEPAD.EXE

description	pid	process	target process
PID 532 wrote to memory of 320	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe	NOTEPAD.EXE
PID 532 wrote to memory of 320	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe	NOTEPAD.EXE
PID 532 wrote to memory of 320	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe	NOTEPAD.EXE
PID 532 wrote to memory of 320	532	2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe	NOTEPAD.EXE
PID 320 wrote to memory of 396	320	NOTEPAD.EXE	splwow64.exe
PID 320 wrote to memory of 396	320	NOTEPAD.EXE	splwow64.exe
PID 320 wrote to memory of 396	320	NOTEPAD.EXE	splwow64.exe
PID 320 wrote to memory of 396	320	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\SykSKioSK.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SykSKioSK.README.txt
MD5
b7f54f12f8d46188c98172cf6c39f91e

SHA1
73f9572f52d54b2cffb8e4464f28453bc3d192b9

SHA256
dedefcd61e8ed1e5a7c8a9469aad4605042ce2eb69c2b20cf6e1ed9b8a14f56d

SHA512
2f0f138db798902990fb4c4cd4f05c66f656a7aef5aa186bad17a39683973c98da392b5207d9ba654a6e2774d920bbf2afea996513e91d159cb87961548374d5

Download Submit
C:\Users\Admin\Documents\ReceiveTest.xps.SykSKioSK
MD5
68fed270fa2b30c84f09548536363dc0

SHA1
3273cb0686b2adf70354678339c90ca42fd3caf5

SHA256
36f8ea2190f3313953cf20a40121ae130690a2d8be3e6c86b382ba928abbca45

SHA512
9de50649dfdc9402d80ab244dacfd3a9fceb343e65ce591c0f54bcbe1eb78f3f05cc49263aec28569487a2d63829a7d49dace58fcf56b05116b89069a706a49b

Download Submit
C:\Users\Admin\Documents\UnblockReset.xps.SykSKioSK
MD5
daa3907719513eb079a9c2604e173dd0

SHA1
130f0c62d666b34e2dc1ae304723ae3cc5ba05aa

SHA256
44a1255f77994ede7874e5a616c89b9cb3dad09590a907053ad026d85e673167

SHA512
1933af35d8b076f9b2aed00e3a90a5e7ac1bf80bf516efbb324469bb691c530990ec96e88ee3798a2742b9b231a6a1af1834a54abbf1010d6e1bff4be757e4c7

Download Submit
memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/396-61-0x0000000000000000-mapping.dmp

Download
memory/396-62-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download
memory/396-65-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/532-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/532-55-0x0000000001DB5000-0x0000000001DC6000-memory.dmp

Filesize
68KB

Download
memory/532-56-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/532-57-0x0000000001DC6000-0x0000000001DC7000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads