Analysis

max time kernel: 149s
max time network: 44s
platform: windows7_x64
resource: win7-en-20210916
submitted: 20-09-2021 12:45
Static task: static1

Behavioral task: behavioral1
  Sample: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
  Resource: win7-en-20210916

Behavioral task: behavioral2
  Sample: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
  Resource: win10v20210408
General

Target: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Size: 79KB
MD5: 18c7c940bc6a4e778fbdf4a3e28151a8
SHA1: f3589918d71b87c7e764479b79c4a7b485cb746a
SHA256: 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
SHA512: 6e808fe882640a517c2054fdece73059c7ea3e27a946e55f41b91fd0f757dcd8c76be8f381f60f3e45449edebaa4f620b903337727607f7768543b1acec40d18
Malware Config

Extracted
  Path: C:\SykSKioSK.README.txt
  Family: blackmatter
  URLs:
    http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79
    http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T
Signatures

BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Here every renamed file gets the same appended suffix (.SykSKioSK), and the same token names the ransom note (SykSKioSK.README.txt) and the wallpaper image (SykSKioSK.bmp).
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\RevokePush.tif => C:\Users\Admin\Pictures\RevokePush.tif.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\RevokePush.tif.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\SelectDismount.crw => C:\Users\Admin\Pictures\SelectDismount.crw.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\SelectDismount.crw.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\RegisterCheckpoint.tiff | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\RegisterCheckpoint.tiff => C:\Users\Admin\Pictures\RegisterCheckpoint.tiff.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\RegisterCheckpoint.tiff.SykSKioSK | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\SykSKioSK.bmp" | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\SykSKioSK.bmp" | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Control Panel (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\International | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Modifies registry class (20 IoCs)
All 20 writes come from splwow64.exe (the print driver host for 32-bit applications) and target Explorer shell-bag view-state keys (BagMRU, Bags\1\ComDlg) that the common print dialog maintains; they are a side effect of the notepad /p print job below, not persistence by the sample.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | splwow64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | splwow64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | splwow64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_Classes\Local Settings | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | splwow64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | splwow64.exe
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
320 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
396 | splwow64.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeDebugPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: 36 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeImpersonatePrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeIncBasePriorityPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeIncreaseQuotaPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: 33 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeManageVolumePrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeProfSingleProcessPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeRestorePrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeSecurityPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeSystemProfilePrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeTakeOwnershipPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeShutdownPrivilege | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
Token: SeBackupPrivilege | 1568 | vssvc.exe
Token: SeRestorePrivilege | 1568 | vssvc.exe
Token: SeAuditPrivilege | 1568 | vssvc.exe
Suspicious use of SetWindowsHookEx (9 IoCs)
pid | Process
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe
396 | splwow64.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 532 wrote to memory of 320 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe | 35
PID 532 wrote to memory of 320 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe | 35
PID 532 wrote to memory of 320 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe | 35
PID 532 wrote to memory of 320 | 532 | 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe | 35
PID 320 wrote to memory of 396 | 320 | NOTEPAD.EXE | 36
PID 320 wrote to memory of 396 | 320 | NOTEPAD.EXE | 36
PID 320 wrote to memory of 396 | 320 | NOTEPAD.EXE | 36
PID 320 wrote to memory of 396 | 320 | NOTEPAD.EXE | 36
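The three behaviours that identify this run as a BlackMatter encryption job (bulk renames that append one suffix, a wallpaper write under Control Panel\Desktop, and a ransom note handed to notepad /p, which prints it and so spawns the print driver host splwow64.exe) share one victim-ID token. The script below is an added example, not part of the sandbox report, that correlates those signals the way a detection engineer would when triaging the event feed. The event dicts and their field names (pid, op, src, dst, key, value, image, cmdline) are this script's own constructed convention mirroring the IoC rows above, not a sandbox export format; the benign winword.exe rename is constructed to show the minimum-file threshold doing its job.

```python
"""Correlate sandbox-style file, registry and process events into a ransomware finding.

Added example, not the sandbox's code. Events are constructed from the report's IoC rows;
the dict layout is this script's own convention (assumption), not a sandbox export format.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-2375386074-2889020035-839874990-1000"

# Constructed events mirroring the report. The winword.exe rename is a made-up benign
# control case: one file renamed by another process must not trigger a finding.
EVENTS = [
    {"pid": 532, "image": SAMPLE, "op": "rename",
     "src": r"C:\Users\Admin\Pictures\RevokePush.tif",
     "dst": r"C:\Users\Admin\Pictures\RevokePush.tif.SykSKioSK"},
    {"pid": 532, "image": SAMPLE, "op": "rename",
     "src": r"C:\Users\Admin\Pictures\SelectDismount.crw",
     "dst": r"C:\Users\Admin\Pictures\SelectDismount.crw.SykSKioSK"},
    {"pid": 532, "image": SAMPLE, "op": "rename",
     "src": r"C:\Users\Admin\Pictures\RegisterCheckpoint.tiff",
     "dst": r"C:\Users\Admin\Pictures\RegisterCheckpoint.tiff.SykSKioSK"},
    {"pid": 900, "image": "winword.exe", "op": "rename",
     "src": r"C:\Users\Admin\Documents\~WRL0001.tmp",
     "dst": r"C:\Users\Admin\Documents\~WRL0001.tmp.bak"},
    {"pid": 532, "image": SAMPLE, "op": "regset",
     "key": HKU + "\\Control Panel\\Desktop\\WallPaper",
     "value": r"C:\ProgramData\SykSKioSK.bmp"},
    {"pid": 532, "image": SAMPLE, "op": "regset",
     "key": HKU + "\\Control Panel\\Desktop\\WallpaperStyle", "value": "10"},
    {"pid": 320, "ppid": 532, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE", "op": "process",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" /p C:\SykSKioSK.README.txt'},
    {"pid": 396, "ppid": 320, "image": r"C:\Windows\splwow64.exe", "op": "process",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def appended_suffix(src, dst):
    """Return the suffix when dst is exactly src plus one extra '.suffix', else None."""
    if not dst.startswith(src + "."):
        return None
    tail = dst[len(src) + 1:]
    return tail if tail and "." not in tail and "\\" not in tail else None


def extension_campaigns(events, min_files=3):
    """Map (pid, suffix) -> count for processes that appended one suffix to >= min_files files."""
    counts = defaultdict(int)
    for e in events:
        if e["op"] == "rename":
            suffix = appended_suffix(e["src"], e["dst"])
            if suffix:
                counts[(e["pid"], suffix)] += 1
    return {k: v for k, v in counts.items() if v >= min_files}


# Case-insensitive: the report shows both 'WallPaper' and 'Wallpaper' spellings.
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)


def wallpaper_writes(events):
    """(pid, value) for every write to the per-user Desktop\\Wallpaper value."""
    return [(e["pid"], e["value"]) for e in events
            if e["op"] == "regset" and WALLPAPER_KEY.search(e["key"])]


# 'notepad /p <file>' prints the file; the spawned splwow64.exe is the print driver host.
NOTEPAD_PRINT = re.compile(r'notepad\.exe"?\s+/p\s+(?P<note>\S+)', re.IGNORECASE)


def printed_notes(events):
    """(pid, ppid, path) for every file sent to the printer through notepad /p."""
    out = []
    for e in events:
        if e["op"] == "process":
            m = NOTEPAD_PRINT.search(e.get("cmdline", ""))
            if m:
                out.append((e["pid"], e.get("ppid"), m.group("note")))
    return out


def correlate(events, min_files=3):
    """One finding per encrypting process, tying wallpaper and note to the suffix token."""
    findings = []
    for (pid, suffix), n in extension_campaigns(events, min_files).items():
        wallpaper = [v for p, v in wallpaper_writes(events)
                     if p == pid and suffix in ntpath.basename(v)]
        notes = [note for _, ppid, note in printed_notes(events)
                 if ppid == pid and suffix in ntpath.basename(note)]
        findings.append({"pid": pid, "extension": suffix, "files": n,
                         "wallpaper": wallpaper[0] if wallpaper else None,
                         "ransom_note": notes[0] if notes else None})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The threshold matters: a single append-rename is normal editor behaviour (the constructed .bak case), whereas three or more files gaining the same unknown suffix from one process inside a user profile is the signal. Requiring the suffix token to reappear in the wallpaper path and the printed note name turns three weak indicators into one confident finding.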
Processes

1. C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2.bin.sample.exe"
   PID: 532
   - Modifies extensions of user files
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies Control Panel
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" /p C:\SykSKioSK.README.txt
      PID: 320
      - Opens file in notepad (likely ransom note)
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\splwow64.exe
         Command line: C:\Windows\splwow64.exe 12288
         PID: 396
         - Modifies registry class
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 1568
   - Suspicious use of AdjustPrivilegeToken