blackmatter | 201ad4b503f9b0bf629c8acbb9d9f9722cfecd0f0b889d95d4a25d3c8beff3b8

Analysis

max time kernel
75s
max time network
146s
platform
windows10_x64
resource
win10-en
submitted
20-09-2021 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Size

79KB
MD5

62a1b4d4b461f4eaae91c70727f71604
SHA1

1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
SHA256

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
SHA512

d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

\??\Z:\fViGXl6GW.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 32 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UnregisterUninstall.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectRemove.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\PublishRename.tiff => C:\Users\Admin\Pictures\PublishRename.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterUninstall.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\PublishRename.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRepair.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\SendPublish.png => C:\Users\Admin\Pictures\SendPublish.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\SendPublish.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\TraceConnect.tif.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\CompressUnpublish.raw => C:\Users\Admin\Pictures\CompressUnpublish.raw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\CompressUnpublish.raw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectRemove.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRepair.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\RevokeRestart.png => C:\Users\Admin\Pictures\RevokeRestart.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeRestart.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\GrantNew.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\GrantNew.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\MeasureRevoke.tiff => C:\Users\Admin\Pictures\MeasureRevoke.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\UnregisterUninstall.tiff => C:\Users\Admin\Pictures\UnregisterUninstall.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\CheckpointResolve.crw => C:\Users\Admin\Pictures\CheckpointResolve.crw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\RedoReset.png => C:\Users\Admin\Pictures\RedoReset.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\RedoReset.png.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureRevoke.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\TraceConnect.tif => C:\Users\Admin\Pictures\TraceConnect.tif.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\ConnectRemove.tiff => C:\Users\Admin\Pictures\ConnectRemove.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureRevoke.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\PublishRename.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointResolve.crw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\DenyEnable.raw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\DenyEnable.raw => C:\Users\Admin\Pictures\DenyEnable.raw.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\GrantNew.tiff => C:\Users\Admin\Pictures\GrantNew.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\RestoreRepair.tiff => C:\Users\Admin\Pictures\RestoreRepair.tiff.fViGXl6GW	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fViGXl6GW.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fViGXl6GW.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\WallpaperStyle = "10"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeDebugPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 36	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeImpersonatePrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncBasePriorityPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncreaseQuotaPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 33	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeManageVolumePrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeProfSingleProcessPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeRestorePrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSecurityPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSystemProfilePrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeTakeOwnershipPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeShutdownPrivilege	2248	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeBackupPrivilege	4004	vssvc.exe
Token: SeRestorePrivilege	4004	vssvc.exe
Token: SeAuditPrivilege	4004	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
"C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-116-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2248-115-0x0000000003003000-0x0000000003005000-memory.dmp

Filesize
8KB

Download