General
-
Target
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
Size
66KB
-
Sample
210922-21p7zaeac8
-
MD5
a55bc3368a10ca5a92c1c9ecae97ced9
-
SHA1
72ed32b0e8692c7caa25d61e1828cdb48c4fe361
-
SHA256
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
SHA512
da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c
Static task
static1
Behavioral task
behavioral1
Sample
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009.exe
Resource
win10-en-20210920
Malware Config
Extracted
blackmatter
1.2
bab21ee475b52c0c9eb47d23ec9ba1d1
https://paymenthacks.com
http://paymenthacks.com
https://mojobiden.com
http://mojobiden.com
-
attempt_auth
false
-
create_mutex
true
-
encrypt_network_shares
true
-
exfiltrate
true
-
mount_volumes
true
Extracted
C:\1rWCqamCt.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Targets
-
-
Target
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
Size
66KB
-
MD5
a55bc3368a10ca5a92c1c9ecae97ced9
-
SHA1
72ed32b0e8692c7caa25d61e1828cdb48c4fe361
-
SHA256
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009
-
SHA512
da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-