General

  • Target

    BlackMatterSample.rar

  • Size

    36KB

  • Sample

    210929-1n8ywagabm

  • MD5

    16dfe367a2a6e12636757b16de480d0f

  • SHA1

    4d4b4ac4e4bf89e298bba90d2f8f5b93fbc5798f

  • SHA256

    b1891a5375198e262dfe6f83a89574e7aa438f41e2853d5d31e101bcec95cbf3

  • SHA512

    36a2d5a6b1d30f7409a9195633830a2f91cd228e1dc1e726ee38c5d3c720787301f438220cf430cca3f53e3628458b8bf112a17ff8824390ea5b31e56f7c7151

Score
10/10

Malware Config

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .
>>> Hello Expert System SpA
We offer you a quick solution to this problem without too much fuss and publicity. You buy our decryption software and we remove all the information we were able to pull from your network. Otherwise, we will make the incident public and notify your customers of the data theft and hacking. The reputation will be ruined and may cause much more damage than the opportunity to negotiate with us. If you value your time and money of your clients, we are waiting for the dialogue in our chat room, the link to which you will find below.
>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What data stolen?
From your network was stolen of data. If you do not contact us we will publish all your data will send it to the biggest mass media and your customers.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/YX6RXMC65MRX8LLQ
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/YX6RXMC65MRX8LLQ

Targets

    • Target

      BlackMatterSample/69e5f8287029bcc65354abefabb6854b4f7183735bd50b2da0624eb3ae252ea8

    • Size

      82KB

    • MD5

      73ec7f773ed33070c979fce8027f4680

    • SHA1

      d3eb98283502aeb85340267d1ba110390b77c436

    • SHA256

      69e5f8287029bcc65354abefabb6854b4f7183735bd50b2da0624eb3ae252ea8

    • SHA512

      6834caf307cd829dd394405985ade89afc41f6dbd53e6807b7af0a8ed8042a3d047f7a67c95bc4919793a20da34087815a35c494b7adcd85cae071be0b335e85

    Score
    10/10
    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor to DarkSide and REvil.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks