General
-
Target
klollar-LT2_2021-09-30_16_32_37.zip
-
Size
335KB
-
Sample
210930-vbwvwsabf5
-
MD5
808575dec4dfb3019a5b719c003c5436
-
SHA1
a83f82071e8a41c21071b4103d0c7b45c68f2f92
-
SHA256
98227953d55c5aee2271851cbea3680925d4d0838ee0d63090da143c8d71ac55
-
SHA512
f3b69684df19134647e009c5a2013dea2ddb730842a48cf79130f805ef911b413cc748f2099a72bf649d48c18ac11f95aa3a62a718a6dbb7372e3c06de686aa7
Static task
static1
Behavioral task
behavioral1
Sample
Device/HarddiskVolume3/WINDOWS/PREMIER.ps1
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Device/HarddiskVolume3/WINDOWS/PREMIER.ps1
Resource
win10v20210408
Malware Config
Extracted
\??\Z:\UCzUExPUL.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A
Targets
-
-
Target
Device/HarddiskVolume3/WINDOWS/PREMIER.ps1
-
Size
802KB
-
MD5
3721485def21e7efbb418b3502ebc000
-
SHA1
6ce90543099f44f06b9151524c22e497777ed026
-
SHA256
4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9
-
SHA512
a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211
Score10/10-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Blocklisted process makes network request
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-