General

  • Target

    klollar-LT2_2021-09-30_16_32_37.zip

  • Size

    335KB

  • Sample

    210930-vbwvwsabf5

  • MD5

    808575dec4dfb3019a5b719c003c5436

  • SHA1

    a83f82071e8a41c21071b4103d0c7b45c68f2f92

  • SHA256

    98227953d55c5aee2271851cbea3680925d4d0838ee0d63090da143c8d71ac55

  • SHA512

    f3b69684df19134647e009c5a2013dea2ddb730842a48cf79130f805ef911b413cc748f2099a72bf649d48c18ac11f95aa3a62a718a6dbb7372e3c06de686aa7

Score
10/10

Malware Config

Extracted

Path

\??\Z:\UCzUExPUL.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A

Targets

    • Target

      Device/HarddiskVolume3/WINDOWS/PREMIER.ps1

    • Size

      802KB

    • MD5

      3721485def21e7efbb418b3502ebc000

    • SHA1

      6ce90543099f44f06b9151524c22e497777ed026

    • SHA256

      4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

    • SHA512

      a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks