blackmatter | 98227953d55c5aee2271851cbea3680925d4d0838ee0d63090da143c8d71ac55

General

Target

Device/HarddiskVolume3/WINDOWS/PREMIER.ps1
Size

802KB
MD5

3721485def21e7efbb418b3502ebc000
SHA1

6ce90543099f44f06b9151524c22e497777ed026
SHA256

4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9
SHA512

a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

\??\Z:\UCzUExPUL.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Blocklisted process makes network request 5 IoCs

flow	pid	Process
13	3240	powershell.exe
15	3240	powershell.exe
17	3240	powershell.exe
19	3240	powershell.exe
20	3240	powershell.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BackupRedo.tif => C:\Users\Admin\Pictures\BackupRedo.tif.UCzUExPUL	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\BackupRedo.tif.UCzUExPUL	powershell.exe
File renamed	C:\Users\Admin\Pictures\JoinEnable.tif => C:\Users\Admin\Pictures\JoinEnable.tif.UCzUExPUL	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\JoinEnable.tif.UCzUExPUL	powershell.exe
File renamed	C:\Users\Admin\Pictures\SuspendRestore.png => C:\Users\Admin\Pictures\SuspendRestore.png.UCzUExPUL	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendRestore.png.UCzUExPUL	powershell.exe
File renamed	C:\Users\Admin\Pictures\TraceConvertFrom.png => C:\Users\Admin\Pictures\TraceConvertFrom.png.UCzUExPUL	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\TraceConvertFrom.png.UCzUExPUL	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\UCzUExPUL.bmp"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\UCzUExPUL.bmp"	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3944	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeBackupPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: 36	3240	powershell.exe
Token: SeImpersonatePrivilege	3240	powershell.exe
Token: SeIncBasePriorityPrivilege	3240	powershell.exe
Token: SeIncreaseQuotaPrivilege	3240	powershell.exe
Token: 33	3240	powershell.exe
Token: SeManageVolumePrivilege	3240	powershell.exe
Token: SeProfSingleProcessPrivilege	3240	powershell.exe
Token: SeRestorePrivilege	3240	powershell.exe
Token: SeSecurityPrivilege	3240	powershell.exe
Token: SeSystemProfilePrivilege	3240	powershell.exe
Token: SeTakeOwnershipPrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	3240	powershell.exe
Token: SeBackupPrivilege	764	vssvc.exe
Token: SeRestorePrivilege	764	vssvc.exe
Token: SeAuditPrivilege	764	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3240	4016	powershell.exe	69
PID 4016 wrote to memory of 3240	4016	powershell.exe	69
PID 4016 wrote to memory of 3240	4016	powershell.exe	69

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\WINDOWS\PREMIER.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\WINDOWS\PREMIER.ps1
  2⤵
  - Blocklisted process makes network request
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UCzUExPUL.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3240-182-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/3240-220-0x000000000D850000-0x000000000D851000-memory.dmp

Filesize
4KB

Download
memory/3240-183-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/3240-172-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/3240-173-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/3240-175-0x0000000002D12000-0x0000000002D13000-memory.dmp

Filesize
4KB

Download
memory/3240-174-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/3240-176-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/3240-177-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/3240-178-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3240-179-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3240-439-0x000000000C043000-0x000000000C045000-memory.dmp

Filesize
8KB

Download
memory/3240-181-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/3240-440-0x000000000C040000-0x000000000C041000-memory.dmp

Filesize
4KB

Download
memory/3240-436-0x0000000002D16000-0x0000000002D18000-memory.dmp

Filesize
8KB

Download
memory/3240-188-0x000000000DB10000-0x000000000DB11000-memory.dmp

Filesize
4KB

Download
memory/3240-189-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3240-205-0x0000000007810000-0x0000000007843000-memory.dmp

Filesize
204KB

Download
memory/3240-213-0x000000007E490000-0x000000007E491000-memory.dmp

Filesize
4KB

Download
memory/3240-214-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/3240-219-0x000000000D700000-0x000000000D701000-memory.dmp

Filesize
4KB

Download
memory/3240-420-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/3240-223-0x0000000002D13000-0x0000000002D14000-memory.dmp

Filesize
4KB

Download
memory/3240-414-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/4016-123-0x00000277ACB90000-0x00000277ACB92000-memory.dmp

Filesize
8KB

Download
memory/4016-125-0x00000277ACB96000-0x00000277ACB98000-memory.dmp

Filesize
8KB

Download
memory/4016-122-0x00000277ACDA0000-0x00000277ACDA1000-memory.dmp

Filesize
4KB

Download
memory/4016-124-0x00000277ACB93000-0x00000277ACB95000-memory.dmp

Filesize
8KB

Download
memory/4016-119-0x00000277ACAE0000-0x00000277ACAE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads