General
Target: mpressed.exe_
Size: 31KB
Sample: 211004-2w7lfshah9
MD5: b07ff2183904731e4905b1bc1e23d24e
SHA1: 3fe14bbf67d25bfa3b9d06f5f1fc7812aa28a687
SHA256: 3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117
SHA512: e7774b76759952979bac48a5f1a24808d957181d5720393f16cfb6af054253a47fd63c9f068203eb2433ff768979c59043f9f4a52cf734f375583ddaba478c4d
Static task: static1
Behavioral task: behavioral1
  Sample: mpressed.exe_.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: mpressed.exe_.exe
  Resource: win10-en-20210920
Malware Config
Extracted
  Path: C:\1rWCqamCt.README.txt
  Family: blackmatter
  URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Targets
Target: mpressed.exe_
Score: 10/10
BlackMatter Ransomware: BlackMatter ransomware group claims to be Darkside and REvil successor.
Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger