blackmatter | e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d

General

Target

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Size

79KB
MD5

5de71f0e1ad0e2c2968153809ffaff05
SHA1

f023f314327acd96cd8a0f8e32451b2d2dee61d0
SHA256

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d
SHA512

2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 250 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79 >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\NewFind.raw => C:\Users\Admin\Pictures\NewFind.raw.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
File opened for modification	C:\Users\Admin\Pictures\NewFind.raw.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
File renamed	C:\Users\Admin\Pictures\RedoImport.crw => C:\Users\Admin\Pictures\RedoImport.crw.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
File opened for modification	C:\Users\Admin\Pictures\RedoImport.crw.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
File renamed	C:\Users\Admin\Pictures\RenameLimit.tif => C:\Users\Admin\Pictures\RenameLimit.tif.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
File opened for modification	C:\Users\Admin\Pictures\RenameLimit.tif.1rWCqamCt	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1rWCqamCt.bmp"	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1rWCqamCt.bmp"	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

pid	process
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10"	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1020 NOTEPAD.EXE

pid	process
1020	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

pid	process
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

860 splwow64.exe

pid	process
860	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeDebugPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: 36	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeImpersonatePrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeIncBasePriorityPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeIncreaseQuotaPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: 33	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeManageVolumePrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeProfSingleProcessPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeRestorePrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeSecurityPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeSystemProfilePrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeTakeOwnershipPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeShutdownPrivilege	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Token: SeBackupPrivilege	1372	vssvc.exe
Token: SeRestorePrivilege	1372	vssvc.exe
Token: SeAuditPrivilege	1372	vssvc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

splwow64.exe

pid process

860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe
860 splwow64.exe

pid	process
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe
860	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exeNOTEPAD.EXE

description	pid	process	target process
PID 1304 wrote to memory of 1020	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe	NOTEPAD.EXE
PID 1304 wrote to memory of 1020	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe	NOTEPAD.EXE
PID 1304 wrote to memory of 1020	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe	NOTEPAD.EXE
PID 1304 wrote to memory of 1020	1304	e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe	NOTEPAD.EXE
PID 1020 wrote to memory of 860	1020	NOTEPAD.EXE	splwow64.exe
PID 1020 wrote to memory of 860	1020	NOTEPAD.EXE	splwow64.exe
PID 1020 wrote to memory of 860	1020	NOTEPAD.EXE	splwow64.exe
PID 1020 wrote to memory of 860	1020	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
"C:\Users\Admin\AppData\Local\Temp\e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\1rWCqamCt.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1rWCqamCt.README.txt
MD5
b7f54f12f8d46188c98172cf6c39f91e

SHA1
73f9572f52d54b2cffb8e4464f28453bc3d192b9

SHA256
dedefcd61e8ed1e5a7c8a9469aad4605042ce2eb69c2b20cf6e1ed9b8a14f56d

SHA512
2f0f138db798902990fb4c4cd4f05c66f656a7aef5aa186bad17a39683973c98da392b5207d9ba654a6e2774d920bbf2afea996513e91d159cb87961548374d5

Download Submit
C:\Users\Admin\Documents\GetSuspend.xps.1rWCqamCt
MD5
1dad6e8e7e45e6214c61ddb96d793174

SHA1
44db3f75ab404023e0641c73054f13bf20893b62

SHA256
69e37366b80d04e76f8387de20ae20118649af89377ba971f8180704baf89853

SHA512
7264234a245a8a3fd49bdd1b5917aacb7400724d3675bec30528f0bf707d72c9cbdf0a91923e10378b64bf7bc1c6ad272398795850ef1ea1eb52dcbada0dbb86

Download Submit
C:\Users\Admin\Documents\UnprotectCopy.xps.1rWCqamCt
MD5
1781ab0a0ac2d51917ee06503bd2d9dc

SHA1
84d642df6aff81e845766bbadff59beb1706b5eb

SHA256
15375a32a778d939c318c1a603f9fb08384405571191f6aeeccf53548698b16c

SHA512
e5d45145b772dcd39fb42db8143013604b158fca5b9f452ac95c11bfbd34e5dccdbf804faec5df3122d8ee92c4ed6f1e153971710c9c3e35da09243a1003b9ea

Download Submit
memory/860-67-0x0000000000000000-mapping.dmp

Download
memory/860-68-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/860-71-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/1020-64-0x0000000000000000-mapping.dmp

Download
memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1304-61-0x0000000000865000-0x0000000000876000-memory.dmp

Filesize
68KB

Download
memory/1304-62-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1304-63-0x0000000000876000-0x0000000000877000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads