Analysis
- max time kernel: 116s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 05-10-2021 10:29
Static task: static1
Behavioral task: behavioral1
- Sample: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- Resource: win10-en-20210920
General
- Target: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- Size: 79KB
- MD5: 5de71f0e1ad0e2c2968153809ffaff05
- SHA1: f023f314327acd96cd8a0f8e32451b2d2dee61d0
- SHA256: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d
- SHA512: 2fce4fbdf3bc7e0dfa9cc90581c08ea6578522c65891e12359bd464b1ea007006979491b9049e4a20fabd196bf321275cc003d537236c2bd5bf8826f85543c05
Malware Config
Extracted
- C:\AVx2lZV2X.README.txt
- blackmatter
- http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/YdWh7oMKjT/13f1a8efc53e2fa712813f4c39147a79
- http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5AZHJFLKJNPOJ4F5O5T
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be the successor of Darkside and REvil.
-
Modifies extensions of user files (19 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Process for every entry below: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- File renamed: C:\Users\Admin\Pictures\ExitExport.raw => C:\Users\Admin\Pictures\ExitExport.raw.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\ExitExport.raw.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\JoinConfirm.png => C:\Users\Admin\Pictures\JoinConfirm.png.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\JoinConfirm.png.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\NewCompare.tiff.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\ApproveSubmit.crw.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\BackupInvoke.raw.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\ConvertToExit.png => C:\Users\Admin\Pictures\ConvertToExit.png.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\NewCompare.tiff => C:\Users\Admin\Pictures\NewCompare.tiff.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\NewCompare.tiff
- File renamed: C:\Users\Admin\Pictures\StartUpdate.raw => C:\Users\Admin\Pictures\StartUpdate.raw.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\StartUpdate.raw.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\ApproveSubmit.crw => C:\Users\Admin\Pictures\ApproveSubmit.crw.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\ConvertToExit.png.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\HideEdit.png.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\WriteCopy.raw => C:\Users\Admin\Pictures\WriteCopy.raw.AVx2lZV2X
- File opened for modification: C:\Users\Admin\Pictures\WriteCopy.raw.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\BackupInvoke.raw => C:\Users\Admin\Pictures\BackupInvoke.raw.AVx2lZV2X
- File renamed: C:\Users\Admin\Pictures\HideEdit.png => C:\Users\Admin\Pictures\HideEdit.png.AVx2lZV2X
-
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- File opened (read-only): \??\Z: (process: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe)
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Process for every entry below: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AVx2lZV2X.bmp"
- Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AVx2lZV2X.bmp"
-
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- pid 2072, process e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe (6 occurrences)
-
Modifies Control Panel (3 IoCs)
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Process for every entry below: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International
- Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
- pid 2072, process e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe (4 occurrences)
-
Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes: e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe, vssvc.exe
pid 2072, e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe:
- Token: SeBackupPrivilege
- Token: SeDebugPrivilege
- Token: 36
- Token: SeImpersonatePrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeIncreaseQuotaPrivilege
- Token: 33
- Token: SeManageVolumePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeRestorePrivilege
- Token: SeSecurityPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeShutdownPrivilege
pid 3912, vssvc.exe:
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d.exe"
Signatures: Modifies extensions of user files; Enumerates connected drives; Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
- Collection
- Command and Control
- Credential Access
- Defense Evasion: Modify Registry (1)
- Discovery: Query Registry (1); System Information Discovery (1); Peripheral Device Discovery (1)
- Execution
- Exfiltration
- Impact: Defacement (1)
- Initial Access
- Lateral Movement
- Persistence
- Privilege Escalation