Analysis
max time kernel: 144s
max time network: 147s
platform: windows10_x64
resource: win10-en-20210920
submitted: 05-10-2021 12:34
Static task: static1
Behavioral task: behavioral1
  Sample: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
  Resource: win10-en-20210920
General
Target: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll
Size: 67KB
MD5: 639bb7abbd9bc6a9c275d0bf9555b610
SHA1: e4831da0e8fe5f0a01cd42693e607bc611423c16
SHA256: c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
SHA512: f01621fab7ba598b80d52675c20d0d4bb4749b91df3298ee1bd6d6d410eb54d091677f85a2d4673eb9dc3d8cff6f4a328735226de0f5a01bd314dbe6d9af92aa
Malware Config
Extracted
C:\AVx2lZV2X.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Signatures
BlackMatter Ransomware
BlackMatter ransomware group claims to be the Darkside and REvil successor.
Blocklisted process makes network request (6 IoCs)
flow  pid   Process
2     3116  rundll32.exe
4     3116  rundll32.exe
6     3116  rundll32.exe
8     3116  rundll32.exe
10    3116  rundll32.exe
11    3116  rundll32.exe
Modifies extensions of user files (18 IoCs)
Ransomware generally changes the extension on encrypted files.
description                   ioc  Process
File opened for modification  C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\DismountLimit.raw => C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\ResumeRename.crw => C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\ResumeWatch.tiff => C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\SubmitSwitch.png => C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\UnlockBlock.tiff  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\CheckpointGroup.crw => C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\InitializeUninstall.crw => C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\SuspendConvertTo.png => C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\ResumeWatch.tiff  rundll32.exe
File renamed                  C:\Users\Admin\Pictures\UnlockBlock.tiff => C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X  rundll32.exe
File opened for modification  C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X  rundll32.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\Z:  rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid   Process
3116  rundll32.exe
Modifies Control Panel (1 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International  rundll32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
3116  rundll32.exe
3116  rundll32.exe
3116  rundll32.exe
3116  rundll32.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description                          pid   Process
Token: SeBackupPrivilege             3116  rundll32.exe
Token: SeDebugPrivilege              3116  rundll32.exe
Token: 36                            3116  rundll32.exe
Token: SeImpersonatePrivilege        3116  rundll32.exe
Token: SeIncBasePriorityPrivilege    3116  rundll32.exe
Token: SeIncreaseQuotaPrivilege      3116  rundll32.exe
Token: 33                            3116  rundll32.exe
Token: SeManageVolumePrivilege       3116  rundll32.exe
Token: SeProfSingleProcessPrivilege  3116  rundll32.exe
Token: SeRestorePrivilege            3116  rundll32.exe
Token: SeSecurityPrivilege           3116  rundll32.exe
Token: SeSystemProfilePrivilege      3116  rundll32.exe
Token: SeTakeOwnershipPrivilege      3116  rundll32.exe
Token: SeShutdownPrivilege           3116  rundll32.exe
Token: SeBackupPrivilege             4108  vssvc.exe
Token: SeRestorePrivilege            4108  vssvc.exe
Token: SeAuditPrivilege              4108  vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 4076 wrote to memory of 3116  4076  rundll32.exe  70
PID 4076 wrote to memory of 3116  4076  rundll32.exe  70
PID 4076 wrote to memory of 3116  4076  rundll32.exe  70
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4076
    C:\Windows\SysWOW64\rundll32.exe (child of PID 4076)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
      - Blocklisted process makes network request
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3116
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4108