Malware Analysis Report

2024-10-24 18:40

Sample ID 211005-pr879shgb7
Target c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
SHA256 c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
Tags
bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe

Threat Level: Known bad

The file c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe was found to be: Known bad.

Malicious Activity Summary

bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter ransomware

BlackMatter Ransomware

Blackmatter family

Blocklisted process makes network request

Modifies extensions of user files

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-05 12:34

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-05 12:34

Reported

2021-10-05 12:38

Platform

win7v20210408

Max time kernel

119s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1644 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1632-60-0x0000000000000000-mapping.dmp

memory/1632-61-0x0000000075041000-0x0000000075043000-memory.dmp

memory/1632-62-0x0000000000565000-0x0000000000576000-memory.dmp

memory/1632-63-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1632-64-0x0000000000576000-0x0000000000577000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-05 12:34

Reported

2021-10-05 12:37

Platform

win10-en-20210920

Max time kernel

144s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

Signatures

BlackMatter Ransomware

ransomware blackmatter

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\DismountLimit.raw => C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeRename.crw => C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeWatch.tiff => C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitSwitch.png => C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockBlock.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointGroup.crw => C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\InitializeUninstall.crw => C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendConvertTo.png => C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeWatch.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockBlock.tiff => C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 ww38.paymenthacks.com udp
US 76.223.26.96:80 ww38.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp

Files

memory/3116-115-0x0000000000000000-mapping.dmp

memory/3116-116-0x00000000040A3000-0x00000000040A5000-memory.dmp

memory/3116-117-0x00000000040A0000-0x00000000040A1000-memory.dmp