Analysis Overview
SHA256
c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe
Threat Level: Known bad
The file c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe was found to be: Known bad.
Malicious Activity Summary
BlackMatter Ransomware
Blackmatter family
Blocklisted process makes network request
Modifies extensions of user files
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-05 12:34
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-05 12:34
Reported
2021-10-05 12:38
Platform
win7v20210408
Max time kernel
119s
Max time network
48s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1644 wrote to memory of 1632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1632-60-0x0000000000000000-mapping.dmp
memory/1632-61-0x0000000075041000-0x0000000075043000-memory.dmp
memory/1632-62-0x0000000000565000-0x0000000000576000-memory.dmp
memory/1632-63-0x0000000000560000-0x0000000000561000-memory.dmp
memory/1632-64-0x0000000000576000-0x0000000000577000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-05 12:34
Reported
2021-10-05 12:37
Platform
win10-en-20210920
Max time kernel
144s
Max time network
147s
Command Line
Signatures
BlackMatter Ransomware
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DismountLimit.raw => C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeRename.crw => C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeWatch.tiff => C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeWatch.tiff.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitSwitch.png => C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SubmitSwitch.png.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnlockBlock.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointGroup.crw => C:\Users\Admin\Pictures\CheckpointGroup.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InitializeUninstall.crw => C:\Users\Admin\Pictures\InitializeUninstall.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendConvertTo.png => C:\Users\Admin\Pictures\SuspendConvertTo.png.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DismountLimit.raw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeRename.crw.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeWatch.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockBlock.tiff => C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnlockBlock.tiff.AVx2lZV2X | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4076 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4076 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4076 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe.dll,#1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 103.224.212.222:443 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | ww38.paymenthacks.com | udp |
| US | 76.223.26.96:80 | ww38.paymenthacks.com | tcp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
Files
memory/3116-115-0x0000000000000000-mapping.dmp
memory/3116-116-0x00000000040A3000-0x00000000040A5000-memory.dmp
memory/3116-117-0x00000000040A0000-0x00000000040A1000-memory.dmp