General

  • Target

    6601547044782080.zip

  • Size

    44KB

  • Sample

    211013-ywad6sfagm

  • MD5

    c00dd7206db94bf3825145d5d901b3b0

  • SHA1

    6befec1a22035d1842e1d826ebce739b4f3d9e39

  • SHA256

    6e846881115448d5d4b69bf020fcd5872a0efef56e582f6ac8e3e80ea79b7a55

  • SHA512

    27806babe49896fc12667e2cadbf74ba4d312cb985a3d8c9b61225d1c121682abf7de705b28f914b507cd9a304fd58cf272cc82c6e930774404731f9f7109088

Malware Config

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. From your network was stolen more than 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN

Targets

    • Target

      730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4

    • Size

      80KB

    • MD5

      5fe6daa399b18058f9b7e58fe31b4131

    • SHA1

      1ed39024b03b3490049b4d6f2577ca36e18b405a

    • SHA256

      730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4

    • SHA512

      31baf91130c7e932068e12fec6dfde7ad283487b9f01b92e64835cf91aba1c4f51602066994a8200b73d219e6ea82929cde1f11ca82fb2a48af90418e57e324c

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks