Analysis

  • max time kernel
    113s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-10-2021 20:07

General

  • Target

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe

  • Size

    80KB

  • MD5

    5fe6daa399b18058f9b7e58fe31b4131

  • SHA1

    1ed39024b03b3490049b4d6f2577ca36e18b405a

  • SHA256

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4

  • SHA512

    31baf91130c7e932068e12fec6dfde7ad283487b9f01b92e64835cf91aba1c4f51602066994a8200b73d219e6ea82929cde1f11ca82fb2a48af90418e57e324c

Malware Config

Extracted

Path

C:\1rWCqamCt.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. From your network was stolen more than 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
    "C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1304
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1764
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\1rWCqamCt.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1140

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1140-64-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

    Filesize

    8KB

  • memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

    Filesize

    8KB

  • memory/1304-61-0x0000000000135000-0x0000000000146000-memory.dmp

    Filesize

    68KB

  • memory/1304-62-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

  • memory/1304-63-0x0000000000146000-0x0000000000147000-memory.dmp

    Filesize

    4KB