General

  • Target

    fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2.bin.sample

  • Size

    80KB

  • Sample

    211019-q9te7sfhf7

  • MD5

    83b5eed2bc3b182170fd40ec8b8f5867

  • SHA1

    b4072bc41d10a822f0ca63094dd30eae6fa008a2

  • SHA256

    fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2

  • SHA512

    0c108e05c59831ee963122e2e77df1eb6ed8e0fd96f3b33fd1d1719447099144601cc3e28338bf6929933e80b885e3329f322f1831ed313e0859258484d48e16

Score
10/10

Malware Config

Extracted

Path

C:\chkvc3MvG.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5PRYG0PCO2OW528IDWU3VFPE >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5PRYG0PCO2OW528IDWU3VFPE

Targets

    • Target

      fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2.bin.sample

    • Size

      80KB

    • MD5

      83b5eed2bc3b182170fd40ec8b8f5867

    • SHA1

      b4072bc41d10a822f0ca63094dd30eae6fa008a2

    • SHA256

      fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2

    • SHA512

      0c108e05c59831ee963122e2e77df1eb6ed8e0fd96f3b33fd1d1719447099144601cc3e28338bf6929933e80b885e3329f322f1831ed313e0859258484d48e16

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks