Malware Analysis Report

2024-10-24 18:40

Sample ID 211020-xe5y3shec4
Target 603f72809a4fccd98a5b822064bacc67.blackmatter.exe
SHA256 f32604fba766c946b429cf7e152273794ebba9935999986b7e137ca46cd165fc
Tags
blackmatter ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f32604fba766c946b429cf7e152273794ebba9935999986b7e137ca46cd165fc

Threat Level: Known bad

The file 603f72809a4fccd98a5b822064bacc67.blackmatter.exe was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware

BlackMatter Ransomware

Modifies extensions of user files

Enumerates connected drives

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-20 18:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-20 18:46

Reported

2021-10-20 18:57

Platform

win7-en-20210920

Max time kernel

361s

Max time network

368s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatSplit.crw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\SwitchConvert.raw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\UnpublishReset.raw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnpublishReset.raw.chkvc3MvG C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe

"C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.201:80 apps.identrust.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp

Files

memory/1364-53-0x0000000075651000-0x0000000075653000-memory.dmp

memory/1364-55-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

memory/1364-54-0x0000000001BA5000-0x0000000001BB6000-memory.dmp

memory/1364-56-0x0000000001BB6000-0x0000000001BB7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-20 18:46

Reported

2021-10-20 18:57

Platform

win10-en-20211014

Max time kernel

123s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\DenyCompare.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallConvert.tif => C:\Users\Admin\Pictures\UninstallConvert.tif.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\UninstallConvert.tif.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupExit.raw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConnectBlock.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromSet.tiff C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantResume.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\SwitchConvertTo.tiff C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\ConnectBlock.crw => C:\Users\Admin\Pictures\ConnectBlock.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\ConnectProtect.crw => C:\Users\Admin\Pictures\ConnectProtect.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\PublishImport.raw => C:\Users\Admin\Pictures\PublishImport.raw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\PublishImport.raw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipGroup.tif.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\SwitchConvertTo.tiff => C:\Users\Admin\Pictures\SwitchConvertTo.tiff.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\BackupExit.raw => C:\Users\Admin\Pictures\BackupExit.raw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\GrantResume.crw => C:\Users\Admin\Pictures\GrantResume.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromSet.tiff.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\DenyCompare.crw => C:\Users\Admin\Pictures\DenyCompare.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\PingDeny.png => C:\Users\Admin\Pictures\PingDeny.png.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\PingDeny.png.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\SkipGroup.tif => C:\Users\Admin\Pictures\SkipGroup.tif.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\SwitchConvertTo.tiff.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConnectProtect.crw.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromSet.tiff => C:\Users\Admin\Pictures\ConvertFromSet.tiff.WRLMMTHME C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe

"C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 52.109.12.20:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 paymenthacks.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.242.153:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp

Files

memory/1324-115-0x00000000021F3000-0x00000000021F5000-memory.dmp

memory/1324-116-0x00000000021F0000-0x00000000021F1000-memory.dmp