Analysis Overview
SHA256
f32604fba766c946b429cf7e152273794ebba9935999986b7e137ca46cd165fc
Threat Level: Known bad
The file 603f72809a4fccd98a5b822064bacc67.blackmatter.exe was found to be: Known bad.
Malicious Activity Summary
BlackMatter Ransomware
Modifies extensions of user files
Enumerates connected drives
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-20 18:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-20 18:46
Reported
2021-10-20 18:57
Platform
win7-en-20210920
Max time kernel
361s
Max time network
368s
Command Line
Signatures
BlackMatter Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatSplit.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SwitchConvert.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\UnpublishReset.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishReset.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | "C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 103.224.212.222:443 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 104.110.191.201:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | ww25.paymenthacks.com | udp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 103.224.212.222:443 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
Files
memory/1364-53-0x0000000075651000-0x0000000075653000-memory.dmp
memory/1364-55-0x0000000001BA0000-0x0000000001BA1000-memory.dmp
memory/1364-54-0x0000000001BA5000-0x0000000001BB6000-memory.dmp
memory/1364-56-0x0000000001BB6000-0x0000000001BB7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-20 18:46
Reported
2021-10-20 18:57
Platform
win10-en-20211014
Max time kernel
123s
Max time network
362s
Command Line
Signatures
BlackMatter Ransomware
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\DenyCompare.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallConvert.tif => C:\Users\Admin\Pictures\UninstallConvert.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UninstallConvert.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupExit.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConnectBlock.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromSet.tiff | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GrantResume.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SwitchConvertTo.tiff | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectBlock.crw => C:\Users\Admin\Pictures\ConnectBlock.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectProtect.crw => C:\Users\Admin\Pictures\ConnectProtect.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishImport.raw => C:\Users\Admin\Pictures\PublishImport.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PublishImport.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipGroup.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SwitchConvertTo.tiff => C:\Users\Admin\Pictures\SwitchConvertTo.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupExit.raw => C:\Users\Admin\Pictures\BackupExit.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantResume.crw => C:\Users\Admin\Pictures\GrantResume.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromSet.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyCompare.crw => C:\Users\Admin\Pictures\DenyCompare.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingDeny.png => C:\Users\Admin\Pictures\PingDeny.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PingDeny.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipGroup.tif => C:\Users\Admin\Pictures\SkipGroup.tif.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SwitchConvertTo.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConnectProtect.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromSet.tiff => C:\Users\Admin\Pictures\ConvertFromSet.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |
Suspicious use of AdjustPrivilegeToken
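The two detonations above show the same pattern with different tokens: every user file is renamed to its original name plus one random nine-character extension (chkvc3MvG on win7, WRLMMTHME on win10), and the wallpaper written to Control Panel\Desktop\Wallpaper is C:\ProgramData\<same token>.bmp. The following script is an added example, not part of the Triage report or of the sample: it parses rows in the layout of the signature tables above (the sample rows are constructed, with paths, SID and extension copied from the behavioral1 detonation plus one benign Word rename as a control), derives the appended extension, and raises the verdict to "ransomware" only when the wallpaper file name matches that extension. The `min_renames` threshold and the verdict labels are this example's own choice.

```python
"""Turn sandbox file-rename and registry rows into a ransomware verdict."""
import re
from collections import Counter

# Constructed sample rows in the layout of the report's signature tables.
# The ransomware rows mirror the behavioral1 detonation; the WINWORD row is
# an added benign control (a rename that does not append an extension).
SAMPLE_EVENTS = [
    r"| File renamed | C:\Users\Admin\Pictures\FormatProtect.tif => C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |",
    r"| File opened for modification | C:\Users\Admin\Pictures\FormatProtect.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\FormatSplit.crw => C:\Users\Admin\Pictures\FormatSplit.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\SwitchConvert.raw => C:\Users\Admin\Pictures\SwitchConvert.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Pictures\UnpublishReset.raw => C:\Users\Admin\Pictures\UnpublishReset.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |",
    r"| File renamed | C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | N/A |',
]

# Columns of a table row: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
# Indicator of a rename row: "<old path> => <new path>"
RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")
# Wallpaper value; "WallpaperStyle" does not match because of the " = " right after the name.
WALLPAPER_RE = re.compile(r'Control Panel\\Desktop\\Wall[Pp]aper = "(?P<path>[^"]+)"')


def appended_extension(src, dst):
    """Return EXT if dst is exactly src + '.' + EXT (one new trailing extension), else None."""
    if dst.startswith(src + ".") and len(dst) > len(src) + 1:
        ext = dst[len(src) + 1:]
        if "." not in ext and "\\" not in ext:
            return ext
    return None


def assess(lines, min_renames=3):
    """Correlate appended-extension renames with the wallpaper file name.

    Thresholds and labels are this example's own choice, not the sandbox's.
    """
    ext_counts = Counter()
    wallpaper = None
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue
        desc, indicator = m.group("desc"), m.group("indicator")
        if desc == "File renamed":
            r = RENAME_RE.match(indicator)
            ext = appended_extension(r.group("src"), r.group("dst")) if r else None
            if ext:
                ext_counts[ext] += 1
        elif desc == "Set value (str)":
            w = WALLPAPER_RE.search(indicator)
            if w:
                # The report prints the value with doubled backslashes; undo that.
                wallpaper = w.group("path").replace("\\\\", "\\")

    result = {"extension": None, "rename_count": 0, "wallpaper": wallpaper,
              "wallpaper_matches": False, "verdict": "clean"}
    if ext_counts:
        ext, count = ext_counts.most_common(1)[0]
        # C:\ProgramData\chkvc3MvG.bmp -> chkvc3MvG
        stem = wallpaper.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if wallpaper else None
        result.update(extension=ext, rename_count=count, wallpaper_matches=(stem == ext))
        if count >= min_renames:
            # Mass rename alone is suspicious; the wallpaper named after the
            # same token is the BlackMatter-style tell seen in both detonations.
            result["verdict"] = "ransomware" if stem == ext else "suspicious"
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run against the behavioral2 rows the same code yields WRLMMTHME with the matching C:\ProgramData\WRLMMTHME.bmp; feeding only the rename rows, without the registry row, drops the verdict to "suspicious", which is the right level of confidence for a rename burst with no second corroborating artifact.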
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe | "C:\Users\Admin\AppData\Local\Temp\603f72809a4fccd98a5b822064bacc67.blackmatter.exe" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 103.224.212.222:443 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | ww25.paymenthacks.com | udp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 103.224.212.222:443 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
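The Network tables of both detonations repeat the same handful of rows, and not every row is an indicator: 8.8.8.8:53 is the sandbox's resolver, and time.windows.com (Windows NTP) and apps.identrust.com (IdenTrust certificate services) are background traffic of any Windows VM. What remains is the sample's contact domains (paymenthacks.com, ww25.paymenthacks.com, mojobiden.com) and the endpoints they resolved to at detonation time. The script below is an added example, not part of the report: it reduces rows in the layout of the table above to deduplicated domain and endpoint IOCs with hit counts, parks connections that have no DNS name (such as 52.109.12.20:443) for analyst review instead of blocking them blindly, and then matches constructed DNS-query log lines against the domains on label boundaries, so a subdomain hits but a look-alike such as notpaymenthacks.com does not. The benign-domain list, the log line format (timestamp,host,query) and the sample rows are this example's assumptions.

```python
"""Reduce a sandbox Network table to IOCs and match DNS logs against them."""
import re
from collections import Counter

# Constructed rows in the layout of the report's Network table (behavioral2 subset).
SAMPLE_ROWS = [
    "| US | 52.109.12.20:443 | | tcp |",
    "| US | 8.8.8.8:53 | time.windows.com | udp |",
    "| NL | 20.101.57.9:123 | time.windows.com | udp |",
    "| US | 8.8.8.8:53 | paymenthacks.com | udp |",
    "| US | 103.224.212.222:443 | paymenthacks.com | tcp |",
    "| US | 8.8.8.8:53 | ww25.paymenthacks.com | udp |",
    "| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |",
    "| US | 103.224.212.222:80 | paymenthacks.com | tcp |",
    "| US | 8.8.8.8:53 | mojobiden.com | udp |",
    "| US | 103.224.212.222:443 | paymenthacks.com | tcp |",
    "| US | 199.59.242.153:80 | ww25.paymenthacks.com | tcp |",
    "| US | 8.8.8.8:53 | apps.identrust.com | udp |",
]

# Constructed DNS-query log lines: timestamp,host,query (assumed format).
SAMPLE_DNS_LOG = [
    "2021-10-20T18:50:01Z,WS01,ww25.paymenthacks.com",
    "2021-10-20T18:50:02Z,WS01,time.windows.com",
    "2021-10-20T18:50:03Z,WS02,mojobiden.com",
    "2021-10-20T18:50:04Z,WS03,notpaymenthacks.com",
    "2021-10-20T18:50:05Z,WS03,PAYMENTHACKS.COM.",
]

SANDBOX_RESOLVER = {"8.8.8.8:53"}          # the VM's DNS server, not an IOC
BENIGN_DOMAINS = {"time.windows.com", "apps.identrust.com"}  # assumed allow-list

# Columns: | Country | Destination | Domain | Proto |  (Domain may be empty)
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]+?)\s*\|"
)


def parent_ioc(name, candidates):
    """Longest candidate equal to name or a parent domain of it (label boundary), else None."""
    name = name.lower().rstrip(".")
    for c in sorted(candidates, key=len, reverse=True):
        if name == c or name.endswith("." + c):
            return c
    return None


def extract_iocs(rows):
    """Return (domains, endpoints, unresolved) Counters built from table rows."""
    domains, endpoints, unresolved = Counter(), Counter(), Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        dst, domain = m.group("dst"), m.group("domain").lower()
        if domain and parent_ioc(domain, BENIGN_DOMAINS):
            continue                        # OS background traffic
        if dst in SANDBOX_RESOLVER:
            if domain:
                domains[domain] += 1        # a DNS query names the domain only
            continue
        if domain:
            domains[domain] += 1
            endpoints[dst] += 1             # ip:port the domain resolved to
        else:
            unresolved[dst] += 1            # no name: review before blocking
    return domains, endpoints, unresolved


def match_dns_queries(log_lines, ioc_domains):
    """Return (host, query, matched_ioc) for every log line whose query is an IOC or a subdomain of one."""
    hits = []
    for line in log_lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        _ts, host, query = parts
        ioc = parent_ioc(query, ioc_domains)
        if ioc:
            hits.append((host, query.lower().rstrip("."), ioc))
    return hits


if __name__ == "__main__":
    domains, endpoints, unresolved = extract_iocs(SAMPLE_ROWS)
    print("domains:", dict(domains))
    print("endpoints:", dict(endpoints))
    print("unresolved:", dict(unresolved))
    for host, query, ioc in match_dns_queries(SAMPLE_DNS_LOG, domains):
        print(f"HIT {host} queried {query} (matches {ioc})")
```

Block on the domains rather than the endpoints: 103.224.212.222 and 199.59.242.153 are whatever the names resolved to on 2021-10-20 and can change or be shared with unrelated sites, while the domain names are what the sample itself carries.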
Files
memory/1324-115-0x00000000021F3000-0x00000000021F5000-memory.dmp
memory/1324-116-0x00000000021F0000-0x00000000021F1000-memory.dmp