blackmatter | b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

General

Target

01.exe
Size

78KB
MD5

5e2a1323dbf28eac8b3f4df9cb4f2d45
SHA1

af77a09387df4ec967a8314ba0f93da0ef8e57ee
SHA256

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7
SHA512

c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 32 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

01.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LimitImport.tif => C:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\RegisterLock.tiff => C:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\StepRequest.tiff => C:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\SelectReset.tiff	01.exe
File opened for modification	C:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\SplitWrite.raw => C:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\ApproveEnter.png => C:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterLock.tiff	01.exe
File renamed	C:\Users\Admin\Pictures\GroupBackup.raw => C:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\InstallTest.raw => C:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\ResolveTrace.crw => C:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\SelectReset.tiff => C:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\SplitStop.png => C:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\StepRequest.tiff	01.exe
File opened for modification	C:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\SubmitInstall.crw => C:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\WriteExit.raw => C:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\CloseUnpublish.tif => C:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME	01.exe
File renamed	C:\Users\Admin\Pictures\ClearEnable.tiff => C:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME	01.exe
File opened for modification	C:\Users\Admin\Pictures\ClearEnable.tiff	01.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

01.exe

description ioc process

File opened (read-only) \??\Z: 01.exe

description	ioc	process
File opened (read-only)	\??\Z:	01.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

01.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp"	01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp"	01.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

01.exe

pid process

3380 01.exe
3380 01.exe
3380 01.exe
3380 01.exe
3380 01.exe
3380 01.exe

pid	process
3380	01.exe
3380	01.exe
3380	01.exe
3380	01.exe
3380	01.exe
3380	01.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

01.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10"	01.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International	01.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop	01.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1776 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

01.exe

pid process

3380 01.exe
3380 01.exe
3380 01.exe
3380 01.exe

pid	process
1776	NOTEPAD.EXE

pid	process
3380	01.exe
3380	01.exe
3380	01.exe
3380	01.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

01.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	3380	01.exe
Token: SeDebugPrivilege	3380	01.exe
Token: 36	3380	01.exe
Token: SeImpersonatePrivilege	3380	01.exe
Token: SeIncBasePriorityPrivilege	3380	01.exe
Token: SeIncreaseQuotaPrivilege	3380	01.exe
Token: 33	3380	01.exe
Token: SeManageVolumePrivilege	3380	01.exe
Token: SeProfSingleProcessPrivilege	3380	01.exe
Token: SeRestorePrivilege	3380	01.exe
Token: SeSecurityPrivilege	3380	01.exe
Token: SeSystemProfilePrivilege	3380	01.exe
Token: SeTakeOwnershipPrivilege	3380	01.exe
Token: SeShutdownPrivilege	3380	01.exe
Token: SeBackupPrivilege	1936	vssvc.exe
Token: SeRestorePrivilege	1936	vssvc.exe
Token: SeAuditPrivilege	1936	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\01.exe
"C:\Users\Admin\AppData\Local\Temp\01.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WRLMMTHME.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\WRLMMTHME.README.txt
MD5
2a2ac841d6b7515f4b1021b92cc5f072

SHA1
e48a7a2be20b978f71a92f12ada328bcfd0b89c6

SHA256
9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e

SHA512
a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

Download Submit
memory/3380-115-0x0000000002553000-0x0000000002555000-memory.dmp

Filesize
8KB

Download
memory/3380-116-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads