General
Target

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

Filesize

78KB

Completed

24-10-2021 15:24

Task

behavioral1

Score
10/10
MD5

5e2a1323dbf28eac8b3f4df9cb4f2d45

SHA1

af77a09387df4ec967a8314ba0f93da0ef8e57ee

SHA256

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

SHA256

c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94

Malware Config

Extracted

Path

\??\Z:\f5yX7OyXn.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Signatures 14

Filter: none

Defense Evasion
Discovery
Impact
Persistence
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Sets service image path in registry

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Enumerates connected drives
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\Z:b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Sets desktop wallpaper using registry
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f5yX7OyXn.bmp"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f5yX7OyXn.bmp"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Reported IOCs

    pidprocess
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Drops file in Windows directory
    svchost.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\DataStore.jfmsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\ReportingEvents.logsvchost.exe
    File opened for modificationC:\Windows\WindowsUpdate.logsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\Logs\edb.chksvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\Logs\edb.logsvchost.exe
    File opened for modificationC:\Windows\SoftwareDistribution\DataStore\DataStore.edbsvchost.exe
  • Checks processor information in registry
    svchost.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHzsvchost.exe
    Key opened\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0svchost.exe
  • Modifies Control Panel
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Internationalb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Key created\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktopb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallpaperStyle = "10"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Modifies data under HKEY_USERS
    svchost.exeWaaSMedicAgent.exeWaaSMedicAgent.exe

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRootsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trustWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software PublishingWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Rootsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trustWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\DisallowedWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowedsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowedsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\DisallowedWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trustsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trustsvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CAWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLssvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeopleWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\DisallowedWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeopleWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRootWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CertificatesWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLsWaaSMedicAgent.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificatessvchost.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificatessvchost.exe
  • Suspicious behavior: EnumeratesProcesses
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Reported IOCs

    pidprocess
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Suspicious use of AdjustPrivilegeToken
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exevssvc.exesvchost.exesvchost.exeWaaSMedicAgent.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeDebugPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: 361052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeImpersonatePrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeIncBasePriorityPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeIncreaseQuotaPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: 331052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeManageVolumePrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeProfSingleProcessPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeRestorePrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeSecurityPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeSystemProfilePrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeTakeOwnershipPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeShutdownPrivilege1052b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeBackupPrivilege1608vssvc.exe
    Token: SeRestorePrivilege1608vssvc.exe
    Token: SeAuditPrivilege1608vssvc.exe
    Token: SeShutdownPrivilege2492svchost.exe
    Token: SeCreatePagefilePrivilege2492svchost.exe
    Token: SeShutdownPrivilege2492svchost.exe
    Token: SeCreatePagefilePrivilege2492svchost.exe
    Token: SeShutdownPrivilege2492svchost.exe
    Token: SeCreatePagefilePrivilege2492svchost.exe
    Token: SeShutdownPrivilege1496svchost.exe
    Token: SeCreatePagefilePrivilege1496svchost.exe
    Token: SeTakeOwnershipPrivilege4528WaaSMedicAgent.exe
    Token: SeSecurityPrivilege4528WaaSMedicAgent.exe
    Token: SeRestorePrivilege4528WaaSMedicAgent.exe
    Token: SeBackupPrivilege4528WaaSMedicAgent.exe
    Token: SeShutdownPrivilege2492svchost.exe
    Token: SeCreatePagefilePrivilege2492svchost.exe
  • Suspicious use of WriteProcessMemory
    svchost.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1496 wrote to memory of 18801496svchost.exeMoUsoCoreWorker.exe
    PID 1496 wrote to memory of 18801496svchost.exeMoUsoCoreWorker.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    "C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe"
    Enumerates connected drives
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1052
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe b34634922f00db267e803f4858beb050 GEwTR/2hiEy0A5uai15Dxg.0.1.0.3.0
    Modifies data under HKEY_USERS
    Suspicious use of AdjustPrivilegeToken
    PID:4528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    Suspicious use of AdjustPrivilegeToken
    PID:2492
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    Checks processor information in registry
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      PID:1880
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe b34634922f00db267e803f4858beb050 GEwTR/2hiEy0A5uai15Dxg.0.1.0.3.0
    Modifies data under HKEY_USERS
    PID:1476
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads
                  • memory/1052-146-0x0000000003123000-0x0000000003125000-memory.dmp

                  • memory/1052-147-0x0000000003120000-0x0000000003121000-memory.dmp

                  • memory/1880-151-0x0000000000000000-mapping.dmp

                  • memory/2492-148-0x000001479BD20000-0x000001479BD30000-memory.dmp

                  • memory/2492-149-0x000001479BDA0000-0x000001479BDB0000-memory.dmp

                  • memory/2492-150-0x000001479E490000-0x000001479E494000-memory.dmp