General
Target

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

Filesize

78KB

Completed

24-10-2021 15:24

Task

behavioral2

Score
10/10
MD5

5e2a1323dbf28eac8b3f4df9cb4f2d45

SHA1

af77a09387df4ec967a8314ba0f93da0ef8e57ee

SHA256

b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7

SHA256

c2ba4f7458298129a8d2f1ac50640601d59086048ecc8d3d88985c31edf4014e4f4838308192ab39fb21d71a9b362a38a93edff58b570ec6f5ccfb940d871b94

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Signatures 10

Filter: none

Defense Evasion
Discovery
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\DisablePop.tiff.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File renamedC:\Users\Admin\Pictures\SetRename.png => C:\Users\Admin\Pictures\SetRename.png.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File renamedC:\Users\Admin\Pictures\UnlockUnregister.png => C:\Users\Admin\Pictures\UnlockUnregister.png.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File opened for modificationC:\Users\Admin\Pictures\UnlockUnregister.png.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File opened for modificationC:\Users\Admin\Pictures\WriteRevoke.crw.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File opened for modificationC:\Users\Admin\Pictures\DisablePop.tiffb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File renamedC:\Users\Admin\Pictures\DisablePop.tiff => C:\Users\Admin\Pictures\DisablePop.tiff.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File opened for modificationC:\Users\Admin\Pictures\SetRename.png.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    File renamedC:\Users\Admin\Pictures\WriteRevoke.crw => C:\Users\Admin\Pictures\WriteRevoke.crw.WRLMMTHMEb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Enumerates connected drives
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\Z:b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Sets desktop wallpaper using registry
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Reported IOCs

    pidprocess
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Modifies Control Panel
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Internationalb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Key created\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktopb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10"b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Suspicious behavior: EnumeratesProcesses
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe

    Reported IOCs

    pidprocess
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
  • Suspicious use of AdjustPrivilegeToken
    b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeDebugPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: 362684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeImpersonatePrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeIncBasePriorityPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeIncreaseQuotaPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: 332684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeManageVolumePrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeProfSingleProcessPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeRestorePrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeSecurityPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeSystemProfilePrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeTakeOwnershipPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeShutdownPrivilege2684b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    Token: SeBackupPrivilege3044vssvc.exe
    Token: SeRestorePrivilege3044vssvc.exe
    Token: SeAuditPrivilege3044vssvc.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe
    "C:\Users\Admin\AppData\Local\Temp\b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:2684
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:3044
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • memory/2684-115-0x0000000000E00000-0x0000000000F4A000-memory.dmp

                    • memory/2684-116-0x0000000000E00000-0x0000000000F4A000-memory.dmp