9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58

General

Target: 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58
Size: 95KB
Sample: 211027-q5a33aehd3
Score: 10/10
MD5: 757139e76fae876ae50dd2c3ac11d5d8
SHA1: 1c150493014d29c1f8a51e397e527f7d7c1476c7
SHA256: 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58
SHA512: 852febe5dc991fa6dc5ff994b2de18548e98a2f53de903a480ed871d9d25413159b167a3c0ff39175bbf7c339604bb1eccc2f9425415ab16089bc56e3e998974

Malware Config

Extracted

Path: C:\6amPnJyPq.README.txt
Family: blackmatter
Ransom Note:

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What data stolen?
From your network was stolen large amount of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/U6H6RKDF6W3B8XOWL
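The indicators in the General and Malware Config sections (the three file hashes, the ransom-note path C:\6amPnJyPq.README.txt and the .onion contact URL) are what a responder would actually hunt for on other hosts. The script below is an added example, written for this page and not code from the sandbox vendor or from the BlackMatter operators: it turns those indicators into an offline scan over a directory tree, hashing every file against the report's digests and flagging ransom notes by filename pattern plus content. Assumptions labelled in the code: the note filename is an alphanumeric token of 6 to 12 characters followed by ".README.txt" (the report shows one 9-character instance), the onion address is a 56-character v3 address as in the report, and the files scanned in demo_scan() are constructed stand-ins written to a temporary directory, not the real sample.

```python
"""Offline hunt for the BlackMatter indicators in this report (added example).

Not the sandbox's or the malware's code. Uses only the hashes, note path and
URL the report extracted; all files it scans in demo_scan() are constructed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the report's General / Malware Config sections.
REPORT_HASHES = {
    "md5": "757139e76fae876ae50dd2c3ac11d5d8",
    "sha1": "1c150493014d29c1f8a51e397e527f7d7c1476c7",
    "sha256": "9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58",
}
REPORT_ONION = ("http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd"
                ".onion/U6H6RKDF6W3B8XOWL")

# Assumption: the note is "<6-12 alphanumerics>.README.txt"; the report shows
# a single 9-character token (6amPnJyPq), so the length bounds are a guess.
NOTE_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,12}\.README\.txt$")
# v3 onion address: 56 base32 characters, optional alphanumeric path as in the report.
ONION_RE = re.compile(r"https?://[a-z2-7]{56}\.onion(?:/[A-Za-z0-9]+)?")

# Constructed ransom-note text for the demo; only the banner words and the
# URL are taken from the report, the rest is filler.
CONSTRUCTED_NOTE = (
    "~+ BLACK | Matter +\n"
    ">>> What happens?\nYour network is encrypted.\n"
    ">> How to contact with us?\n2. Open " + REPORT_ONION + "\n"
)


def file_hashes(path):
    """Return md5/sha1/sha256 hex digests of a file, streaming in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_matches(digests, iocs=REPORT_HASHES):
    """True if the file's digest equals the report's value for any algorithm present in iocs."""
    return any(digests.get(algo) == value for algo, value in iocs.items())


def note_name_matches(filename):
    """Filename-only check against the note naming pattern above."""
    return bool(NOTE_NAME_RE.match(filename))


def extract_onion_urls(text):
    """All distinct v3 onion URLs found in a note body, sorted for stable comparison."""
    return sorted(set(ONION_RE.findall(text)))


def is_blackmatter_note(text):
    """Content check: the BLACK ... Matter banner plus at least one onion contact URL."""
    return "BLACK" in text and "Matter" in text and bool(extract_onion_urls(text))


def scan_tree(root, iocs=REPORT_HASHES):
    """Walk root. Returns {'hash_hits': [paths], 'notes': {path: [onion urls]}}."""
    hits = {"hash_hits": [], "notes": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if hash_matches(file_hashes(path), iocs):
                    hits["hash_hits"].append(str(path))
                if note_name_matches(name):
                    text = path.read_text(errors="replace")
                    if is_blackmatter_note(text):
                        hits["notes"][str(path)] = extract_onion_urls(text)
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
    return hits


def demo_scan():
    """Build a constructed tree (stand-in binary, note, decoy) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in for the sample: its own sha256 is fed in as the IOC so the
        # hash path is exercised without the real binary on disk.
        stand_in = root / "sample.bin"
        stand_in.write_bytes(b"constructed stand-in, not the real BlackMatter binary\n")
        iocs = {"sha256": hashlib.sha256(stand_in.read_bytes()).hexdigest()}
        (root / "6amPnJyPq.README.txt").write_text(CONSTRUCTED_NOTE)  # report's note name
        (root / "README.txt").write_text("decoy, must not match")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    print(demo_scan())
```

In production the iocs argument would be REPORT_HASHES itself and root the mounted evidence volume; the filename regex is deliberately strict so that ordinary README.txt files are never opened, and the content check requires the onion URL so a stray file that merely contains the word BLACK is not reported.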

Targets

Target: 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58 (same file as in General: MD5 757139e76fae876ae50dd2c3ac11d5d8, 95KB, score 10/10)

Signatures

  • BlackMatter Ransomware
    Description: the BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Modifies extensions of user files
    Description: ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives
    Description: attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Sets desktop wallpaper using registry
    TTPs: Defacement; Modify Registry

  • Suspicious use of NtSetInformationThread (ThreadHideFromDebugger)

Related Tasks

MITRE ATT&CK Matrix

Tactic columns (matrix cells not recoverable from this page): Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10