Overview

overview

10

Static

static

10

b824bbc645...1f.exe

windows11_x64

10

Resubmissions

28-10-2021 08:45

211028-knq53afhbm 10

05-10-2021 12:34

211005-pr319aaagr 10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    28-10-2021 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe

  • Size

    72KB

  • MD5

    1dd464cbb3fbd6881eef3f05b8b1fbd5

  • SHA1

    cafd8d20f2abaebbbfc367b4b4512107362f3758

  • SHA256

    b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f

  • SHA512

    1564fffe28c2b7c2b18c35d68e3e254106620b2c3b7b5f41b95cfbb3a2cf0d9c42616d670b4060d09129ff18f0148c03e00bbd205f9d10697b265109a43d053c

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\f5yX7OyXn.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> Hello B&G International >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe
    "C:\Users\Admin\AppData\Local\Temp\b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4072
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4072-146-0x0000000002823000-0x0000000002825000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4072-147-0x0000000002820000-0x0000000002821000-memory.dmp
    Filesize

    4KB

    Download