Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows11_x64 -
resource
win11 -
submitted
28-10-2021 08:45
Static task
static1
Behavioral task
behavioral1
Sample
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe
Resource
win11
General
-
Target
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe
-
Size
72KB
-
MD5
1dd464cbb3fbd6881eef3f05b8b1fbd5
-
SHA1
cafd8d20f2abaebbbfc367b4b4512107362f3758
-
SHA256
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
-
SHA512
1564fffe28c2b7c2b18c35d68e3e254106620b2c3b7b5f41b95cfbb3a2cf0d9c42616d670b4060d09129ff18f0148c03e00bbd205f9d10697b265109a43d053c
Malware Config
Extracted
C:\f5yX7OyXn.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f5yX7OyXn.bmp" b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f5yX7OyXn.bmp" b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\WallpaperStyle = "10" b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeDebugPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: 36 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeImpersonatePrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeIncBasePriorityPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeIncreaseQuotaPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: 33 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeManageVolumePrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeProfSingleProcessPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeRestorePrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeSecurityPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeSystemProfilePrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeTakeOwnershipPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeShutdownPrivilege 4072 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe Token: SeBackupPrivilege 1628 vssvc.exe Token: SeRestorePrivilege 1628 vssvc.exe Token: SeAuditPrivilege 1628 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe"C:\Users\Admin\AppData\Local\Temp\b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628