General

  • Target

    7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296

  • Size

    95KB

  • Sample

    211103-q97mtsbbbj

  • MD5

    930b9c1792a539acdb051af34de91060

  • SHA1

    2cda394db71fc67905e31d9e8f4b88ef85a248dc

  • SHA256

    7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296

  • SHA512

    9bd26a83d30f69ab7d9dfbe9c3b81c8fd2381f331ce139140646932cf09b461f177c4eb236cd2194d190c50598ac3de0023cfe38e843b08bbe2f120e790ee3f1

Score
10/10

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your computers and servers are encrypted, private data was downloaded. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> Data leak
First of all we have downloaded more then 200GB of data. Your personal leak page (TOR LINK): On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published in our blog if you do not contact us. After publication, your data can be downloaded by anyone, it stored on our tor CDN and will be available for at least 6 months.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> HOW TO CONTACT US?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9

Targets

    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks