General

  • Target

    eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1

  • Size

    36KB

  • Sample

    211103-q9rxdadhg5

  • MD5

    7c02bc2ee956639ffdfa4eac62305708

  • SHA1

    9e745e222ba198dd9fc29264ffeff189d13e9b51

  • SHA256

    eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1

  • SHA512

    47a49b46aa6e514b97e863968d6b921a1ee0a65eb27812506e30e0ba7e5e32e64b6a62662e7cec32c4febfce9371a56b64e0ed272dc54176427f7b0f9ab8d821

Malware Config

Extracted

  • Path

    C:\6amPnJyPq.README.txt

  • Family

    blackmatter

  • Ransom Note

    (ASCII-art banner: BLACK MATTER)

    >>> What happens?
    Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

    >>> What data was stolen?
    Sensitive data was stolen from your network. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.

    >>> What guarantees?
    We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future; this does not comply with our goals. We always keep our promises.

    >> How to contact us?
    1. Download and install TOR Browser (https://www.torproject.org/).
    2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/D4MX4VGFCMO7MFQ6P

    >> Warning! Recovery recommendations.
    We strongly recommend that you do not MODIFY or REPAIR your files; that will damage them.

  • URLs

    http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/D4MX4VGFCMO7MFQ6P

Targets

    Score
    10/10
    • BlackMatter Ransomware

      The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count  ID
  Defense Evasion   Modify Registry                1      T1112
  Discovery         Query Registry                 1      T1012
  Discovery         Peripheral Device Discovery    1      T1120
  Discovery         System Information Discovery   2      T1082
  Impact            Defacement                     1      T1491

Tasks