Analysis
Max time kernel: 151s
Max time network: 119s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 03-11-2021 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
  Resource: win10-en-20211014
General
Target: eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Size: 36KB
MD5: 7c02bc2ee956639ffdfa4eac62305708
SHA1: 9e745e222ba198dd9fc29264ffeff189d13e9b51
SHA256: eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1
SHA512: 47a49b46aa6e514b97e863968d6b921a1ee0a65eb27812506e30e0ba7e5e32e64b6a62662e7cec32c4febfce9371a56b64e0ed272dc54176427f7b0f9ab8d821
Malware Config
Extracted
  Path: C:\6amPnJyPq.README.txt
  Family: blackmatter
  URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/D4MX4VGFCMO7MFQ6P
Signatures
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of Darkside and REvil.
Modifies extensions of user files (20 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\RenameMerge.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\WriteDisconnect.png => C:\Users\Admin\Pictures\WriteDisconnect.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\InitializeAssert.png => C:\Users\Admin\Pictures\InitializeAssert.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\RenameMerge.crw => C:\Users\Admin\Pictures\RenameMerge.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\ShowSearch.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\TraceFind.raw => C:\Users\Admin\Pictures\TraceFind.raw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\CheckpointUnpublish.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\DismountSkip.raw => C:\Users\Admin\Pictures\DismountSkip.raw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\ImportExit.crw => C:\Users\Admin\Pictures\ImportExit.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\InstallRegister.tif.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\CheckpointUnpublish.png => C:\Users\Admin\Pictures\CheckpointUnpublish.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\FindMove.tif => C:\Users\Admin\Pictures\FindMove.tif.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\ImportExit.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File renamed | C:\Users\Admin\Pictures\ShowSearch.crw => C:\Users\Admin\Pictures\ShowSearch.crw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\TraceFind.raw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\WriteDisconnect.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\DismountSkip.raw.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\FindMove.tif.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
File opened for modification | C:\Users\Admin\Pictures\InitializeAssert.png.6amPnJyPq | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp" | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp" | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10" | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | splwow64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | splwow64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | splwow64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings | splwow64.exe
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | splwow64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | splwow64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | splwow64.exe
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
592 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1164 | splwow64.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeDebugPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: 36 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeImpersonatePrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeIncBasePriorityPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeIncreaseQuotaPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: 33 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeManageVolumePrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeProfSingleProcessPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeRestorePrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeSecurityPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeSystemProfilePrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeTakeOwnershipPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeShutdownPrivilege | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
Token: SeBackupPrivilege | 1092 | vssvc.exe
Token: SeRestorePrivilege | 1092 | vssvc.exe
Token: SeAuditPrivilege | 1092 | vssvc.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1164 | splwow64.exe
1164 | splwow64.exe
1164 | splwow64.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1728 wrote to memory of 592 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe | 35
PID 1728 wrote to memory of 592 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe | 35
PID 1728 wrote to memory of 592 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe | 35
PID 1728 wrote to memory of 592 | 1728 | eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe | 35
PID 592 wrote to memory of 1164 | 592 | NOTEPAD.EXE | 36
PID 592 wrote to memory of 1164 | 592 | NOTEPAD.EXE | 36
PID 592 wrote to memory of 1164 | 592 | NOTEPAD.EXE | 36
PID 592 wrote to memory of 1164 | 592 | NOTEPAD.EXE | 36
Processes
C:\Users\Admin\AppData\Local\Temp\eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1728
    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
      - Opens file in notepad (likely ransom note)
      - Suspicious use of WriteProcessMemory
      PID: 592
        C:\Windows\splwow64.exe
          Command line: C:\Windows\splwow64.exe 12288
          - Modifies registry class
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          PID: 1164
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1092