8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

General
Target

8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

Size

80KB

Sample

211103-q9xgvsbbaq

Score
10/10
MD5

bd888dddb2e341518b1cd9efff2f80cd

SHA1

8e06e25de1c77dae2447adb7dbe10c80153e902c

SHA256

8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

SHA512

0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c

Malware Config

Extracted

Path C:\6amPnJyPq.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What data stolen?
From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX
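The hashes in the General section and the extracted note path and .onion URL above are the indicators a responder would actually sweep a host for. The script below is an added example, not part of the sandbox report and not BlackMatter's own code: it walks a directory tree, flags any file whose MD5/SHA-1/SHA-256/SHA-512 matches the sample, and flags files that look like the dropped ransom note, pulling the .onion contact URL (including the per-victim path token) out of each one. Two things are assumptions rather than facts stated on the page: the `<random>.README.txt` note-name pattern is generalised from the single extracted path `C:\6amPnJyPq.README.txt`, and the sample tree built by `demo()` is constructed for the example.

```python
"""IOC sweep built from the BlackMatter sandbox report above.

Added example; not the report's or the malware's code. Hashes are copied
from the report. The note-name regex is an assumption generalised from the
one extracted path (C:\\6amPnJyPq.README.txt).
"""
import hashlib
import os
import re
import tempfile

# Copied from the report's General section.
SAMPLE_HASHES = {
    "md5": "bd888dddb2e341518b1cd9efff2f80cd",
    "sha1": "8e06e25de1c77dae2447adb7dbe10c80153e902c",
    "sha256": "8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952",
    "sha512": "0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552"
              "c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c",
}

# Assumption: the note is dropped as "<random>.README.txt"; only one such
# path appears in the report, so this generalises from it.
NOTE_NAME = re.compile(r"^[A-Za-z0-9]+\.README\.txt$")
# v2/v3 onion host (base32 alphabet) plus whatever path token follows it.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*")


def file_hashes(path, chunk=1 << 20):
    """Compute all four digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_sample(path):
    """Names of the report hashes this file matches; empty list if none."""
    digests = file_hashes(path)
    return sorted(n for n, v in SAMPLE_HASHES.items() if digests[n] == v)


def extract_onion_urls(text):
    """Every .onion URL in a note body, path token included."""
    return ONION_URL.findall(text)


def scan(root):
    """Return (hash_hits, note_hits) for every file under `root`.

    hash_hits: [(path, [matched hash names])]
    note_hits: [(path, [onion URLs found in the note])]
    """
    hash_hits, note_hits = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if NOTE_NAME.match(name):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    note_hits.append((full, extract_onion_urls(fh.read())))
                continue
            hits = matches_sample(full)
            if hits:
                hash_hits.append((full, hits))
    return hash_hits, note_hits


def demo():
    """Constructed sample tree (not real victim data): one note, one benign file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "6amPnJyPq.README.txt"), "w", encoding="utf-8") as fh:
        fh.write(
            ">> How to contact with us?\n"
            "1. Download and install TOR Browser (https://www.torproject.org/).\n"
            "2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid"
            ".onion/Q0DVRYWVDUGDD22V0K7XX\n"
        )
    with open(os.path.join(root, "invoice.docx"), "wb") as fh:
        fh.write(b"constructed benign content, not the sample")
    return scan(root)


if __name__ == "__main__":
    hash_hits, note_hits = demo()
    for path, names in hash_hits:
        print("sample hash match:", path, names)
    for path, urls in note_hits:
        print("ransom note:", path, urls)
```

Hashing all four digests in one pass matters when sweeping file servers: the report gives four hashes, and matching on any of them means a truncated or re-padded copy still trips on the others. The .onion URL is worth extracting from every note found, because the path token after the host differs per victim and ties a note back to a specific intrusion.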

Targets
Target

8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

MD5

bd888dddb2e341518b1cd9efff2f80cd

Filesize

80KB

Score
10/10
SHA1

8e06e25de1c77dae2447adb7dbe10c80153e902c

SHA256

8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

SHA512

0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c

Signatures

  • BlackMatter Ransomware

    Description

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry

    TTPs

    Defacement, Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

behavioral1
10/10

behavioral2
10/10