General

  • Target

    8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

  • Size

    80KB

  • Sample

    211103-q9xgvsbbaq

  • MD5

    bd888dddb2e341518b1cd9efff2f80cd

  • SHA1

    8e06e25de1c77dae2447adb7dbe10c80153e902c

  • SHA256

    8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

  • SHA512

    0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c

Score
10/10

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX

Targets

    • Target

      8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

    • Size

      80KB

    • MD5

      bd888dddb2e341518b1cd9efff2f80cd

    • SHA1

      8e06e25de1c77dae2447adb7dbe10c80153e902c

    • SHA256

      8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

    • SHA512

      0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks