Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-11-2021 13:58

General

  • Target

    8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952.exe

  • Size

    80KB

  • MD5

    bd888dddb2e341518b1cd9efff2f80cd

  • SHA1

    8e06e25de1c77dae2447adb7dbe10c80153e902c

  • SHA256

    8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952

  • SHA512

    0385151f8ca63613f46dda29206cc139f060735f898bc16e85c987de3f2ae552c0a64e1a5e79c183ea4aa7cf2963a7922389ae5ec0b7d28400875e9a19ef969c

Score
10/10

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Q0DVRYWVDUGDD22V0K7XX

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952.exe
    "C:\Users\Admin\AppData\Local\Temp\8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4396
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4396-118-0x00000000027F3000-0x00000000027F5000-memory.dmp
    Filesize

    8KB

  • memory/4396-119-0x00000000027F0000-0x00000000027F1000-memory.dmp
    Filesize

    4KB