Overview

overview

10

Static

static

8

8323fdfda08300...ac.exe

windows7_x64

10

8323fdfda08300...ac.exe

windows10_x64

10
General
Target

8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

Filesize

5MB

Completed

03-11-2021 14:01

Task

behavioral2

Score
10/10
MD5

6bd9bcccf3b918b5b1b7d554f82c2fdf

SHA1

06cadd71039666315102aa5e46f52c45bec453a8

SHA256

8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac

SHA256

c74a0c90f5c6e1f99f1aad0729b2fdb22e616d3070dca0852bc7f2c12b30703206f7bf171ef9e19807d7e9a9788cbc8416fb142fbdcd3625bc22c42acb73b176

Malware Config

Extracted

Path

\??\Z:\WRLMMTHME.README.txt
Family

blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 50 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5

Extracted

Family

blackmatter
Version

2.0
Botnet

5791ae39aeab40b5e8e33d8dce465877
Attributes
attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
false
mount_volumes
true
rsa_pubkey.base64
aes.base64
Signatures 12

Filter: none

Defense Evasion
Discovery
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\SelectReset.tiff => C:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\StepRequest.tiff8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\GroupBackup.raw => C:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\RegisterLock.tiff => C:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\SelectReset.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\SplitStop.png => C:\Users\Admin\Pictures\SplitStop.png.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\ClearEnable.tiff => C:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\LimitImport.tif => C:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\SubmitInstall.crw => C:\Users\Admin\Pictures\SubmitInstall.crw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\WriteExit.raw => C:\Users\Admin\Pictures\WriteExit.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\StepRequest.tiff => C:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\ApproveEnter.png => C:\Users\Admin\Pictures\ApproveEnter.png.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\InstallTest.raw => C:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\RegisterLock.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\ResolveTrace.crw => C:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\GroupBackup.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\RegisterLock.tiff8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\ResolveTrace.crw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\SelectReset.tiff8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\CloseUnpublish.tif => C:\Users\Admin\Pictures\CloseUnpublish.tif.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\InstallTest.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File renamedC:\Users\Admin\Pictures\SplitWrite.raw => C:\Users\Admin\Pictures\SplitWrite.raw.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\ClearEnable.tiff8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\ClearEnable.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\LimitImport.tif.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    File opened for modificationC:\Users\Admin\Pictures\StepRequest.tiff.WRLMMTHME8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • VMProtect packed file

    Description

    Detects executables packed with VMProtect commercial packer.

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/1200-119-0x0000000000FA0000-0x0000000001833000-memory.dmpvmprotect
  • Enumerates connected drives
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\Z:8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • Sets desktop wallpaper using registry
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp"8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp"8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Reported IOCs

    pidprocess
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • Modifies Control Panel
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10"8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Key created\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • Suspicious behavior: EnumeratesProcesses
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

    Reported IOCs

    pidprocess
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
  • Suspicious use of AdjustPrivilegeToken
    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeDebugPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: 3612008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeImpersonatePrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeIncBasePriorityPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeIncreaseQuotaPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: 3312008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeManageVolumePrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeProfSingleProcessPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeRestorePrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeSecurityPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeSystemProfilePrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeTakeOwnershipPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeShutdownPrivilege12008323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    Token: SeBackupPrivilege352vssvc.exe
    Token: SeRestorePrivilege352vssvc.exe
    Token: SeAuditPrivilege352vssvc.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    "C:\Users\Admin\AppData\Local\Temp\8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1200
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:352
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • memory/1200-119-0x0000000000FA0000-0x0000000001833000-memory.dmp

                      Download

                    • memory/1200-121-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

                      Download

                    • memory/1200-122-0x00000000036F3000-0x00000000036F5000-memory.dmp

                      Download

                    • memory/1200-123-0x00000000036F0000-0x00000000036F1000-memory.dmp

                      Download