Overview

overview

10

Static

static

8

8323fdfda0...ac.exe

windows7_x64

10

8323fdfda0...ac.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-11-2021 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe

  • Size

    5MB

  • MD5

    6bd9bcccf3b918b5b1b7d554f82c2fdf

  • SHA1

    06cadd71039666315102aa5e46f52c45bec453a8

  • SHA256

    8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac

  • SHA512

    c74a0c90f5c6e1f99f1aad0729b2fdb22e616d3070dca0852bc7f2c12b30703206f7bf171ef9e19807d7e9a9788cbc8416fb142fbdcd3625bc22c42acb73b176

Score
10/10
blackmatter5791ae39aeab40b5e8e33d8dce465877ransomwaresuricatavmprotect

Malware Config

Extracted

Path

\??\Z:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 50 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5

Extracted

Family

blackmatter

Version

2.0

Botnet

5791ae39aeab40b5e8e33d8dce465877

Attributes
  • attempt_auth

    false

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    false

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • suricata: ET MALWARE BlackMatter CnC Activity

    suricata: ET MALWARE BlackMatter CnC Activity

    suricata
  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    suricata
  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    suricata
  • Modifies extensions of user files 32 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe
    "C:\Users\Admin\AppData\Local\Temp\8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac.exe"
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1200
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

00:00 00:00

Downloads

  • memory/1200-119-0x0000000000FA0000-0x0000000001833000-memory.dmp
    Filesize

    8MB

    Download
  • memory/1200-121-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1200-122-0x00000000036F3000-0x00000000036F5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1200-123-0x00000000036F0000-0x00000000036F1000-memory.dmp
    Filesize

    4KB

    Download