blackmatter | bf9511517f610387d714553bed6ff59d55c21cd0aa18ae00714585e699a332a3

Analysis

max time kernel
158s
max time network
136s
platform
windows7_x64
resource
win7-en-20211014
submitted
22-11-2021 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Size

79KB
MD5

900b7b852674521b306bb03eb991b94a
SHA1

ed5b159b94ed5977efc1f3e05490545d7cb6a93e
SHA256

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4
SHA512

04db23845665c6152a965d8401502588d09f6a4d30f83797cd772c179db8e445463ec5988e381d3a83789d4f20cd0378631e90560040f44a4b0b6634f373a093

Score

10^/10

blackmatter ransomware suricata

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/D4MX4VGFCMO7MFQ6P >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/D4MX4VGFCMO7MFQ6P

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitHide.raw => C:\Users\Admin\Pictures\ExitHide.raw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
File opened for modification	C:\Users\Admin\Pictures\ExitHide.raw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
File renamed	C:\Users\Admin\Pictures\JoinTest.raw => C:\Users\Admin\Pictures\JoinTest.raw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
File opened for modification	C:\Users\Admin\Pictures\JoinTest.raw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
File renamed	C:\Users\Admin\Pictures\SubmitConvert.crw => C:\Users\Admin\Pictures\SubmitConvert.crw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitConvert.crw.6amPnJyPq	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp"	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp"	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

pid	process
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10"	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

580 NOTEPAD.EXE

pid	process
580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

pid	process
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

1284 splwow64.exe

pid	process
1284	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeDebugPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: 36	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeImpersonatePrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeIncBasePriorityPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeIncreaseQuotaPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: 33	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeManageVolumePrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeProfSingleProcessPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeRestorePrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeSecurityPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeSystemProfilePrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeTakeOwnershipPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeShutdownPrivilege	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
Token: SeBackupPrivilege	916	vssvc.exe
Token: SeRestorePrivilege	916	vssvc.exe
Token: SeAuditPrivilege	916	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1284 splwow64.exe

pid	process
1284	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exeNOTEPAD.EXE

description	pid	process	target process
PID 840 wrote to memory of 580	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe	NOTEPAD.EXE
PID 840 wrote to memory of 580	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe	NOTEPAD.EXE
PID 840 wrote to memory of 580	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe	NOTEPAD.EXE
PID 840 wrote to memory of 580	840	0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe	NOTEPAD.EXE
PID 580 wrote to memory of 1284	580	NOTEPAD.EXE	splwow64.exe
PID 580 wrote to memory of 1284	580	NOTEPAD.EXE	splwow64.exe
PID 580 wrote to memory of 1284	580	NOTEPAD.EXE	splwow64.exe
PID 580 wrote to memory of 1284	580	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe
"C:\Users\Admin\AppData\Local\Temp\0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6amPnJyPq.README.txt
MD5
5fc34d51147df5696554dd7cca4febaa

SHA1
cc58005940434a64e8c1f18a1a645a09869abeb4

SHA256
a811e4d76dc3a6014a3a41a6692a09ce82a0f28276df1b9252b87894a69e3fce

SHA512
1a50b466e43259b2f7faf5a472759a8a355609186bd1227dcf64309a3e9eab7d258c0d8931d4c283156a61558b678c1563a6ea05dfe489f75316b1b3c7e9da23

Download Submit
memory/580-59-0x0000000000000000-mapping.dmp

Download
memory/840-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/840-57-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/840-56-0x00000000002B5000-0x00000000002C6000-memory.dmp

Filesize
68KB

Download
memory/840-58-0x00000000002C6000-0x00000000002C7000-memory.dmp

Filesize
4KB

Download
memory/1284-62-0x0000000000000000-mapping.dmp

Download
memory/1284-63-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/1284-64-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download