4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

General
Target

4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

Size

802KB

Sample

211123-m85v3ahhbr

Score
10 /10
MD5

3721485def21e7efbb418b3502ebc000

SHA1

6ce90543099f44f06b9151524c22e497777ed026

SHA256

4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

SHA512

a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

Malware Config

Extracted

Path \??\Z:\WRLMMTHME.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A

Targets
Target

4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

MD5

3721485def21e7efbb418b3502ebc000

Filesize

802KB

Score
10/10
SHA1

6ce90543099f44f06b9151524c22e497777ed026

SHA256

4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

SHA512

a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • Blocklisted process makes network request

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        behavioral1

                        5/10

                        behavioral2

                        10/10