General

  • Target

    4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

  • Size

    802KB

  • Sample

    211123-m85v3ahhbr

  • MD5

    3721485def21e7efbb418b3502ebc000

  • SHA1

    6ce90543099f44f06b9151524c22e497777ed026

  • SHA256

    4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

  • SHA512

    a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

Malware Config

Extracted

Path

\??\Z:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/24HUMRRAZYQNDJ8A

Targets

    • Target

      4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

    • Size

      802KB

    • MD5

      3721485def21e7efbb418b3502ebc000

    • SHA1

      6ce90543099f44f06b9151524c22e497777ed026

    • SHA256

      4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9

    • SHA512

      a0a8508afe73cf442c54adaa504e61d106127daa39f61a7400c773e0d21512eaff5c4a93c9497bf3f207aa0be3c48f212c03c6f53f212b89bf7783e7a032c211

    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • suricata: ET MALWARE BlackMatter CnC Activity

      suricata: ET MALWARE BlackMatter CnC Activity

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks