Analysis
-
max time kernel
110s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
23-11-2021 11:10
Static task
static1
Behavioral task
behavioral1
Sample
3.bin.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
3.bin.exe
Resource
win10-en-20211104
General
-
Target
3.bin.exe
-
Size
67KB
-
MD5
d0512f2063cbd79fb0f770817cc81ab3
-
SHA1
e324a2c8fae0d26b12f00ac859340f8d9945a9c1
-
SHA256
7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984
-
SHA512
a62cecdf8887e426332d56914dfe03780402a34896ffe7a3a932986832db7080e599db32bb2113238443750227a50de84ae36c6811993c43b7eee8b1a018d641
Malware Config
Extracted
C:\eeWDzMyD5.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
3.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\ResolveExport.tiff => C:\Users\Admin\Pictures\ResolveExport.tiff.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\SplitComplete.raw => C:\Users\Admin\Pictures\SplitComplete.raw.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\WatchGrant.png => C:\Users\Admin\Pictures\WatchGrant.png.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\ResetConnect.raw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\JoinStart.raw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\ResolveExport.tiff 3.bin.exe File opened for modification C:\Users\Admin\Pictures\ResolveExport.tiff.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\UnblockRepair.crw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\InvokeSelect.tiff.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\JoinStart.raw => C:\Users\Admin\Pictures\JoinStart.raw.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\UnblockRepair.crw => C:\Users\Admin\Pictures\UnblockRepair.crw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\WatchGrant.png.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.eeWDzMyD5 3.bin.exe File renamed C:\Users\Admin\Pictures\ResetConnect.raw => C:\Users\Admin\Pictures\ResetConnect.raw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\SplitComplete.raw.eeWDzMyD5 3.bin.exe File opened for modification C:\Users\Admin\Pictures\InvokeSelect.tiff 3.bin.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
3.bin.exedescription ioc process File opened (read-only) \??\Z: 3.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
3.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\eeWDzMyD5.bmp" 3.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\eeWDzMyD5.bmp" 3.bin.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
3.bin.exepid process 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe -
Modifies Control Panel 3 IoCs
Processes:
3.bin.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International 3.bin.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop 3.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallpaperStyle = "10" 3.bin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
3.bin.exepid process 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe 3616 3.bin.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
3.bin.exevssvc.exedescription pid process Token: SeBackupPrivilege 3616 3.bin.exe Token: SeDebugPrivilege 3616 3.bin.exe Token: 36 3616 3.bin.exe Token: SeImpersonatePrivilege 3616 3.bin.exe Token: SeIncBasePriorityPrivilege 3616 3.bin.exe Token: SeIncreaseQuotaPrivilege 3616 3.bin.exe Token: 33 3616 3.bin.exe Token: SeManageVolumePrivilege 3616 3.bin.exe Token: SeProfSingleProcessPrivilege 3616 3.bin.exe Token: SeRestorePrivilege 3616 3.bin.exe Token: SeSecurityPrivilege 3616 3.bin.exe Token: SeSystemProfilePrivilege 3616 3.bin.exe Token: SeTakeOwnershipPrivilege 3616 3.bin.exe Token: SeShutdownPrivilege 3616 3.bin.exe Token: SeBackupPrivilege 1416 vssvc.exe Token: SeRestorePrivilege 1416 vssvc.exe Token: SeAuditPrivilege 1416 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.bin.exe"C:\Users\Admin\AppData\Local\Temp\3.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken