blackmatter | 8561226f674aeb4abc1b9910ddc4855ac8ac2fcd4f5face1f84e34878ac98afc

Analysis

max time kernel
159s
max time network
136s
platform
windows7_x64
resource
win7-en-20211014
submitted
23-11-2021 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Size

79KB
MD5

62a1b4d4b461f4eaae91c70727f71604
SHA1

1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
SHA256

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
SHA512

d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

Score

10^/10

blackmatter ransomware suricata

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SearchNew.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\WatchReceive.tiff => C:\Users\Admin\Pictures\WatchReceive.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\UnprotectEnable.png => C:\Users\Admin\Pictures\UnprotectEnable.png.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\UnprotectEnable.tif => C:\Users\Admin\Pictures\UnprotectEnable.tif.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\WatchReceive.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectResolve.tif.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\SearchNew.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallSuspend.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\UninstallSuspend.tiff => C:\Users\Admin\Pictures\UninstallSuspend.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallSuspend.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\DisconnectResolve.tif => C:\Users\Admin\Pictures\DisconnectResolve.tif.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\PingCompress.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\SearchNew.tiff => C:\Users\Admin\Pictures\SearchNew.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectEnable.png.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectEnable.tif.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\PingCompress.tiff => C:\Users\Admin\Pictures\PingCompress.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\PingCompress.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\WatchReceive.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

pid	process
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1060 NOTEPAD.EXE

pid	process
1060	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

pid	process
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

1804 splwow64.exe

pid	process
1804	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeDebugPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 36	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeImpersonatePrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncBasePriorityPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncreaseQuotaPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 33	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeManageVolumePrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeProfSingleProcessPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeRestorePrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSecurityPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSystemProfilePrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeTakeOwnershipPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeShutdownPrivilege	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeBackupPrivilege	1932	vssvc.exe
Token: SeRestorePrivilege	1932	vssvc.exe
Token: SeAuditPrivilege	1932	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1804 splwow64.exe

pid	process
1804	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE

description	pid	process	target process
PID 1360 wrote to memory of 1060	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 1060	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 1060	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 1360 wrote to memory of 1060	1360	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 1060 wrote to memory of 1804	1060	NOTEPAD.EXE	splwow64.exe
PID 1060 wrote to memory of 1804	1060	NOTEPAD.EXE	splwow64.exe
PID 1060 wrote to memory of 1804	1060	NOTEPAD.EXE	splwow64.exe
PID 1060 wrote to memory of 1804	1060	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
"C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6amPnJyPq.README.txt
MD5
1ba53a2b703aeb54647185c18cc1ddbd

SHA1
0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

SHA256
74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

SHA512
15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

Download Submit
memory/1060-59-0x0000000000000000-mapping.dmp

Download
memory/1360-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x00000000009A5000-0x00000000009B6000-memory.dmp

Filesize
68KB

Download
memory/1360-57-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1360-58-0x00000000009B6000-0x00000000009B7000-memory.dmp

Filesize
4KB

Download
memory/1804-62-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/1804-64-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download