blackmatter | 8561226f674aeb4abc1b9910ddc4855ac8ac2fcd4f5face1f84e34878ac98afc

Analysis

max time kernel
158s
max time network
127s
platform
windows7_x64
resource
win7-en-20211014
submitted
23-11-2021 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Size

79KB
MD5

c958e5710adefbc68f3e0719f48bcf87
SHA1

f50429c2e706f65fd3fb62968a74b391e5417e66
SHA256

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b
SHA512

f5dbe5cc944d6dccbc085c5344e3a61f8945c838dcbfee0a0fbf69429946fed5db363da621835ffb54ee76eba938f7fd31c73b9a727ab2cf5c554b58bc09258d

Score

10^/10

blackmatter ransomware suricata

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/7Fzi2ntSlp/1094de0bf2bc03ac2ac8dc79d118a785 >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/9MDXJ6LXOUEK84ALNT >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/7Fzi2ntSlp/1094de0bf2bc03ac2ac8dc79d118a785

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/9MDXJ6LXOUEK84ALNT

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupSkip.png => C:\Users\Admin\Pictures\BackupSkip.png.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File opened for modification	C:\Users\Admin\Pictures\BackupSkip.png.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File renamed	C:\Users\Admin\Pictures\InstallSubmit.tiff => C:\Users\Admin\Pictures\InstallSubmit.tiff.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendImport.raw.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File renamed	C:\Users\Admin\Pictures\CopySkip.png => C:\Users\Admin\Pictures\CopySkip.png.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File opened for modification	C:\Users\Admin\Pictures\CopySkip.png.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File opened for modification	C:\Users\Admin\Pictures\InstallSubmit.tiff	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File opened for modification	C:\Users\Admin\Pictures\InstallSubmit.tiff.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
File renamed	C:\Users\Admin\Pictures\SuspendImport.raw => C:\Users\Admin\Pictures\SuspendImport.raw.6amPnJyPq	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp"	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp"	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

pid	process
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10"	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

108 NOTEPAD.EXE

pid	process
108	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

pid	process
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

1476 splwow64.exe

pid	process
1476	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeDebugPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: 36	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeImpersonatePrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeIncBasePriorityPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeIncreaseQuotaPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: 33	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeManageVolumePrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeProfSingleProcessPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeRestorePrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeSecurityPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeSystemProfilePrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeTakeOwnershipPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeShutdownPrivilege	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1476 splwow64.exe

pid	process
1476	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exeNOTEPAD.EXE

description	pid	process	target process
PID 816 wrote to memory of 108	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe	NOTEPAD.EXE
PID 816 wrote to memory of 108	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe	NOTEPAD.EXE
PID 816 wrote to memory of 108	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe	NOTEPAD.EXE
PID 816 wrote to memory of 108	816	eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe	NOTEPAD.EXE
PID 108 wrote to memory of 1476	108	NOTEPAD.EXE	splwow64.exe
PID 108 wrote to memory of 1476	108	NOTEPAD.EXE	splwow64.exe
PID 108 wrote to memory of 1476	108	NOTEPAD.EXE	splwow64.exe
PID 108 wrote to memory of 1476	108	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe
"C:\Users\Admin\AppData\Local\Temp\eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6amPnJyPq.README.txt
MD5
f2c0a35502d62cb25ac27968bea50a00

SHA1
0f5e0b16f8f46d92cb9daf10957aec965821c6cc

SHA256
977575a45e581b15fe5635a4259a7c18ed1c8a77314d326100d71d2aa98d1cd1

SHA512
7246565a62976f0ecf75a4fdbe2c9cb7b9b053342f46d04e648bfbeb45192a506fee6f49efe0a6ab182960fd0404a769d355eca614b394c8518626b5889d1f14

Download Submit
memory/108-59-0x0000000000000000-mapping.dmp

Download
memory/816-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/816-56-0x0000000000905000-0x0000000000916000-memory.dmp

Filesize
68KB

Download
memory/816-57-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/816-58-0x0000000000916000-0x0000000000917000-memory.dmp

Filesize
4KB

Download
memory/1476-62-0x0000000000000000-mapping.dmp

Download
memory/1476-63-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/1476-64-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download