blackmatter | 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

General

Target

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Size

79KB
MD5

62a1b4d4b461f4eaae91c70727f71604
SHA1

1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
SHA256

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
SHA512

d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

Score

10^/10

blackmatter ransomware suricata

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
suricata

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\NewWrite.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\OpenRead.raw => C:\Users\Admin\Pictures\OpenRead.raw.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeUninstall.png.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\NewWrite.tiff => C:\Users\Admin\Pictures\NewWrite.tiff.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\OpenRead.raw.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\ResumeUninstall.png => C:\Users\Admin\Pictures\ResumeUninstall.png.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File renamed	C:\Users\Admin\Pictures\UndoProtect.raw => C:\Users\Admin\Pictures\UndoProtect.raw.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\UndoProtect.raw.6amPnJyPq	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
File opened for modification	C:\Users\Admin\Pictures\NewWrite.tiff	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

pid	process
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10"	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settings	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1316 NOTEPAD.EXE

pid	process
1316	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

pid	process
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeDebugPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 36	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeImpersonatePrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncBasePriorityPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeIncreaseQuotaPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: 33	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeManageVolumePrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeProfSingleProcessPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeRestorePrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSecurityPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeSystemProfilePrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeTakeOwnershipPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeShutdownPrivilege	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

splwow64.exe

pid process

1564 splwow64.exe

pid	process
1564	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE

description	pid	process	target process
PID 984 wrote to memory of 1316	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 984 wrote to memory of 1316	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 984 wrote to memory of 1316	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 984 wrote to memory of 1316	984	706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe	NOTEPAD.EXE
PID 1316 wrote to memory of 1564	1316	NOTEPAD.EXE	splwow64.exe
PID 1316 wrote to memory of 1564	1316	NOTEPAD.EXE	splwow64.exe
PID 1316 wrote to memory of 1564	1316	NOTEPAD.EXE	splwow64.exe
PID 1316 wrote to memory of 1564	1316	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
"C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6amPnJyPq.README.txt
MD5
1ba53a2b703aeb54647185c18cc1ddbd

SHA1
0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

SHA256
74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

SHA512
15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

Download Submit
C:\Users\Admin\Documents\ExportImport.xps.6amPnJyPq
MD5
b07a8b48e1ad2112bf5a7c1c5da6e34e

SHA1
950d542c35d46e628120728aaeb6e070aa968337

SHA256
89d618241c06f8048228e5f067c1544d9582abce509fb93140c20f0d4446443c

SHA512
828fe58462bcd0419d183b91bb228a85f1f0470ed1b3b00a19180f00599d3ec663407ed40909f6f74d30f913bfcf6892baf6b57cdfc4152786f8690f7d204edc

Download Submit
C:\Users\Admin\Documents\OpenRemove.xps.6amPnJyPq
MD5
038992682b33a9cf46b7dbaec66290e5

SHA1
b17d7fdc103d79a43cb9186239a3feb9d0b2ae7b

SHA256
517ce875325257636a374d4744b22e3708f12b8bdb794e48e1638bab00411c3f

SHA512
8255e86fafe5578b7abbac2935bba9fc888d2b2aae4c9468ba6c769177d0202e8fcf81b9b60c375e88d3a6217e35cd5b4327c50b568befd093330e369bc4d329

Download Submit
C:\Users\Admin\Documents\ProtectComplete.xps.6amPnJyPq
MD5
5559be895f8343801c5e3dd1eb2c1d3c

SHA1
1c12cd097b8efa907dcc33b32b0358d4e3e6a286

SHA256
62005f8c9deb25600ca76c463a5814bf572f039755b143a4a9e0271660b0232d

SHA512
27f6a3ddac14eec3ffa82987ec217d4b0c4d830fd016ed6eff560bab81f22bfa53333e59dac14a0c5943be98052ecbbb552da3686e6997ff6ecd9b3c4e3241f9

Download Submit
memory/984-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/984-56-0x0000000000835000-0x0000000000846000-memory.dmp

Filesize
68KB

Download
memory/984-57-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/984-58-0x0000000000846000-0x0000000000847000-memory.dmp

Filesize
4KB

Download
memory/1316-59-0x0000000000000000-mapping.dmp

Download
memory/1564-62-0x0000000000000000-mapping.dmp

Download
memory/1564-63-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/1564-67-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads