Overview

overview

10

Static

static

10

706f3eec328e91...9d.exe

windows7_x64

10

706f3eec328e91...9d.exe

windows10_x64

10
General
Target

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

Filesize

79KB

Completed

23-11-2021 18:18

Task

behavioral1

Score
10/10
MD5

62a1b4d4b461f4eaae91c70727f71604

SHA1

1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

SHA256

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

SHA256

d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

Malware Config

Extracted

Path

C:\6amPnJyPq.README.txt
Family

blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX
Signatures 15

Filter: none

Defense Evasion
Discovery
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • suricata: ET MALWARE BlackMatter CnC Activity

    Description

    suricata: ET MALWARE BlackMatter CnC Activity

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

    Tags

  • suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Description

    suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)

    Tags

  • Modifies extensions of user files
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\NewWrite.tiff.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File renamedC:\Users\Admin\Pictures\OpenRead.raw => C:\Users\Admin\Pictures\OpenRead.raw.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File opened for modificationC:\Users\Admin\Pictures\ResumeUninstall.png.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File renamedC:\Users\Admin\Pictures\NewWrite.tiff => C:\Users\Admin\Pictures\NewWrite.tiff.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File opened for modificationC:\Users\Admin\Pictures\OpenRead.raw.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File renamedC:\Users\Admin\Pictures\ResumeUninstall.png => C:\Users\Admin\Pictures\ResumeUninstall.png.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File renamedC:\Users\Admin\Pictures\UndoProtect.raw => C:\Users\Admin\Pictures\UndoProtect.raw.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File opened for modificationC:\Users\Admin\Pictures\UndoProtect.raw.6amPnJyPq706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    File opened for modificationC:\Users\Admin\Pictures\NewWrite.tiff706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
  • Sets desktop wallpaper using registry
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6amPnJyPq.bmp"706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6amPnJyPq.bmp"706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

    Reported IOCs

    pidprocess
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies Control Panel
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10"706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
  • Modifies registry class
    splwow64.exe

    Reported IOCs

    descriptioniocprocess
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bagssplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shellsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotssplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffffsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffffsplwow64.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"splwow64.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRUsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffffsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_Classes\Local Settingssplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgsplwow64.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0splwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffffsplwow64.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"splwow64.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pidprocess
    1316NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe

    Reported IOCs

    pidprocess
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
  • Suspicious use of AdjustPrivilegeToken
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeDebugPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: 36984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeImpersonatePrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeIncBasePriorityPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeIncreaseQuotaPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: 33984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeManageVolumePrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeProfSingleProcessPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeRestorePrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeSecurityPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeSystemProfilePrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeTakeOwnershipPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeShutdownPrivilege984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    Token: SeBackupPrivilege1320vssvc.exe
    Token: SeRestorePrivilege1320vssvc.exe
    Token: SeAuditPrivilege1320vssvc.exe
  • Suspicious use of SetWindowsHookEx
    splwow64.exe

    Reported IOCs

    pidprocess
    1564splwow64.exe
  • Suspicious use of WriteProcessMemory
    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 984 wrote to memory of 1316984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE
    PID 984 wrote to memory of 1316984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE
    PID 984 wrote to memory of 1316984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE
    PID 984 wrote to memory of 1316984706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exeNOTEPAD.EXE
    PID 1316 wrote to memory of 15641316NOTEPAD.EXEsplwow64.exe
    PID 1316 wrote to memory of 15641316NOTEPAD.EXEsplwow64.exe
    PID 1316 wrote to memory of 15641316NOTEPAD.EXEsplwow64.exe
    PID 1316 wrote to memory of 15641316NOTEPAD.EXEsplwow64.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe
    "C:\Users\Admin\AppData\Local\Temp\706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.exe"
    Modifies extensions of user files
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\6amPnJyPq.README.txt
      Opens file in notepad (likely ransom note)
      Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        PID:1564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1320
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\6amPnJyPq.README.txt

                      MD5

                      1ba53a2b703aeb54647185c18cc1ddbd

                      SHA1

                      0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

                      SHA256

                      74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

                      SHA512

                      15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

                      Download Submit

                    • C:\Users\Admin\Documents\ExportImport.xps.6amPnJyPq

                      MD5

                      b07a8b48e1ad2112bf5a7c1c5da6e34e

                      SHA1

                      950d542c35d46e628120728aaeb6e070aa968337

                      SHA256

                      89d618241c06f8048228e5f067c1544d9582abce509fb93140c20f0d4446443c

                      SHA512

                      828fe58462bcd0419d183b91bb228a85f1f0470ed1b3b00a19180f00599d3ec663407ed40909f6f74d30f913bfcf6892baf6b57cdfc4152786f8690f7d204edc

                      Download Submit

                    • C:\Users\Admin\Documents\OpenRemove.xps.6amPnJyPq

                      MD5

                      038992682b33a9cf46b7dbaec66290e5

                      SHA1

                      b17d7fdc103d79a43cb9186239a3feb9d0b2ae7b

                      SHA256

                      517ce875325257636a374d4744b22e3708f12b8bdb794e48e1638bab00411c3f

                      SHA512

                      8255e86fafe5578b7abbac2935bba9fc888d2b2aae4c9468ba6c769177d0202e8fcf81b9b60c375e88d3a6217e35cd5b4327c50b568befd093330e369bc4d329

                      Download Submit

                    • C:\Users\Admin\Documents\ProtectComplete.xps.6amPnJyPq

                      MD5

                      5559be895f8343801c5e3dd1eb2c1d3c

                      SHA1

                      1c12cd097b8efa907dcc33b32b0358d4e3e6a286

                      SHA256

                      62005f8c9deb25600ca76c463a5814bf572f039755b143a4a9e0271660b0232d

                      SHA512

                      27f6a3ddac14eec3ffa82987ec217d4b0c4d830fd016ed6eff560bab81f22bfa53333e59dac14a0c5943be98052ecbbb552da3686e6997ff6ecd9b3c4e3241f9

                      Download Submit

                    • memory/984-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

                      Download

                    • memory/984-56-0x0000000000835000-0x0000000000846000-memory.dmp

                      Download

                    • memory/984-57-0x0000000000830000-0x0000000000831000-memory.dmp

                      Download

                    • memory/984-58-0x0000000000846000-0x0000000000847000-memory.dmp

                      Download

                    • memory/1316-59-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1564-62-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1564-63-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

                      Download

                    • memory/1564-67-0x0000000004140000-0x0000000004141000-memory.dmp

                      Download