668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

General
Target

668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

Size

34KB

Sample

211129-vlj9vafeb7

Score
10 /10
MD5

6f5c77478795ff7fb9700ed50b334429

SHA1

6803d62254edf3bdd3bc523422ff98e6120b6e5b

SHA256

668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

SHA512

40e4ffd227443003e0506f8d1fbfbacde54f9bfb5fa6908f05e134ee25217d3c3907d7c981107d642c071063b57253b4727fb6a211d7698a7a9bae2d8beede5f

Malware Config

Extracted

Path C:\6amPnJyPq.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Targets
Target

668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

MD5

6f5c77478795ff7fb9700ed50b334429

Filesize

34KB

Score
10/10
SHA1

6803d62254edf3bdd3bc523422ff98e6120b6e5b

SHA256

668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

SHA512

40e4ffd227443003e0506f8d1fbfbacde54f9bfb5fa6908f05e134ee25217d3c3907d7c981107d642c071063b57253b4727fb6a211d7698a7a9bae2d8beede5f

Tags

Signatures

  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Sets desktop wallpaper using registry

    Tags

    TTPs

    DefacementModify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    8/10

                    behavioral1

                    10/10

                    behavioral2

                    10/10