blackmatter | cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7

General

Target

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Size

1.3MB
MD5

da3ab4d40944c077f92e52d2c1de8fca
SHA1

6676ef8826b9e5419958761f3a71464105290288
SHA256

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7
SHA512

1dcc1259105c730fff76e518d7d57bce8cacacfebc05cf7b3294ccdbf8286635bfe43532f7a19507d3fd42973429f2c9335d031cbd473b356cba1bab79ce318a

Score

10^/10

blackmatter caa0d21adc7bdc4dc424497512a8f37d ransomware suricata

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/8ZHJ2G2FJDX9JSHTA6S

Extracted

Family

blackmatter

Version

1.4

Botnet

caa0d21adc7bdc4dc424497512a8f37d

C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes

attempt_auth
false
create_mutex
true
encrypt_network_shares
true
exfiltrate
true
mount_volumes
true

rsa_pubkey.base64

aes.base64

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Activity
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
suricata

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResolveComplete.tiff.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\ResumeDismount.png => C:\Users\Admin\Pictures\ResumeDismount.png.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeDismount.png.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockConfirm.crw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\DismountInitialize.tif.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandUnlock.png.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\LimitConvertFrom.raw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\PingFormat.raw => C:\Users\Admin\Pictures\PingFormat.raw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveComplete.tiff	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\ResolveComplete.tiff => C:\Users\Admin\Pictures\ResolveComplete.tiff.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\UnlockConfirm.crw => C:\Users\Admin\Pictures\UnlockConfirm.crw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\CloseBlock.tiff	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\CloseBlock.tiff => C:\Users\Admin\Pictures\CloseBlock.tiff.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\CloseBlock.tiff.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\DismountInitialize.tif => C:\Users\Admin\Pictures\DismountInitialize.tif.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\ExpandUnlock.png => C:\Users\Admin\Pictures\ExpandUnlock.png.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File renamed	C:\Users\Admin\Pictures\LimitConvertFrom.raw => C:\Users\Admin\Pictures\LimitConvertFrom.raw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
File opened for modification	C:\Users\Admin\Pictures\PingFormat.raw.eeWDzMyD5	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Loads dropped DLL 1 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid process

3772 cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description ioc process

File opened (read-only) \??\Z: cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid	process
3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	ioc	process
File opened (read-only)	\??\Z:	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\eeWDzMyD5.bmp"	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\eeWDzMyD5.bmp"	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid	process
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	pid	process	target process
PID 3772 set thread context of 4080	3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallpaperStyle = "10"	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Modifies registry class 21 IoCs

Processes:

NOTEPAD.EXEcf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2028 NOTEPAD.EXE

pid	process
2028	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid	process
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid process

3772 cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

pid	process
3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeDebugPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: 36	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeImpersonatePrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeIncBasePriorityPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeIncreaseQuotaPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: 33	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeManageVolumePrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeProfSingleProcessPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeRestorePrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeSecurityPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeSystemProfilePrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeTakeOwnershipPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeShutdownPrivilege	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
Token: SeBackupPrivilege	3936	vssvc.exe
Token: SeRestorePrivilege	3936	vssvc.exe
Token: SeAuditPrivilege	3936	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2028 NOTEPAD.EXE

pid	process
2028	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.execf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exeNOTEPAD.EXE

description	pid	process	target process
PID 3772 wrote to memory of 4080	3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 3772 wrote to memory of 4080	3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 3772 wrote to memory of 4080	3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 3772 wrote to memory of 4080	3772	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
PID 4080 wrote to memory of 2028	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	NOTEPAD.EXE
PID 4080 wrote to memory of 2028	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	NOTEPAD.EXE
PID 4080 wrote to memory of 2028	4080	cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe	NOTEPAD.EXE
PID 2028 wrote to memory of 3460	2028	NOTEPAD.EXE	splwow64.exe
PID 2028 wrote to memory of 3460	2028	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe
"C:\Users\Admin\AppData\Local\Temp\cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7.exe"
2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\eeWDzMyD5.README.txt
3⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:3460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\eeWDzMyD5.README.txt
MD5
6fa43061e83bcd017c53d4193f15a9de

SHA1
4967320d8646cdcdc9685ae51cb26bdbcc01eaa9

SHA256
7bd9ec7fb1b24ec085bf0f07a0453ad9fcb54ba8093a4fc62c3db3fddf20312e

SHA512
18be5472b3caca35ed41821397bede35cb050f0c5994126139c97c6093ce8e0c5cc9cc7da7f372a414205d3116ec9cf37b65a70a843adb743c0f7d92881f9d3e

Download Submit
\Users\Admin\AppData\Local\Temp\nswADF5.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/2028-123-0x0000000000000000-mapping.dmp

Download
memory/3460-125-0x0000000000000000-mapping.dmp

Download
memory/4080-119-0x000000000040EB61-mapping.dmp

Download
memory/4080-120-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4080-121-0x0000000002023000-0x0000000002025000-memory.dmp

Filesize
8KB

Download
memory/4080-122-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads