Overview

overview

10

Static

static

bm.ps1

windows7_x64

1

bm.ps1

windows10_x64

10

Analysis

  • max time kernel
    33s
  • max time network
    30s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bm.ps1

  • Size

    915KB

  • MD5

    001bfe6f72fe64660ba498107c658bdc

  • SHA1

    0946baf23e867f2564302b60f777db72a1244a30

  • SHA256

    c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

  • SHA512

    32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bm.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\bm.ps1
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    38fcd7bfa41917d88106906bf712cbc4

    SHA1

    755d75e36bde59f316b7a81383c6d38be3e5b750

    SHA256

    6b6b349c37d2cfdc11d1866d14204c64a76f4a53caa2fcd3e14f1073a783b9ad

    SHA512

    d12fa1e8290b39232cec91a85b6fe8131c2b4b2ce517e45399624b8c0ab6710bb5450c38c9939d4c91dfc1e9467acea44f27f390b7a9d6b3ed12f24638c8924b

    Download Submit
  • memory/3240-175-0x00000000035E0000-0x00000000035E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-176-0x0000000004F20000-0x0000000004F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-174-0x00000000035E0000-0x00000000035E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-440-0x000000000FA70000-0x000000000FA71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-439-0x000000000FA73000-0x000000000FA75000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3240-438-0x0000000004F76000-0x0000000004F78000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3240-223-0x000000007F7C0000-0x000000007F7C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-224-0x0000000004F73000-0x0000000004F74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-188-0x00000000035E0000-0x00000000035E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-178-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-187-0x0000000008A90000-0x0000000008A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-186-0x0000000008860000-0x0000000008861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-185-0x00000000082E0000-0x00000000082E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-183-0x00000000083A0000-0x00000000083A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3240-182-0x0000000007AD0000-0x0000000007AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-181-0x0000000007A60000-0x0000000007A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-180-0x00000000078C0000-0x00000000078C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-179-0x0000000004F72000-0x0000000004F73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3240-177-0x0000000007B90000-0x0000000007B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-128-0x00000261BFA90000-0x00000261BFA91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-120-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-122-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-121-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-173-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-132-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-119-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-131-0x00000261BD9B6000-0x00000261BD9B8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-130-0x00000261BD9B3000-0x00000261BD9B5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-129-0x00000261BD9B0000-0x00000261BD9B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-127-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-126-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-125-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-124-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3636-123-0x00000261A5430000-0x00000261A5431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3636-118-0x00000261A3870000-0x00000261A3872000-memory.dmp
    Filesize

    8KB

    Download