General
Target

bm.ps1

Filesize

915KB

Completed

03-12-2021 12:10

Task

behavioral2

Score
10/10
MD5

001bfe6f72fe64660ba498107c658bdc

SHA1

0946baf23e867f2564302b60f777db72a1244a30

SHA256

c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

SHA512

32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Signatures 8

Filter: none

Defense Evasion
Discovery
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files
    powershell.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\SaveOpen.crw => C:\Users\Admin\Pictures\SaveOpen.crw.eeWDzMyD5powershell.exe
    File opened for modificationC:\Users\Admin\Pictures\SaveOpen.crw.eeWDzMyD5powershell.exe
    File opened for modificationC:\Users\Admin\Pictures\WatchGrant.tiffpowershell.exe
    File renamedC:\Users\Admin\Pictures\WatchGrant.tiff => C:\Users\Admin\Pictures\WatchGrant.tiff.eeWDzMyD5powershell.exe
    File opened for modificationC:\Users\Admin\Pictures\WatchGrant.tiff.eeWDzMyD5powershell.exe
  • Enumerates connected drives
    powershell.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\Z:powershell.exe
  • Sets desktop wallpaper using registry
    powershell.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\eeWDzMyD5.bmp"powershell.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\eeWDzMyD5.bmp"powershell.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    powershell.exe

    Reported IOCs

    pidprocess
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exepowershell.exe

    Reported IOCs

    pidprocess
    3636powershell.exe
    3636powershell.exe
    3636powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
    3240powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exepowershell.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3636powershell.exe
    Token: SeDebugPrivilege3240powershell.exe
    Token: SeBackupPrivilege3240powershell.exe
    Token: SeDebugPrivilege3240powershell.exe
    Token: 363240powershell.exe
    Token: SeImpersonatePrivilege3240powershell.exe
    Token: SeIncBasePriorityPrivilege3240powershell.exe
    Token: SeIncreaseQuotaPrivilege3240powershell.exe
    Token: 333240powershell.exe
    Token: SeManageVolumePrivilege3240powershell.exe
    Token: SeProfSingleProcessPrivilege3240powershell.exe
    Token: SeRestorePrivilege3240powershell.exe
    Token: SeSecurityPrivilege3240powershell.exe
    Token: SeSystemProfilePrivilege3240powershell.exe
    Token: SeTakeOwnershipPrivilege3240powershell.exe
    Token: SeShutdownPrivilege3240powershell.exe
    Token: SeBackupPrivilege3508vssvc.exe
    Token: SeRestorePrivilege3508vssvc.exe
    Token: SeAuditPrivilege3508vssvc.exe
  • Suspicious use of WriteProcessMemory
    powershell.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3636 wrote to memory of 32403636powershell.exepowershell.exe
    PID 3636 wrote to memory of 32403636powershell.exepowershell.exe
    PID 3636 wrote to memory of 32403636powershell.exepowershell.exe
Processes 3
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bm.ps1
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\bm.ps1
      Modifies extensions of user files
      Enumerates connected drives
      Sets desktop wallpaper using registry
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:3508
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      MD5

                      38fcd7bfa41917d88106906bf712cbc4

                      SHA1

                      755d75e36bde59f316b7a81383c6d38be3e5b750

                      SHA256

                      6b6b349c37d2cfdc11d1866d14204c64a76f4a53caa2fcd3e14f1073a783b9ad

                      SHA512

                      d12fa1e8290b39232cec91a85b6fe8131c2b4b2ce517e45399624b8c0ab6710bb5450c38c9939d4c91dfc1e9467acea44f27f390b7a9d6b3ed12f24638c8924b

                    • memory/3240-177-0x0000000007B90000-0x0000000007B91000-memory.dmp

                    • memory/3240-438-0x0000000004F76000-0x0000000004F78000-memory.dmp

                    • memory/3240-223-0x000000007F7C0000-0x000000007F7C1000-memory.dmp

                    • memory/3240-224-0x0000000004F73000-0x0000000004F74000-memory.dmp

                    • memory/3240-188-0x00000000035E0000-0x00000000035E1000-memory.dmp

                    • memory/3240-187-0x0000000008A90000-0x0000000008A91000-memory.dmp

                    • memory/3240-186-0x0000000008860000-0x0000000008861000-memory.dmp

                    • memory/3240-185-0x00000000082E0000-0x00000000082E1000-memory.dmp

                    • memory/3240-439-0x000000000FA73000-0x000000000FA75000-memory.dmp

                    • memory/3240-183-0x00000000083A0000-0x00000000083A1000-memory.dmp

                    • memory/3240-182-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

                    • memory/3240-181-0x0000000007A60000-0x0000000007A61000-memory.dmp

                    • memory/3240-180-0x00000000078C0000-0x00000000078C1000-memory.dmp

                    • memory/3240-179-0x0000000004F72000-0x0000000004F73000-memory.dmp

                    • memory/3240-146-0x0000000000000000-mapping.dmp

                    • memory/3240-178-0x0000000004F70000-0x0000000004F71000-memory.dmp

                    • memory/3240-174-0x00000000035E0000-0x00000000035E1000-memory.dmp

                    • memory/3240-175-0x00000000035E0000-0x00000000035E1000-memory.dmp

                    • memory/3240-176-0x0000000004F20000-0x0000000004F21000-memory.dmp

                    • memory/3240-440-0x000000000FA70000-0x000000000FA71000-memory.dmp

                    • memory/3636-173-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-132-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-131-0x00000261BD9B6000-0x00000261BD9B8000-memory.dmp

                    • memory/3636-130-0x00000261BD9B3000-0x00000261BD9B5000-memory.dmp

                    • memory/3636-129-0x00000261BD9B0000-0x00000261BD9B2000-memory.dmp

                    • memory/3636-128-0x00000261BFA90000-0x00000261BFA91000-memory.dmp

                    • memory/3636-127-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-126-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-125-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-124-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-123-0x00000261A5430000-0x00000261A5431000-memory.dmp

                    • memory/3636-122-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-121-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-120-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-119-0x00000261A3870000-0x00000261A3872000-memory.dmp

                    • memory/3636-118-0x00000261A3870000-0x00000261A3872000-memory.dmp