Overview

overview

10

Static

static

bm.ps1

windows7_x64

1

bm.ps1

windows10_x64

10

Analysis

  • max time kernel
    33s
  • max time network
    30s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bm.ps1

  • Size

    915KB

  • MD5

    001bfe6f72fe64660ba498107c658bdc

  • SHA1

    0946baf23e867f2564302b60f777db72a1244a30

  • SHA256

    c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

  • SHA512

    32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bm.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\bm.ps1
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3508

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3240-175-0x00000000035E0000-0x00000000035E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-176-0x0000000004F20000-0x0000000004F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-174-0x00000000035E0000-0x00000000035E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-440-0x000000000FA70000-0x000000000FA71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-439-0x000000000FA73000-0x000000000FA75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-438-0x0000000004F76000-0x0000000004F78000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-223-0x000000007F7C0000-0x000000007F7C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-224-0x0000000004F73000-0x0000000004F74000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-188-0x00000000035E0000-0x00000000035E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-178-0x0000000004F70000-0x0000000004F71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-187-0x0000000008A90000-0x0000000008A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-186-0x0000000008860000-0x0000000008861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-185-0x00000000082E0000-0x00000000082E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-183-0x00000000083A0000-0x00000000083A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-182-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-181-0x0000000007A60000-0x0000000007A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-180-0x00000000078C0000-0x00000000078C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-179-0x0000000004F72000-0x0000000004F73000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-177-0x0000000007B90000-0x0000000007B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3636-128-0x00000261BFA90000-0x00000261BFA91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3636-120-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-122-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-121-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-173-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-132-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-119-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-131-0x00000261BD9B6000-0x00000261BD9B8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-130-0x00000261BD9B3000-0x00000261BD9B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-129-0x00000261BD9B0000-0x00000261BD9B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-127-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-126-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-125-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-124-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3636-123-0x00000261A5430000-0x00000261A5431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3636-118-0x00000261A3870000-0x00000261A3872000-memory.dmp

    Filesize

    8KB

    Download