Overview

overview

10

Static

static

OTSLG.ps1

windows7_x64

5

OTSLG.ps1

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OTSLG.ps1

  • Size

    915KB

  • MD5

    001bfe6f72fe64660ba498107c658bdc

  • SHA1

    0946baf23e867f2564302b60f777db72a1244a30

  • SHA256

    c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

  • SHA512

    32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\eeWDzMyD5.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    385b4a9d826a52e13e9d36280175f8e8

    SHA1

    879c00dae1b257f93f21634aa7eaa184c9fcf5a0

    SHA256

    253c4f5f363812e3bf95830653b86aa2efb50c6db490754a8f1899a0fe6b92dd

    SHA512

    5ea3458f5bbb6e01ed8d2360a508b2be19d132303cafa94de82898058c4c378811556298ae844ee0b54e09a665f7816157a6c8a0e8f015d0292703896754aef8

    Download Submit
  • memory/652-173-0x0000000004D10000-0x0000000004D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-185-0x00000000048C0000-0x00000000048C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-438-0x000000000B4D0000-0x000000000BB48000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/652-174-0x00000000074B0000-0x00000000074B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-437-0x000000000B4D0000-0x000000000BB48000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/652-435-0x0000000004DC6000-0x0000000004DC8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/652-290-0x0000000004DC3000-0x0000000004DC4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-175-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-220-0x000000007EFD0000-0x000000007EFD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-178-0x0000000007B50000-0x0000000007B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-184-0x00000000084E0000-0x00000000084E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-143-0x0000000000000000-mapping.dmp
    Download
  • memory/652-183-0x0000000008260000-0x0000000008261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-176-0x0000000004DC2000-0x0000000004DC3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-172-0x00000000048C0000-0x00000000048C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-182-0x0000000007C10000-0x0000000007C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-180-0x0000000007F10000-0x0000000007F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-179-0x0000000007C30000-0x0000000007C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-171-0x00000000048C0000-0x00000000048C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-177-0x0000000007360000-0x0000000007361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3064-128-0x000002E672806000-0x000002E672808000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-126-0x000002E672800000-0x000002E672802000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-122-0x000002E65A290000-0x000002E65A291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3064-119-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-118-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-170-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-129-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-120-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-127-0x000002E672803000-0x000002E672805000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-125-0x000002E672A40000-0x000002E672A41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3064-124-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-123-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3064-121-0x000002E6586E0000-0x000002E6586E2000-memory.dmp
    Filesize

    8KB

    Download