Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
03-12-2021 13:54
Static task
static1
Behavioral task
behavioral1
Sample
OTSLG.ps1
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
OTSLG.ps1
Resource
win10-en-20211104
General
-
Target
OTSLG.ps1
-
Size
915KB
-
MD5
001bfe6f72fe64660ba498107c658bdc
-
SHA1
0946baf23e867f2564302b60f777db72a1244a30
-
SHA256
c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
-
SHA512
32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3
Malware Config
Extracted
C:\eeWDzMyD5.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SyncExit.raw => C:\Users\Admin\Pictures\SyncExit.raw.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\BlockPush.tif => C:\Users\Admin\Pictures\BlockPush.tif.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\ConfirmJoin.raw => C:\Users\Admin\Pictures\ConfirmJoin.raw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\SearchHide.tif.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\UnpublishRequest.raw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\BlockPush.tif.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\InvokeStart.crw => C:\Users\Admin\Pictures\InvokeStart.crw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\SyncExit.raw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\CloseEdit.raw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\ConfirmJoin.raw.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\SearchHide.tif => C:\Users\Admin\Pictures\SearchHide.tif.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\UnpublishRequest.raw => C:\Users\Admin\Pictures\UnpublishRequest.raw.eeWDzMyD5 powershell.exe File renamed C:\Users\Admin\Pictures\CloseEdit.raw => C:\Users\Admin\Pictures\CloseEdit.raw.eeWDzMyD5 powershell.exe File opened for modification C:\Users\Admin\Pictures\InvokeStart.crw.eeWDzMyD5 powershell.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\eeWDzMyD5.bmp" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\eeWDzMyD5.bmp" powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3064 powershell.exe 3064 powershell.exe 3064 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe 652 powershell.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 3064 powershell.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeBackupPrivilege 652 powershell.exe Token: SeDebugPrivilege 652 powershell.exe Token: 36 652 powershell.exe Token: SeImpersonatePrivilege 652 powershell.exe Token: SeIncBasePriorityPrivilege 652 powershell.exe Token: SeIncreaseQuotaPrivilege 652 powershell.exe Token: 33 652 powershell.exe Token: SeManageVolumePrivilege 652 powershell.exe Token: SeProfSingleProcessPrivilege 652 powershell.exe Token: SeRestorePrivilege 652 powershell.exe Token: SeSecurityPrivilege 652 powershell.exe Token: SeSystemProfilePrivilege 652 powershell.exe Token: SeTakeOwnershipPrivilege 652 powershell.exe Token: SeShutdownPrivilege 652 powershell.exe Token: SeBackupPrivilege 1520 vssvc.exe Token: SeRestorePrivilege 1520 vssvc.exe Token: SeAuditPrivilege 1520 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3064 wrote to memory of 652 3064 powershell.exe 70 PID 3064 wrote to memory of 652 3064 powershell.exe 70 PID 3064 wrote to memory of 652 3064 powershell.exe 70
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps12⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520