General

  • Target

    BlackMatter-win_PS1-reflective.zip

  • Size

    585KB

  • Sample

    211205-ak8wlabghj

  • MD5

    451e17fd4720b996b6b7515b90f12c79

  • SHA1

    88dd181ba9133b094fdbcaadb1154ff4ce5df8f0

  • SHA256

    d9a0283f6e1e1bf2690fbe4c60b8bafbe971ca96f5bb754917427b1f709759ce

  • SHA512

    0f61d97337b8a5d13f5dac270cf755f9fa7a75ac926712457dbb3ff915f5b53c921c1e2b5a82aaa782deb7d125ede8fd48b5c7912ffe2e5b20e596983b428383

Score
10/10

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Targets

    • Target

      OTSLG.ps1

    • Size

      915KB

    • MD5

      001bfe6f72fe64660ba498107c658bdc

    • SHA1

      0946baf23e867f2564302b60f777db72a1244a30

    • SHA256

      c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

    • SHA512

      32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

    Score
    10/10
    • BlackMatter Ransomware

      BlackMatter ransomware group claims to be Darkside and REvil succesor.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      dump_stage1.ps1

    • Size

      740KB

    • MD5

      5cffb281fe8937f26e4994f8133f7456

    • SHA1

      5479ddb635bf9c9a5632955c7d2cd2a6047256df

    • SHA256

      3609272795c8f8ba1275959d1457b03f6143efaaf8cd037547cd561e68763237

    • SHA512

      12418b348819ae9b9aa1115c19723cd77964273c3b0d07225971756a3ccd1061f0db891911390847d244db3acbf1b268739275a0e3fe2a41407781443a26600e

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      dump_stage2.ps1

    • Size

      328KB

    • MD5

      94982d1b3f651eefb0dfe0cae15c99de

    • SHA1

      7d32816f90fd7a459b00fdaa329488e019cf8cdb

    • SHA256

      20ba4529c17660f96be2882dbbf520c0388917dd49de1ded22b063af32e35ffe

    • SHA512

      103f2e9b96394592897417352a75e05aa411ed39b88a7e24c768c9acc20e60f5572b427ee40152e55fc9c205d8a2626901524d2b2768fd439fdae8765b25ad3e

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks