blackmatter | d9a0283f6e1e1bf2690fbe4c60b8bafbe971ca96f5bb754917427b1f709759ce

General

Target

OTSLG.ps1
Size

915KB
MD5

001bfe6f72fe64660ba498107c658bdc
SHA1

0946baf23e867f2564302b60f777db72a1244a30
SHA256

c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
SHA512

32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

powershell.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SendPing.png => C:\Users\Admin\Pictures\SendPing.png.WRLMMTHME	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\SendPing.png.WRLMMTHME	powershell.exe
File renamed	C:\Users\Admin\Pictures\DisableAssert.png => C:\Users\Admin\Pictures\DisableAssert.png.WRLMMTHME	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\DisableAssert.png.WRLMMTHME	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

File opened (read-only) \??\Z: powershell.exe

description	ioc	process
File opened (read-only)	\??\Z:	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp"	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

powershell.exe

pid process

4584 powershell.exe
4584 powershell.exe
4584 powershell.exe
4584 powershell.exe
4584 powershell.exe
4584 powershell.exe

pid	process
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exe

pid	process
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeImpersonatePrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2864 wrote to memory of 4584	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 4584	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 4584	2864	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1b58bf4c28654e1a15e58ddddf34b66f

SHA1
91f9972644a6365861b04a9f2bd2086c676f5397

SHA256
ca2f7b69672c8db70db75fea7907c5776e3a228e91b3932c67236357a73f733b

SHA512
1d341ac9034f876f73f315ee62b8a76f15366937de2042fc8aa2311002deabb40b9eb889b2e7fce394b3fdb4990a0cf7de8b79c46112d1958558f1a11413cecd

Download Submit
memory/2864-121-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-123-0x000001AEDD0E0000-0x000001AEDD0E1000-memory.dmp

Filesize
4KB

Download
memory/2864-118-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-119-0x000001AEDC5A0000-0x000001AEDC5A1000-memory.dmp

Filesize
4KB

Download
memory/2864-120-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-116-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-122-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-117-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-124-0x000001AEDC610000-0x000001AEDC612000-memory.dmp

Filesize
8KB

Download
memory/2864-125-0x000001AEDC613000-0x000001AEDC615000-memory.dmp

Filesize
8KB

Download
memory/2864-126-0x000001AEDC616000-0x000001AEDC618000-memory.dmp

Filesize
8KB

Download
memory/2864-127-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-115-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/2864-168-0x000001AEC3E60000-0x000001AEC3E62000-memory.dmp

Filesize
8KB

Download
memory/4584-169-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/4584-178-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/4584-171-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/4584-172-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4584-174-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/4584-173-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/4584-175-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/4584-176-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/4584-177-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/4584-170-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/4584-141-0x0000000000000000-mapping.dmp

Download
memory/4584-180-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/4584-181-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/4584-182-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/4584-183-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/4584-218-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/4584-219-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/4584-433-0x0000000006C06000-0x0000000006C08000-memory.dmp

Filesize
8KB

Download
memory/4584-436-0x000000000BE00000-0x000000000BE01000-memory.dmp

Filesize
4KB

Download
memory/4584-435-0x000000000BE03000-0x000000000BE05000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads