Analysis
- max time kernel: 110s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 00:17
- Static task: static1
- Behavioral task behavioral1: sample OTSLG.ps1, resource win7-en-20211104
- Behavioral task behavioral2: sample OTSLG.ps1, resource win10-en-20211014
- Behavioral task behavioral3: sample dump_stage1.ps1, resource win7-en-20211104
- Behavioral task behavioral4: sample dump_stage1.ps1, resource win10-en-20211014
- Behavioral task behavioral5: sample dump_stage2.ps1, resource win7-en-20211104
- Behavioral task behavioral6: sample dump_stage2.ps1, resource win10-en-20211104
General
- Target: OTSLG.ps1
- Size: 915KB
- MD5: 001bfe6f72fe64660ba498107c658bdc
- SHA1: 0946baf23e867f2564302b60f777db72a1244a30
- SHA256: c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
- SHA512: 32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3
Malware Config
- Extracted from: C:\WRLMMTHME.README.txt
- Family: blackmatter
- URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O1E1HJ9H8JNKNNHC8
Signatures
- BlackMatter Ransomware
  The BlackMatter ransomware group claims to be the successor of Darkside and REvil.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\SendPing.png => C:\Users\Admin\Pictures\SendPing.png.WRLMMTHME | powershell.exe
  File opened for modification | C:\Users\Admin\Pictures\SendPing.png.WRLMMTHME | powershell.exe
  File renamed | C:\Users\Admin\Pictures\DisableAssert.png => C:\Users\Admin\Pictures\DisableAssert.png.WRLMMTHME | powershell.exe
  File opened for modification | C:\Users\Admin\Pictures\DisableAssert.png.WRLMMTHME | powershell.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Z: | powershell.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" | powershell.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid | Process
  4584 | powershell.exe (6 occurrences)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  2864 | powershell.exe (3 occurrences)
  4584 | powershell.exe (7 occurrences)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2864 | powershell.exe
  Token: SeDebugPrivilege | 4584 | powershell.exe
  Token: SeBackupPrivilege | 4584 | powershell.exe
  Token: SeDebugPrivilege | 4584 | powershell.exe
  Token: 36 | 4584 | powershell.exe
  Token: SeImpersonatePrivilege | 4584 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4584 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4584 | powershell.exe
  Token: 33 | 4584 | powershell.exe
  Token: SeManageVolumePrivilege | 4584 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4584 | powershell.exe
  Token: SeRestorePrivilege | 4584 | powershell.exe
  Token: SeSecurityPrivilege | 4584 | powershell.exe
  Token: SeSystemProfilePrivilege | 4584 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4584 | powershell.exe
  Token: SeShutdownPrivilege | 4584 | powershell.exe
  Token: SeBackupPrivilege | 2840 | vssvc.exe
  Token: SeRestorePrivilege | 2840 | vssvc.exe
  Token: SeAuditPrivilege | 2840 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2864 wrote to memory of 4584 | 2864 | powershell.exe | 69
  PID 2864 wrote to memory of 4584 | 2864 | powershell.exe | 69
  PID 2864 wrote to memory of 4584 | 2864 | powershell.exe | 69
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
  PID: 2864
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps1
    PID: 4584
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2840
  - Suspicious use of AdjustPrivilegeToken