Overview

overview

10

Static

static

10

45ecce9dfe...6d.exe

windows7_x64

10

45ecce9dfe...6d.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d.exe

  • Size

    66KB

  • MD5

    f04d97ffa32eec5aac8f84d86a1f51a0

  • SHA1

    bd75fd070c4962aa59653f934e4af68b609a021d

  • SHA256

    45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d

  • SHA512

    77bdb50d7b300e6acd2ef273751673e7dc6c52610ce2c007f7d98805535c10dc96975b74a7ee8ed41f3097a485e57803053c52f0b1f27e524f7f04b0aee7d284

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\TEVwl5dwR.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d.exe
    "C:\Users\Admin\AppData\Local\Temp\45ecce9dfec886e2b092a996f6affb9e7417d6121e58b0ec643be7e36a03106d.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-54-0x0000000076121000-0x0000000076123000-memory.dmp
    Filesize

    8KB

    Download
  • memory/528-55-0x0000000000A05000-0x0000000000A16000-memory.dmp
    Filesize

    68KB

    Download
  • memory/528-56-0x0000000000A00000-0x0000000000A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/528-57-0x0000000000A16000-0x0000000000A17000-memory.dmp
    Filesize

    4KB

    Download