Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 00:36
Static task: static1
Behavioral task: behavioral1
  Sample: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Resource: win10-en-20211208
General
Target: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Size: 78KB
MD5: cb1e9e0b57107c1f5cd3569bf268de4f
SHA1: 53f0be750671f565019890a35d8463eebc6fddc9
SHA256: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d
SHA512: 2620215ca9a7ba3cb412c8fc33f2bd6d89e0e61dd70d6bbe1762ccb820b29d2e5f7fd6be06c27328b0d333c5d12ef239d0101dfea23c6025b06110b7a3ad4cb5
Malware Config
Extracted
Path: C:\y2VGe3tGZ.README.txt
Family: blackmatter
URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Z1DHIS62B9LUNC74
Signatures
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
Modifies extensions of user files (22 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  description                   ioc
  File opened for modification  C:\Users\Admin\Pictures\RevokeResolve.raw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\MountClear.raw => C:\Users\Admin\Pictures\MountClear.raw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\MountClear.raw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\ExportStep.png.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\FormatRemove.raw => C:\Users\Admin\Pictures\FormatRemove.raw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\OutPublish.crw => C:\Users\Admin\Pictures\OutPublish.crw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\ConvertUnprotect.tif.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\EnterRestore.tiff => C:\Users\Admin\Pictures\EnterRestore.tiff.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\EnterRestore.tiff
  File opened for modification  C:\Users\Admin\Pictures\EnterRestore.tiff.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\ExportStep.png => C:\Users\Admin\Pictures\ExportStep.png.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\FormatRemove.raw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\RevokeResolve.raw => C:\Users\Admin\Pictures\RevokeResolve.raw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\SyncSave.crw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\ConvertUnprotect.tif => C:\Users\Admin\Pictures\ConvertUnprotect.tif.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\EnableAssert.tiff
  File renamed                  C:\Users\Admin\Pictures\WatchCheckpoint.raw => C:\Users\Admin\Pictures\WatchCheckpoint.raw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\OutPublish.crw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\SyncSave.crw => C:\Users\Admin\Pictures\SyncSave.crw.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\WatchCheckpoint.raw.y2VGe3tGZ
  File renamed                  C:\Users\Admin\Pictures\EnableAssert.tiff => C:\Users\Admin\Pictures\EnableAssert.tiff.y2VGe3tGZ
  File opened for modification  C:\Users\Admin\Pictures\EnableAssert.tiff.y2VGe3tGZ
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Process: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\y2VGe3tGZ.bmp"
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\y2VGe3tGZ.bmp"
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
  pid  process
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (3 IoCs)
Process: 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  description      ioc
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10"
Modifies registry class (20 IoCs)
Process: splwow64.exe
  description       ioc
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
  Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (int)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
  Set value (int)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg
  Set value (str)   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"
  Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000
  Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  pid  process
  900  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  process
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  1756  splwow64.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  description                          pid   process
  Token: SeBackupPrivilege             740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeDebugPrivilege              740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: 36                            740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeImpersonatePrivilege        740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeIncBasePriorityPrivilege    740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeIncreaseQuotaPrivilege      740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: 33                            740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeManageVolumePrivilege       740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeProfSingleProcessPrivilege  740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeRestorePrivilege            740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeSecurityPrivilege           740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeSystemProfilePrivilege      740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeTakeOwnershipPrivilege      740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeShutdownPrivilege           740   496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Token: SeBackupPrivilege             1148  vssvc.exe
  Token: SeRestorePrivilege            1148  vssvc.exe
  Token: SeAuditPrivilege              1148  vssvc.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid   process
  1756  splwow64.exe
  1756  splwow64.exe
  1756  splwow64.exe
  1756  splwow64.exe
  1756  splwow64.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                     pid  process                                                                 target process
  PID 740 wrote to memory of 900  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe  NOTEPAD.EXE
  PID 740 wrote to memory of 900  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe  NOTEPAD.EXE
  PID 740 wrote to memory of 900  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe  NOTEPAD.EXE
  PID 740 wrote to memory of 900  740  496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe  NOTEPAD.EXE
  PID 900 wrote to memory of 1756  900  NOTEPAD.EXE  splwow64.exe
  PID 900 wrote to memory of 1756  900  NOTEPAD.EXE  splwow64.exe
  PID 900 wrote to memory of 1756  900  NOTEPAD.EXE  splwow64.exe
  PID 900 wrote to memory of 1756  900  NOTEPAD.EXE  splwow64.exe
Processes
C:\Users\Admin\AppData\Local\Temp\496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" /p C:\Users\y2VGe3tGZ.README.txt
    - Opens file in notepad (likely ransom note)
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\Documents\PingUndo.xps.y2VGe3tGZ
  MD5: 8895165fca0114f7e0262741a16d6648
  SHA1: 2d771961a7da526f89fd6017779ebe356ff244de
  SHA256: 86fd802002f456bfa1cff344944bd38de372d26f9406c1204a0420aec1b9bf6c
  SHA512: a5a38d3ee6bf735cc8bd0b8e35b4f6cb1b3a9f8922107c82511b752211bd3d3d991de240f5cc77cf3995f5ef03f7710d9d1166a4b6ba17c0c06c1e1ba7af0cb1
C:\Users\y2VGe3tGZ.README.txt
  MD5: 3173c50d2e00032d48353d7edb3f6117
  SHA1: 7848dc8f46e8bf2daa056c7a9e6f74bf5709ebab
  SHA256: f38f654730eceb53bb1e07dc19efad9fced2079aa7053518918e6eb090afffcf
  SHA512: 036f72851e0ac9f5c8d0d97ba9278476da568a1b31266d808ba9f76870f2c8fb21be5b9d4a304cc798d0c06c10316dc64bbe9e80877a411e14f02e8ce2dd9c9a
memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp
  Filesize: 8KB
memory/740-56-0x0000000001E10000-0x0000000001E11000-memory.dmp
  Filesize: 4KB
memory/740-55-0x0000000001E15000-0x0000000001E26000-memory.dmp
  Filesize: 68KB
memory/740-57-0x0000000001E26000-0x0000000001E27000-memory.dmp
  Filesize: 4KB
memory/1756-61-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp
  Filesize: 8KB
memory/1756-62-0x00000000041E0000-0x00000000041E1000-memory.dmp
  Filesize: 4KB