Analysis
-
max time kernel: 119s
-
max time network: 122s
-
platform: windows7_x64
-
resource: win7-en-20211208
-
submitted: 24-01-2022 00:36
Static task: static1
Behavioral task: behavioral1
Sample: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Resource: win10-en-20211208
General
-
Target: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
-
Size: 80KB
-
MD5: 471db2ef4582dc264ae95d2838f81588
-
SHA1: b6e130a43134613c45f10f0160090e26ded4dd3c
-
SHA256: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345
-
SHA512: 8319596227fff44191f7cb9b03d7f6b1b20d89f6e7a034773ddd6d631086c609a1caf2f4f53bd89516925427676a75496aef9dd8754a45cd38536bfb856ed7b6
Malware Config
Extracted
Path: C:\y2VGe3tGZ.README.txt
Family: blackmatter
URL: http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EXJ0CFHWOZIISIE4NG3LT
Signatures
-
BlackMatter Ransomware
The BlackMatter ransomware group claims to be the successor of Darkside and REvil.
-
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\DebugUninstall.tif.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\PushPublish.raw => C:\Users\Admin\Pictures\PushPublish.raw.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\ReceiveRequest.tiff | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\ReceiveRequest.tiff => C:\Users\Admin\Pictures\ReceiveRequest.tiff.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\WaitRequest.png => C:\Users\Admin\Pictures\WaitRequest.png.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\ConnectShow.png.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\CompareStop.raw.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\ConnectShow.png => C:\Users\Admin\Pictures\ConnectShow.png.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\DebugUninstall.tif => C:\Users\Admin\Pictures\DebugUninstall.tif.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\PushPublish.raw.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\ReceiveRequest.tiff.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File opened for modification | C:\Users\Admin\Pictures\WaitRequest.png.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
File renamed | C:\Users\Admin\Pictures\CompareStop.raw => C:\Users\Admin\Pictures\CompareStop.raw.y2VGe3tGZ | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\y2VGe3tGZ.bmp" | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\y2VGe3tGZ.bmp" | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
pid | process
1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe (6 identical entries)
-
Modifies Control Panel (3 IoCs)
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10" | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
pid | process
1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe (4 identical entries)
-
Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes: 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe, vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeDebugPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: 36 | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeImpersonatePrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeIncBasePriorityPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeIncreaseQuotaPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: 33 | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeManageVolumePrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeProfSingleProcessPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeRestorePrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeSecurityPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeSystemProfilePrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeTakeOwnershipPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeShutdownPrivilege | 1628 | 26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Token: SeBackupPrivilege | 1224 | vssvc.exe
Token: SeRestorePrivilege | 1224 | vssvc.exe
Token: SeAuditPrivilege | 1224 | vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1628-55-0x0000000075021000-0x0000000075023000-memory.dmp (Filesize: 8KB)
-
memory/1628-57-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
-
memory/1628-56-0x0000000000255000-0x0000000000266000-memory.dmp (Filesize: 68KB)
-
memory/1628-58-0x0000000000266000-0x0000000000267000-memory.dmp (Filesize: 4KB)