Analysis

  • max time kernel
    122s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 00:36

General

  • Target

    26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe

  • Size

    80KB

  • MD5

    471db2ef4582dc264ae95d2838f81588

  • SHA1

    b6e130a43134613c45f10f0160090e26ded4dd3c

  • SHA256

    26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345

  • SHA512

    8319596227fff44191f7cb9b03d7f6b1b20d89f6e7a034773ddd6d631086c609a1caf2f4f53bd89516925427676a75496aef9dd8754a45cd38536bfb856ed7b6

Score
10/10

Malware Config

Extracted

Path

C:\uR7ZOTnZH.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.

>>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EXJ0CFHWOZIISIE4NG3LT

>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EXJ0CFHWOZIISIE4NG3LT

Signatures

  • BlackMatter Ransomware

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Modifies extensions of user files (6 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  • Modifies Control Panel (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe
    "C:\Users\Admin\AppData\Local\Temp\26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345.exe"
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2388
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1400

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Impact: Defacement (T1491), 1 signature

Downloads

  • memory/2388-115-0x0000000000F53000-0x0000000000F55000-memory.dmp
    Filesize

    8KB

  • memory/2388-116-0x0000000000F50000-0x0000000000F51000-memory.dmp
    Filesize

    4KB