Behavioral Report

max time kernel98s
max time network97s
platformwindows7_x64
resourcewin7-20220414-en
submitted08-05-2022 12:59

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Filesize

80KB

Completed

08-05-2022 13:02

Task

behavioral1

Score

10^/10

MD5

5c66cd4f21254f83663819138e634dd9

SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62

SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

blackmatter ransomware

Extracted

Path	C:\S8qmQECmy.README.txt
Family	blackmatter
Ransom Note	~+ * + ' BLACK \| () .-.,='``'=. - o - '=/_ \ \| * \| '=._ \| \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs	http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Defense Evasion

Impact

BlackMatter Ransomware

Description

BlackMatter ransomware group claims to be Darkside and REvil succesor.

Tags

ransomware blackmatter

Modifies extensions of user files

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Description

Ransomware generally changes the extension on encrypted files.

Reported IOCs

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRestart.tiff	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Sets desktop wallpaper using registry

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

TTPs

DefacementModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\S8qmQECmy.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\S8qmQECmy.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Reported IOCs

pid	process
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Modifies Control Panel

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "10"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Opens file in notepad (likely ransom note)
NOTEPAD.EXE

Tags

ransomware

Reported IOCs

pid process

1532 NOTEPAD.EXE

pid	process
1532	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Reported IOCs

pid	process
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Suspicious use of AdjustPrivilegeToken

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exevssvc.exe

Reported IOCs

description	pid	process
Token: SeBackupPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeDebugPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 36	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeImpersonatePrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncBasePriorityPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncreaseQuotaPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 33	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeManageVolumePrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeProfSingleProcessPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeRestorePrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSecurityPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSystemProfilePrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeTakeOwnershipPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeShutdownPrivilege	892	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeBackupPrivilege	1356	vssvc.exe
Token: SeRestorePrivilege	1356	vssvc.exe
Token: SeAuditPrivilege	1356	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

"C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"

Modifies extensions of user files
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:892

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Suspicious use of AdjustPrivilegeToken

PID:1356

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt

Opens file in notepad (likely ransom note)

PID:1532

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Defacement

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\Desktop\S8qmQECmy.README.txt
MD5
896f61d321c4af276b7a80be14715992

SHA1
feca31af9616ac09d73900d32a8dc8d08fce51e6

SHA256
8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

SHA512
81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

Download Submit
memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Download
memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmp

Download
memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Tags

TTPs

Reported IOCs

Reported IOCs

Tags

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title