Analysis
-
max time kernel
98s -
max time network
97s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 12:59
Static task
static1
Behavioral task
behavioral1
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win10v2004-20220414-en
General
-
Target
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
-
Size
80KB
-
MD5
5c66cd4f21254f83663819138e634dd9
-
SHA1
6626cae85970e6490b8b0bf9da9aa4b57a79bb62
-
SHA256
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
-
SHA512
093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
Malware Config
Extracted
C:\S8qmQECmy.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\S8qmQECmy.bmp" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\S8qmQECmy.bmp" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exepid process 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Modifies Control Panel 3 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "10" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1532 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exepid process 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exevssvc.exedescription pid process Token: SeBackupPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeDebugPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: 36 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeImpersonatePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeIncBasePriorityPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeIncreaseQuotaPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: 33 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeManageVolumePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeProfSingleProcessPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeRestorePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeSecurityPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeSystemProfilePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeTakeOwnershipPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeShutdownPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeBackupPrivilege 1356 vssvc.exe Token: SeRestorePrivilege 1356 vssvc.exe Token: SeAuditPrivilege 1356 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Downloads
-
C:\Users\Admin\Desktop\S8qmQECmy.README.txtFilesize
1KB
MD5896f61d321c4af276b7a80be14715992
SHA1feca31af9616ac09d73900d32a8dc8d08fce51e6
SHA2568553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21
SHA51281fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e
-
memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmpFilesize
8KB
-
memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmpFilesize
68KB
-
memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmpFilesize
8KB