General
Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Filesize

80KB

Completed

08-05-2022 13:02

Task

behavioral1

Score
10/10
MD5

5c66cd4f21254f83663819138e634dd9

SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62

SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

Malware Config

Extracted

Path

C:\S8qmQECmy.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Signatures 8

Filter: none

Defense Evasion
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\RenameRestart.tiff2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File opened for modificationC:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    File renamedC:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
  • Sets desktop wallpaper using registry
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\S8qmQECmy.bmp"2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\S8qmQECmy.bmp"2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

    Reported IOCs

    pidprocess
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
  • Modifies Control Panel
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Key created\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "10"2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pidprocess
    1532NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

    Reported IOCs

    pidprocess
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
  • Suspicious use of AdjustPrivilegeToken
    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeDebugPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: 368922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeImpersonatePrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeIncBasePriorityPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeIncreaseQuotaPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: 338922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeManageVolumePrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeProfSingleProcessPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeRestorePrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeSecurityPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeSystemProfilePrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeTakeOwnershipPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeShutdownPrivilege8922aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    Token: SeBackupPrivilege1356vssvc.exe
    Token: SeRestorePrivilege1356vssvc.exe
    Token: SeAuditPrivilege1356vssvc.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    "C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
    Modifies extensions of user files
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:892
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1356
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt
    Opens file in notepad (likely ransom note)
    PID:1532
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads
                      • C:\Users\Admin\Desktop\S8qmQECmy.README.txt

                        MD5

                        896f61d321c4af276b7a80be14715992

                        SHA1

                        feca31af9616ac09d73900d32a8dc8d08fce51e6

                        SHA256

                        8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

                        SHA512

                        81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

                      • memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

                      • memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmp

                      • memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp