Analysis
-
max time kernel
98s -
max time network
97s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 12:59
Static task
static1
Behavioral task
behavioral1
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Resource
win10v2004-20220414-en
General
-
Target
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
-
Size
80KB
-
MD5
5c66cd4f21254f83663819138e634dd9
-
SHA1
6626cae85970e6490b8b0bf9da9aa4b57a79bb62
-
SHA256
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
-
SHA512
093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
Score
10/10
Malware Config
Extracted
Path
C:\S8qmQECmy.README.txt
Family
blackmatter
Ransom Note
~+
* +
' BLACK |
() .-.,='``'=. - o -
'=/_ \ |
* | '=._ |
\ `=./`, '
. '=.__.=' `=' *
+ Matter +
O * ' .
>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What data stolen?
From your network was stolen sensitive data.
If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2
>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File opened for modification C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe File renamed C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\S8qmQECmy.bmp" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\S8qmQECmy.bmp" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exepid process 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Modifies Control Panel 3 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "10" 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1532 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exepid process 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exevssvc.exedescription pid process Token: SeBackupPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeDebugPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: 36 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeImpersonatePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeIncBasePriorityPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeIncreaseQuotaPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: 33 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeManageVolumePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeProfSingleProcessPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeRestorePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeSecurityPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeSystemProfilePrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeTakeOwnershipPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeShutdownPrivilege 892 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe Token: SeBackupPrivilege 1356 vssvc.exe Token: SeRestorePrivilege 1356 vssvc.exe Token: SeAuditPrivilege 1356 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
00:00
00:00
Downloads
-
C:\Users\Admin\Desktop\S8qmQECmy.README.txtFilesize
1KB
MD5896f61d321c4af276b7a80be14715992
SHA1feca31af9616ac09d73900d32a8dc8d08fce51e6
SHA2568553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21
SHA51281fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e
-
memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmpFilesize
8KB
-
memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmpFilesize
68KB
-
memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmpFilesize
8KB