Sample | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe |
Size | 80KB |
Date | 08-05-2022 13:02 |
Analysis | behavioral1 |
MD5 | 5c66cd4f21254f83663819138e634dd9 |
SHA1 | 6626cae85970e6490b8b0bf9da9aa4b57a79bb62 |
SHA256 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c |
SHA512 | 093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a |
Extracted
Path | C:\S8qmQECmy.README.txt |
Family | blackmatter |
Ransom Note |
[BlackMatter ASCII-art banner reading "BLACK ... Matter"]
>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What data stolen?
From your network was stolen sensitive data.
If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
|
URLs |
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 |
The path segment after the .onion host is the victim-specific part of the link; when turning this into an indicator, match on the host rather than the full URL.
-
BlackMatter Ransomware
Description
The BlackMatter ransomware group claims to be the successor of Darkside and REvil.
-
Modifies extensions of user files
Process: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe (PID 892)
Description
Ransomware generally changes the extension on encrypted files. In this run every rename under C:\Users\Admin\Pictures appends the suffix .S8qmQECmy to the original name, and the files also show up as opened for modification under the new name, which is what encryption in place looks like rather than a plain bulk rename. The same token names the ransom note (S8qmQECmy.README.txt) and the wallpaper bitmap (S8qmQECmy.bmp), so one string links the three artifacts of this run; it should not be assumed stable across other BlackMatter samples, so detect on the behaviour rather than the string.
Reported IOCs
process (all rows) | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
description | ioc
File opened for modification | C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy
File renamed | C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy
File renamed | C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy
File renamed | C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy
File renamed | C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\RenameRestart.tiff
File renamed | C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy
File opened for modification | C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy
File renamed | C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy
-
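The following is an added triage example, not code from the sandbox or from the BlackMatter sample. It takes the file events above (copied into a constructed input in the sandbox's "description ioc" form), infers the appended extension from the rename pairs, checks that the renamed files are also opened for writing, and looks for other artifacts carrying the same token. The function names, the thresholds in looks_like_mass_encryption and the artifact list are choices made here for illustration.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed input: the thirteen file events this report attributes to PID 892,
# in the sandbox's "description  ioc" form (process column dropped because every
# row names the same executable).
SAMPLE_EVENTS = r"""
File opened for modification C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy
File renamed C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\RenameStep.png.S8qmQECmy
File renamed C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy
File renamed C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.S8qmQECmy
File renamed C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff
File renamed C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\RenameRestart.tiff.S8qmQECmy
File opened for modification C:\Users\Admin\Pictures\StopInvoke.png.S8qmQECmy
File renamed C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.S8qmQECmy
"""

# Other artifact paths named elsewhere in this report (constructed list).
SAMPLE_ARTIFACTS = [
    r"C:\S8qmQECmy.README.txt",
    r"C:\ProgramData\S8qmQECmy.bmp",
    r"C:\Users\Admin\Desktop\S8qmQECmy.README.txt",
]


class FileEvent(NamedTuple):
    action: str              # "renamed" or "opened for modification"
    path: str                # path as logged (source path for renames)
    new_path: Optional[str]  # destination for renames, else None


_RENAME = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
_MODIFY = re.compile(r"^File opened for modification (?P<path>.+)$")


def parse_events(text: str) -> list[FileEvent]:
    """Turn sandbox file-event lines into FileEvent records; other lines are skipped."""
    events: list[FileEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RENAME.match(line):
            events.append(FileEvent("renamed", m["src"], m["dst"]))
        elif m := _MODIFY.match(line):
            events.append(FileEvent("opened for modification", m["path"], None))
    return events


def infer_appended_extension(events: list[FileEvent]) -> Optional[tuple[str, int]]:
    """Return (suffix, rename_count) when every rename appends one and the same
    dotted suffix to the original name. A move to another directory, a rename
    that replaces the extension, or a mix of suffixes returns None."""
    suffixes: Counter[str] = Counter()
    for ev in events:
        if ev.action != "renamed":
            continue
        if ev.new_path is None or not ev.new_path.startswith(ev.path + "."):
            return None
        suffixes[ev.new_path[len(ev.path):]] += 1
    if len(suffixes) != 1:
        return None
    (suffix, count), = suffixes.items()
    return suffix, count


def original_extensions(events: list[FileEvent]) -> set[str]:
    """Lower-cased extensions of the renamed files before the rename."""
    return {ev.path.rsplit(".", 1)[-1].lower() for ev in events if ev.action == "renamed"}


def token_artifacts(suffix: str, paths: list[str]) -> list[str]:
    """Paths whose file name carries the random token from the appended suffix."""
    token = suffix.lstrip(".")
    return [p for p in paths if token in p.rsplit("\\", 1)[-1]]


def looks_like_mass_encryption(events: list[FileEvent], min_renames: int = 3, min_types: int = 2) -> bool:
    """Heuristic: one appended suffix across several files of different types, and
    the renamed files are also opened for writing (encrypt in place), which a plain
    bulk rename would not show. Thresholds are illustrative."""
    inferred = infer_appended_extension(events)
    if inferred is None:
        return False
    _suffix, count = inferred
    rewritten = {ev.new_path for ev in events if ev.action == "renamed"}
    modified = {ev.path for ev in events if ev.action == "opened for modification"}
    return count >= min_renames and len(original_extensions(events)) >= min_types and bool(rewritten & modified)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(infer_appended_extension(evs))             # (".S8qmQECmy", 6)
    print(sorted(original_extensions(evs)))           # ['crw', 'png', 'tiff']
    print(token_artifacts(".S8qmQECmy", SAMPLE_ARTIFACTS))
    print(looks_like_mass_encryption(evs))            # True
```

The suffix is inferred rather than matched against a known string, so the same logic applies to a sample that uses a different token; only the artifact list and the thresholds would change for another report.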
Sets desktop wallpaper using registry
Process: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Reported IOCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\S8qmQECmy.bmp" | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\S8qmQECmy.bmp" | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Registry value names are case-insensitive, so WallPaper and Wallpaper are the same value written twice, not two values. The bitmap name carries the same S8qmQECmy token as the appended extension and the ransom note.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Process: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events to an attached debugger. It is a common anti-analysis step; the signature fired six times for PID 892.
Reported IOCs
pid | process
892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe (reported 6 times)
-
Modifies Control Panel
Process: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Reported IOCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
-
Opens file in notepad (likely ransom note)
Process: NOTEPAD.EXE
Reported IOCs
pid | process
1532 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses
Process: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Reported IOCs
pid | process
892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe (reported 4 times)
-
Suspicious use of AdjustPrivilegeToken
Processes: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe, vssvc.exe
Reported IOCs
description | pid | process
Token: SeBackupPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeDebugPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 36 | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeImpersonatePrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncBasePriorityPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncreaseQuotaPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 33 | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeManageVolumePrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeProfSingleProcessPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeRestorePrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSecurityPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSystemProfilePrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeTakeOwnershipPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeShutdownPrivilege | 892 | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeBackupPrivilege | 1356 | vssvc.exe
Token: SeRestorePrivilege | 1356 | vssvc.exe
Token: SeAuditPrivilege | 1356 | vssvc.exe
The bare numbers 36 and 33 are privilege LUIDs the sandbox did not resolve to names. This signature records what each process asked AdjustTokenPrivileges to enable; a privilege can only be enabled if it is already present in the token, and SeDebugPrivilege and SeTakeOwnershipPrivilege are by default held only by administrators, so whether those requests succeeded depends on the account the sample ran under. The SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege entries for vssvc.exe are normal for the Volume Shadow Copy service.
-
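An added example of how the privilege rows above can be turned into a per-process capability summary; it is not code from the sandbox or from the sample. The input is a constructed copy of the seventeen rows in the sandbox's "Token: <privilege> <pid> <process>" form. The LUID-to-name mapping for 33 and 36 is taken from the SE_*_PRIVILEGE constants in winnt.h and is an assumption, not something the report states; the capability rules and the ransomware_privilege_profile heuristic are choices made here for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE_EXE = "2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"

# Constructed input: the AdjustPrivilegeToken rows from this report, rebuilt in
# the sandbox's "Token: <privilege> <pid> <process>" form.
_SAMPLE_PRIVS = [
    "SeBackupPrivilege", "SeDebugPrivilege", "36", "SeImpersonatePrivilege",
    "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
    "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
    "SeShutdownPrivilege",
]
_VSSVC_PRIVS = ["SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"]
SAMPLE_TOKENS = "\n".join(
    [f"Token: {p} 892 {SAMPLE_EXE}" for p in _SAMPLE_PRIVS]
    + [f"Token: {p} 1356 vssvc.exe" for p in _VSSVC_PRIVS]
)

_TOKEN = re.compile(r"^Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)$")

# Bare numbers are privilege LUIDs the sandbox left unresolved. Mapping assumed
# from the SE_*_PRIVILEGE constants in winnt.h; the report itself does not say.
LUID_NAMES = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "36": "SeDelegateSessionUserImpersonatePrivilege",
}

# Capability rules (illustrative): a finding applies when every listed
# privilege was requested by the process.
RULES: list[tuple[str, frozenset[str]]] = [
    ("read and overwrite files regardless of ACLs", frozenset({"SeBackupPrivilege", "SeRestorePrivilege"})),
    ("take ownership of protected objects", frozenset({"SeTakeOwnershipPrivilege"})),
    ("open and manipulate arbitrary processes", frozenset({"SeDebugPrivilege"})),
    ("raw volume access", frozenset({"SeManageVolumePrivilege"})),
    ("impersonate other users' tokens", frozenset({"SeImpersonatePrivilege"})),
    ("force shutdown or reboot", frozenset({"SeShutdownPrivilege"})),
    ("change SACLs and read the security log", frozenset({"SeSecurityPrivilege"})),
]


def parse_tokens(text: str) -> dict[tuple[int, str], set[str]]:
    """Group requested privileges by (pid, process), resolving bare LUIDs to names."""
    privs: dict[tuple[int, str], set[str]] = defaultdict(set)
    for raw in text.splitlines():
        if m := _TOKEN.match(raw.strip()):
            privs[(int(m["pid"]), m["proc"])].add(LUID_NAMES.get(m["priv"], m["priv"]))
    return dict(privs)


def assess(privs: set[str]) -> list[str]:
    """Findings whose required privileges are all present in what the process requested."""
    return [finding for finding, needed in RULES if needed <= privs]


def ransomware_privilege_profile(privs: set[str]) -> bool:
    """Backup+Restore (bypass ACLs on read and write) together with Debug or
    TakeOwnership (deal with processes or owners in the way) is the shape an
    encryptor asks for; a backup service asks for Backup+Restore alone."""
    return ({"SeBackupPrivilege", "SeRestorePrivilege"} <= privs
            and bool({"SeDebugPrivilege", "SeTakeOwnershipPrivilege"} & privs))


def report(text: str) -> dict[str, dict]:
    """Per-process summary suitable for a triage note."""
    return {
        f"{proc} (pid {pid})": {"findings": assess(p), "ransomware_profile": ransomware_privilege_profile(p)}
        for (pid, proc), p in parse_tokens(text).items()
    }


if __name__ == "__main__":
    for name, summary in report(SAMPLE_TOKENS).items():
        print(name, summary)
```

Run against the rows above, the sample process matches all seven rules and the ransomware profile, while vssvc.exe matches only the Backup+Restore rule, which is what separates the encryptor from the service it woke up.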
Processes
C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Command line | "C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe" |
Signatures | Modifies extensions of user files; Sets desktop wallpaper using registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken |
-
C:\Windows\system32\vssvc.exe
Command line | C:\Windows\system32\vssvc.exe |
Signatures | Suspicious use of AdjustPrivilegeToken |
vssvc.exe is the Volume Shadow Copy service. Its presence in the tree shows the service was started during the run, which ransomware commonly triggers when it enumerates or deletes shadow copies, but this report records no shadow-copy deletion, so none should be inferred from this page alone.
-
C:\Windows\system32\NOTEPAD.EXE
Command line | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt |
Signatures | Opens file in notepad (likely ransom note) |
-
Files
C:\Users\Admin\Desktop\S8qmQECmy.README.txt
MD5 | 896f61d321c4af276b7a80be14715992 |
SHA1 | feca31af9616ac09d73900d32a8dc8d08fce51e6 |
SHA256 | 8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21 |
SHA512 | 81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e |
-
Memory dumps
memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
-
memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmp
-
memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp