Analysis

  • max time kernel
    98s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 12:59

General

  • Target

    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

  • Size

    80KB

  • MD5

    5c66cd4f21254f83663819138e634dd9

  • SHA1

    6626cae85970e6490b8b0bf9da9aa4b57a79bb62

  • SHA256

    2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

  • SHA512

    093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

Score
10/10

Malware Config

Extracted

Path

C:\S8qmQECmy.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
    "C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:892
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1356
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S8qmQECmy.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\S8qmQECmy.README.txt
    Filesize

    1KB

    MD5

    896f61d321c4af276b7a80be14715992

    SHA1

    feca31af9616ac09d73900d32a8dc8d08fce51e6

    SHA256

    8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

    SHA512

    81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

  • memory/892-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize

    8KB

  • memory/892-55-0x00000000004D5000-0x00000000004E6000-memory.dmp
    Filesize

    68KB

  • memory/1532-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
    Filesize

    8KB