Overview

overview

10

Static

static

10

730f2d6243...a4.exe

windows7_x64

10

730f2d6243...a4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-07-2022 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe

  • Size

    80KB

  • MD5

    5fe6daa399b18058f9b7e58fe31b4131

  • SHA1

    1ed39024b03b3490049b4d6f2577ca36e18b405a

  • SHA256

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4

  • SHA512

    31baf91130c7e932068e12fec6dfde7ad283487b9f01b92e64835cf91aba1c4f51602066994a8200b73d219e6ea82929cde1f11ca82fb2a48af90418e57e324c

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\aXWw9vawd.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. From your network was stolen more than 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
    "C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:952
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4636
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\aXWw9vawd.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\aXWw9vawd.README.txt
    Filesize

    1KB

    MD5

    041670e49c2b9ed154fc7eed49a3ae0d

    SHA1

    510f7cd45b40b103e9c95f2d660da8c3ca810c6b

    SHA256

    580e1c3c5b868b5afb2c68aff9f19633daec49e208a380b914f4e34daee2cbe1

    SHA512

    ca8e0a73096f11320983eb7550ce1ad3e1dfe9670d700d9c2a7a66a96688f1e253810b5ba5703ef60577cc904f5fbb9973ff626bb944b2415d41910b5696ad0b

    Download Submit