Malware Analysis Report

2024-10-16 03:23

Sample ID 220727-hahknaeff3
Target 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.zip
SHA256 3ed7c84e02085f4a019e047a4bcae4ac3c1b002f08bc7b22a4db3e4c948d9538
Tags
512478c08dada2af19e49808fbda5b0b blackmatter ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ed7c84e02085f4a019e047a4bcae4ac3c1b002f08bc7b22a4db3e4c948d9538

Threat Level: Known bad

The file 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.zip was found to be: Known bad.

Malicious Activity Summary

512478c08dada2af19e49808fbda5b0b blackmatter ransomware

Blackmatter family

BlackMatter Ransomware

Modifies extensions of user files

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-27 06:31

Signatures

Blackmatter family

blackmatter

Analysis: behavioral5

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

android-x64-arm64-20220621-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
NL 216.58.214.14:443 udp
NL 142.250.179.195:443 tcp
NL 172.217.168.234:443 udp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.202:443 tcp
NL 172.217.168.202:443 tcp
NL 142.250.179.162:443 tcp
NL 142.251.36.38:443 tcp
NL 142.251.36.8:443 tcp
NL 142.250.179.138:443 tcp
NL 216.58.208.98:443 tcp
NL 172.217.168.234:443 tcp
NL 142.250.179.138:443 tcp
NL 142.250.179.202:80 play.googleapis.com tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

debian9-armhf-en-20211208

Max time kernel

0s

Command Line

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Signatures

N/A

Processes

/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:37

Platform

win7-20220718-en

Max time kernel

41s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SaveRegister.tiff C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\SaveRegister.tiff => C:\Users\Admin\Pictures\SaveRegister.tiff.iGJgzMxgY C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\SaveRegister.tiff.iGJgzMxgY C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockSelect.png => C:\Users\Admin\Pictures\UnblockSelect.png.iGJgzMxgY C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockSelect.png.iGJgzMxgY C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\iGJgzMxgY.bmp" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\iGJgzMxgY.bmp" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

"C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 104.110.191.201:80 apps.identrust.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.243.220:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.243.220:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
NL 95.211.75.16:443 mojobiden.com tcp
NL 95.211.75.16:80 mojobiden.com tcp
US 103.224.212.222:443 paymenthacks.com tcp
US 199.59.243.220:80 ww25.paymenthacks.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.243.220:80 ww25.paymenthacks.com tcp
NL 95.211.75.16:443 mojobiden.com tcp
NL 95.211.75.16:80 mojobiden.com tcp

Files

memory/1348-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

memory/1348-55-0x0000000000415000-0x0000000000426000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

android-x64-20220621-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
NL 142.251.39.106:443 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
N/A 224.0.0.251:5353 udp
NL 142.251.36.46:443 udp
NL 172.217.168.234:443 tcp
NL 142.251.39.106:443 tcp
NL 142.251.39.106:443 tcp
NL 142.251.36.34:443 tcp
NL 142.251.39.106:443 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:37

Platform

macos-20220504-en

Max time kernel

116s

Max time network

152s

Command Line

[/usr/sbin/spctl --test-devid-status]

Signatures

N/A

Processes

/usr/sbin/spctl

[/usr/sbin/spctl --test-devid-status]

/usr/bin/syslog

[/usr/bin/syslog -s -k com.apple.message.domain com.apple.security.assessment.current_state com.apple.message.signature assessments enabled com.apple.message.signature2 devid enabled Message Gatekeeper state assessments enabled/devid enabled]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

/bin/zsh

[/bin/zsh -c /Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

/bin/zsh

[/bin/zsh -c /Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/Users/run/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Network

Country Destination Domain Proto
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
NL 17.253.53.210:443 gsp-ssl.ls.apple.com tcp
US 8.8.8.8:53 itunes.apple.com udp
NL 104.73.136.99:443 itunes.apple.com tcp
US 8.8.8.8:53 udp
US 17.142.171.6:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Command Line

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Signatures

N/A

Processes

/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

debian9-mipsbe-en-20211208

Command Line

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Signatures

N/A

Processes

/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

debian9-mipsel-en-20211208

Max time kernel

0s

Command Line

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Signatures

N/A

Processes

/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

[/tmp/22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:37

Platform

win10v2004-20220721-en

Max time kernel

143s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SkipRequest.crw => C:\Users\Admin\Pictures\SkipRequest.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectMount.tif => C:\Users\Admin\Pictures\UnprotectMount.tif.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\WaitConnect.crw => C:\Users\Admin\Pictures\WaitConnect.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\ClearClose.raw => C:\Users\Admin\Pictures\ClearClose.raw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\ClearClose.raw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\PopStep.png => C:\Users\Admin\Pictures\PopStep.png.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToInvoke.raw => C:\Users\Admin\Pictures\ConvertToInvoke.raw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipSuspend.tiff C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\WaitConnect.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewConfirm.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\PopStep.png.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectRestart.tiff => C:\Users\Admin\Pictures\ProtectRestart.tiff.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnprotectMount.tif.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertToInvoke.raw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\ImportCompare.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\NewConfirm.crw => C:\Users\Admin\Pictures\NewConfirm.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\SearchCheckpoint.crw => C:\Users\Admin\Pictures\SearchCheckpoint.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchCheckpoint.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipRequest.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\SkipSuspend.tiff => C:\Users\Admin\Pictures\SkipSuspend.tiff.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipSuspend.tiff.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File renamed C:\Users\Admin\Pictures\ImportCompare.crw => C:\Users\Admin\Pictures\ImportCompare.crw.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectRestart.tiff C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectRestart.tiff.zdYRw8MR1 C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zdYRw8MR1.bmp" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zdYRw8MR1.bmp" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe

"C:\Users\Admin\AppData\Local\Temp\22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.253.146.121:80 tcp
US 8.253.146.121:80 tcp
US 8.253.146.121:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 paymenthacks.com udp
US 103.224.212.222:443 paymenthacks.com tcp
US 8.253.183.249:80 tcp
US 13.107.22.200:443 tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.243.220:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
NL 81.171.28.45:443 mojobiden.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.220:80 survey-smiles.com tcp
FR 40.79.141.154:443 tcp
FR 2.18.109.224:443 tcp
NL 81.171.28.45:80 mojobiden.com tcp
US 199.59.243.220:80 survey-smiles.com tcp
US 103.224.212.222:443 paymenthacks.com tcp
US 199.59.243.220:80 survey-smiles.com tcp
US 103.224.212.222:80 paymenthacks.com tcp
US 199.59.243.220:80 survey-smiles.com tcp
NL 81.171.28.45:443 mojobiden.com tcp
US 199.59.243.220:80 survey-smiles.com tcp
US 93.184.220.29:80 tcp
US 199.59.243.220:80 survey-smiles.com tcp
NL 81.171.28.45:80 mojobiden.com tcp
US 199.59.243.220:80 survey-smiles.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-27 06:31

Reported

2022-07-27 06:32

Platform

android-x86-arm-20220621-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
NL 142.250.179.138:443 tcp
NL 142.250.179.138:443 tcp

Files

N/A