Analysis

  • max time kernel
    52s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2022 19:22

General

  • Target

    bcef5de9b1667dcdded82596b3a2b4b11c8546659f49662bb352d754d869c641.exe

  • Size

    34KB

  • MD5

    6f5c77478795ff7fb9700ed50b334429

  • SHA1

    6803d62254edf3bdd3bc523422ff98e6120b6e5b

  • SHA256

    668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6

  • SHA512

    40e4ffd227443003e0506f8d1fbfbacde54f9bfb5fa6908f05e134ee25217d3c3907d7c981107d642c071063b57253b4727fb6a211d7698a7a9bae2d8beede5f

Malware Config

Extracted

Path

C:\iGJgzMxgY.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Extracted

Family

blackmatter

Version

1.2

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcef5de9b1667dcdded82596b3a2b4b11c8546659f49662bb352d754d869c641.exe
    "C:\Users\Admin\AppData\Local\Temp\bcef5de9b1667dcdded82596b3a2b4b11c8546659f49662bb352d754d869c641.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1652
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x51c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1596-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

    Filesize

    8KB

  • memory/1596-55-0x0000000000D50000-0x0000000000D67000-memory.dmp

    Filesize

    92KB

  • memory/1596-56-0x0000000000585000-0x0000000000596000-memory.dmp

    Filesize

    68KB

  • memory/1596-57-0x0000000000D50000-0x0000000000D67000-memory.dmp

    Filesize

    92KB