Analysis

  • max time kernel
    60s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2022 15:05

General

  • Target

    55926e8f3e48c5cc5a1e6279045a5ae39c26dcc79e84411d34f7b2158042a843.exe

  • Size

    66KB

  • MD5

    8e09e25c6dd51a06b9383457a5ec4b1e

  • SHA1

    bb04c8d83f8946c3e03386269b290fb338c07dae

  • SHA256

    55926e8f3e48c5cc5a1e6279045a5ae39c26dcc79e84411d34f7b2158042a843

  • SHA512

    5ff01b4a419f3e25b5b3b154b556dd847a33aff884e25fc2c827bdf7c2d10b77affb7908f46b7400c293470314984ad771303d6468c6909b86093af9fca0414b

  • SSDEEP

    1536:1zICS4AT6GxdEe+TOdincJXvKvWLBjklE:WR7auJXSOhCE

Score
10/10

Malware Config

Extracted

Path

C:\4tYDr68D1.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Modifies extensions of user files 20 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55926e8f3e48c5cc5a1e6279045a5ae39c26dcc79e84411d34f7b2158042a843.exe
    "C:\Users\Admin\AppData\Local\Temp\55926e8f3e48c5cc5a1e6279045a5ae39c26dcc79e84411d34f7b2158042a843.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:812
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads