Analysis
-
max time kernel
46s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
08-02-2023 09:11
Behavioral task
behavioral1
Sample
BlackMatter.7a223a0aa0f88e84a68da.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
BlackMatter.7a223a0aa0f88e84a68da.exe
Resource
win10v2004-20221111-en
General
-
Target
BlackMatter.7a223a0aa0f88e84a68da.exe
-
Size
95KB
-
MD5
930b9c1792a539acdb051af34de91060
-
SHA1
2cda394db71fc67905e31d9e8f4b88ef85a248dc
-
SHA256
7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296
-
SHA512
9bd26a83d30f69ab7d9dfbe9c3b81c8fd2381f331ce139140646932cf09b461f177c4eb236cd2194d190c50598ac3de0023cfe38e843b08bbe2f120e790ee3f1
-
SSDEEP
1536:SUICS4ADkFAztzRyxoWtBErqylVxn1GZnKoEcXb/50Qtef0:sBkwtdyxoUH4BYnKobfw
Malware Config
Extracted
C:\iMxWNjZWz.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\iMxWNjZWz.bmp" BlackMatter.7a223a0aa0f88e84a68da.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\iMxWNjZWz.bmp" BlackMatter.7a223a0aa0f88e84a68da.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exepid process 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe -
Modifies Control Panel 2 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop BlackMatter.7a223a0aa0f88e84a68da.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallpaperStyle = "10" BlackMatter.7a223a0aa0f88e84a68da.exe -
Modifies registry class 5 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.iMxWNjZWz\ = "iMxWNjZWz" BlackMatter.7a223a0aa0f88e84a68da.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iMxWNjZWz\DefaultIcon BlackMatter.7a223a0aa0f88e84a68da.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iMxWNjZWz BlackMatter.7a223a0aa0f88e84a68da.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iMxWNjZWz\DefaultIcon\ = "C:\\ProgramData\\iMxWNjZWz.ico" BlackMatter.7a223a0aa0f88e84a68da.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.iMxWNjZWz BlackMatter.7a223a0aa0f88e84a68da.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exepid process 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe 1808 BlackMatter.7a223a0aa0f88e84a68da.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
BlackMatter.7a223a0aa0f88e84a68da.exevssvc.exedescription pid process Token: SeBackupPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeDebugPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: 36 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeImpersonatePrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeIncBasePriorityPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeIncreaseQuotaPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: 33 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeManageVolumePrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeProfSingleProcessPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeRestorePrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeSecurityPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeSystemProfilePrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeTakeOwnershipPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeShutdownPrivilege 1808 BlackMatter.7a223a0aa0f88e84a68da.exe Token: SeBackupPrivilege 824 vssvc.exe Token: SeRestorePrivilege 824 vssvc.exe Token: SeAuditPrivilege 824 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BlackMatter.7a223a0aa0f88e84a68da.exe"C:\Users\Admin\AppData\Local\Temp\BlackMatter.7a223a0aa0f88e84a68da.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken