Malware Analysis Report

2024-10-16 03:23

Sample ID 230309-fckfxsaf58
Target amostra.bin
SHA256 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
Tags
blackmatter ransomware upx 512478c08dada2af19e49808fbda5b0b
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859

Threat Level: Known bad

The file amostra.bin was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware upx 512478c08dada2af19e49808fbda5b0b

Blackmatter family

BlackMatter Ransomware

Modifies extensions of user files

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-09 04:43

Signatures

Blackmatter family

blackmatter

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-09 04:43

Reported

2023-03-09 04:46

Platform

win7-20230220-en

Max time kernel

46s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amostra.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\BackupInitialize.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToStop.tif => C:\Users\Admin\Pictures\ConvertToStop.tif.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertToStop.tif.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\MountSuspend.png => C:\Users\Admin\Pictures\MountSuspend.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\WaitRedo.png => C:\Users\Admin\Pictures\WaitRedo.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\WaitRedo.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConfirmTest.tif.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountSuspend.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\ConfirmTest.tif => C:\Users\Admin\Pictures\ConfirmTest.tif.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectMeasure.raw => C:\Users\Admin\Pictures\UnprotectMeasure.raw.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnprotectMeasure.raw.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\BackupInitialize.png => C:\Users\Admin\Pictures\BackupInitialize.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\PushLock.png => C:\Users\Admin\Pictures\PushLock.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushLock.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\StopPublish.png => C:\Users\Admin\Pictures\StopPublish.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopPublish.png.M9BTOztT0 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\M9BTOztT0.bmp" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\M9BTOztT0.bmp" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A

Modifies Control Panel

evasion

The WallpaperStyle = "10" write (fill) accompanies the wallpaper replacement recorded above. Control Panel\International holds the user's locale settings; the report records only that the key was created or opened, not which values were read from it.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A

Modifies system certificate store

evasion spyware trojan

Both thumbprints written here are public CA roots: the DER inside the ROOT\...\CABD2A79A1076A31F21D253635CB039D4329A5E8 blob decodes to subject "ISRG Root X1" / "Internet Security Research Group", and the AuthRoot\...\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 blob to "DST Root CA X3" / "Digital Signature Trust Co." (the friendly-name property in that blob is the UTF-16 string "DST Root CA X3"). Taken together with the apps.identrust.com fetch under Network and the CryptnetUrlCache files under Files, this matches Windows populating its root and AuthRoot stores when the sample opens TLS connections rather than an attacker-supplied root. Before scoring this signature as evasion, compare the thumbprints against Microsoft's trusted root list and decode the blob; the rows below are the raw registry writes.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee
2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195
f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
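To check what a "Modifies system certificate store" hit actually installs, the Blob value can be decoded offline. The Python below is an added example, not code from the report or from the sandbox vendor: it walks the CERT_CONTEXT property records, pulls the SHA-1 thumbprint (property 3) and the DER certificate (property 32), and reads serial, issuer and subject from the head of the DER. SAMPLE_BLOB_HEX is the opening of the ROOT\...\CABD2A79... blob from this report, cut after the subject name on purpose, so the truncation handling is exercised; the property-id constants are the wincrypt.h values and the OID-to-name table is a three-entry assumption sufficient for these roots.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example (not part of the sandbox report). The value is the serialized
CERT_CONTEXT property list Windows uses for stored certificates: a sequence of
records <uint32 PropId><uint32 Reserved=1><uint32 Length><Data>. PropId 3 is
the SHA-1 thumbprint and PropId 32 (CERT_CERT_PROP_ID) the DER certificate.
SAMPLE_BLOB_HEX is the opening of the ROOT\\...\\CABD2A79... blob from the
report, cut after the subject name, so the DER record is truncated on purpose.
"""
import struct

CERT_SHA1_HASH_PROP_ID = 3          # wincrypt.h
CERT_CERT_PROP_ID = 32              # wincrypt.h
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # assumption: only what these roots use

SAMPLE_BLOB_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
    "20000000010000006f050000"
    "3082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00"
    "300d06092a864886f70d01010b0500"
    "304f310b300906035504061302555331293027060355040a1320"
    "496e7465726e65742053656375726974792052657365617263682047726f7570"
    "311530130603550403130c4953524720526f6f74205831"
    "301e170d3135303630343131303433385a170d3335303630343131303433385a"
    "304f310b300906035504061302555331293027060355040a1320"
    "496e7465726e65742053656375726974792052657365617263682047726f7570"
    "311530130603550403130c4953524720526f6f74205831"
)


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_name(buf, start, end):
    """Parse an X.501 Name (SEQUENCE OF SET OF {OID, value}) into a dict."""
    out, pos = {}, start
    while pos < end:
        _, set_start, set_end = der_tlv(buf, pos)        # SET
        _, seq_start, _ = der_tlv(buf, set_start)        # SEQUENCE
        _, oid_start, oid_end = der_tlv(buf, seq_start)  # OBJECT IDENTIFIER
        _, val_start, val_end = der_tlv(buf, oid_end)    # attribute value
        key = OID_NAMES.get(buf[oid_start:oid_end], buf[oid_start:oid_end].hex())
        out[key] = buf[val_start:val_end].decode("utf-8", "replace")
        pos = set_end
    return out


def parse_cert_blob(blob):
    """Walk the property records; return {prop_id: (data, declared_length)}."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        if reserved != 1:
            raise ValueError("not a CERT_CONTEXT property blob")
        pos += 12
        props[prop_id] = (blob[pos:pos + length], length)   # slice tolerates a truncated tail
        pos += length
    return props


def describe_der(der):
    """Pull serial, issuer and subject from the head of a DER X.509 certificate."""
    _, tbs_start, _ = der_tlv(der, 0)                 # Certificate
    _, pos, _ = der_tlv(der, tbs_start)               # tbsCertificate
    tag, _, nxt = der_tlv(der, pos)
    if tag == 0xA0:                                    # [0] EXPLICIT version, optional
        pos = nxt
    _, s_start, s_end = der_tlv(der, pos)              # serialNumber
    _, _, pos = der_tlv(der, s_end)                    # signature AlgorithmIdentifier
    _, i_start, i_end = der_tlv(der, pos)              # issuer
    _, _, pos = der_tlv(der, i_end)                    # validity
    _, sub_start, sub_end = der_tlv(der, pos)          # subject
    return {
        "serial": format(int.from_bytes(der[s_start:s_end], "big"), "x"),
        "issuer": parse_name(der, i_start, i_end),
        "subject": parse_name(der, sub_start, sub_end),
    }


def analyze_blob(blob_hex):
    """Decode a Blob hex string into thumbprint plus certificate identity."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    sha1, _ = props[CERT_SHA1_HASH_PROP_ID]
    der, declared = props[CERT_CERT_PROP_ID]
    info = describe_der(der)
    info["thumbprint"] = sha1.hex().upper()          # should equal the registry key name
    info["der_declared_len"] = declared
    info["der_truncated"] = len(der) < declared
    info["self_signed"] = info["issuer"] == info["subject"]
    return info


if __name__ == "__main__":
    for key, value in analyze_blob(SAMPLE_BLOB_HEX).items():
        print(f"{key}: {value}")
```

On this blob the result is thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 (matching the key name), subject CN "ISRG Root X1", self-signed, serial 8210cfb0d240e3594463e0bb63828b00. The same walk over the AuthRoot blob in the rows above yields "DST Root CA X3". Both are public roots, which is the check to make before treating a certificate-store write as attacker-installed trust.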

Suspicious use of AdjustPrivilegeToken

The numeric rows are privilege LUIDs the sandbox did not map to a name: 33 is SeIncreaseWorkingSetPrivilege and 36 is SeDelegateSessionUserImpersonatePrivilege, the highest well-known privilege, defined from Windows 10 on; the same LUIDs are requested in the Windows 7 run and the Windows 10 run (behavioral2). The vssvc.exe rows are the Volume Shadow Copy service enabling its own privileges after the sample's VSS COM call, not privileges adjusted by the sample.
Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

The report records the COM call and the resulting vssvc.exe start only; it does not show which VSS operation was requested, so shadow copy deletion should be confirmed separately (for example by listing shadows before and after a controlled rerun) rather than assumed from this signature.

Processes

C:\Users\Admin\AppData\Local\Temp\amostra.exe

"C:\Users\Admin\AppData\Local\Temp\amostra.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
AU 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.243.222:80 ww25.paymenthacks.com tcp
AU 103.224.212.222:80 paymenthacks.com tcp
US 199.59.243.222:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
NL 77.247.183.153:443 mojobiden.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:80 mojobiden.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
AU 103.224.212.222:443 paymenthacks.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
AU 103.224.212.222:80 paymenthacks.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:443 mojobiden.com tcp
NL 77.247.183.153:443 mojobiden.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:80 mojobiden.com tcp
US 199.59.243.222:80 survey-smiles.com tcp

Files

memory/924-54-0x0000000000BD0000-0x0000000000BE7000-memory.dmp

memory/924-55-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/924-56-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/924-57-0x00000000009C0000-0x0000000000A00000-memory.dmp

C:\M9BTOztT0.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

C:\Users\Admin\AppData\Local\Temp\Cab2945.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar2AF1.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f68ccb9861a046291591f5c5487d8e49
SHA1 55f2cc2b9b654c1aa60296562884f06b489182a3
SHA256 e34e4c2f6a7b303e25dc90397dd8c8303c16eff7fb01cc6384c06482aa416f16
SHA512 c1f8146c9ff0888609ecb24d9d4650914818747c25fc97128ac6b3cee5616b6cdb3d689b649f0fcc7ac19d039059ac59efdc12f9bd9aaf7ccd71bc430a3a0ffa

memory/924-365-0x0000000000BD0000-0x0000000000BE7000-memory.dmp

memory/924-387-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/924-388-0x00000000009C0000-0x0000000000A00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-09 04:43

Reported

2023-03-09 04:46

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amostra.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MoveStep.tiff C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectSelect.crw.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\SaveMove.png => C:\Users\Admin\Pictures\SaveMove.png.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestExit.tif.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnregisterEdit.tiff.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\MoveStep.tiff => C:\Users\Admin\Pictures\MoveStep.tiff.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectSelect.crw => C:\Users\Admin\Pictures\ProtectSelect.crw.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnregisterEdit.tiff C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\UnregisterEdit.tiff => C:\Users\Admin\Pictures\UnregisterEdit.tiff.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromStep.png => C:\Users\Admin\Pictures\ConvertFromStep.png.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\MoveStep.tiff.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectCheckpoint.raw => C:\Users\Admin\Pictures\ProtectCheckpoint.raw.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\SaveMove.png.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File renamed C:\Users\Admin\Pictures\TestExit.tif => C:\Users\Admin\Pictures\TestExit.tif.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromStep.png.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectCheckpoint.raw.mK94SUl4r C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
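The per-run token in both detonations (M9BTOztT0 on win7, mK94SUl4r on win10) appears three times: as the extension appended to renamed files, as the wallpaper bitmap name under C:\ProgramData, and as the README note in the volume root. The Python below is an added example, not code from the report, that derives the token from rename events and checks the other two artefacts against it; the mass-rename threshold doubles as a simple detection heuristic over file events. The event tuples are constructed from a subset of this report's behavioral1 and behavioral2 rows, "File dropped" is my own label for the Files-section entry, and the threshold of five renames is an assumption.

```python
"""Correlate the per-run artefacts of a file-encrypting run.

Added example (not part of the sandbox report). Event tuples are
(kind, indicator) in the report's own row format; the rows below are a
constructed subset of the report's behavioral1 / behavioral2 tables.
"""
import re
from collections import Counter

RENAME_RE = re.compile(r"^(?P<old>.+?) => (?P<new>.+)$")
WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper = "(?P<path>.+)"$', re.IGNORECASE)
NOTE_RE = re.compile(r"^[A-Za-z]:\\(?P<id>[A-Za-z0-9]+)\.README\.txt$")

PICS = r"C:\Users\Admin\Pictures"


def renamed(name, token):
    """Build a 'File renamed' row in the report's 'old => new' form."""
    old = PICS + "\\" + name
    return ("File renamed", old + " => " + old + "." + token)


def wallpaper(sid, token):
    """Build the 'Set value (str)' row; the report shows the REG_SZ with doubled backslashes."""
    return ("Set value (str)",
            "\\REGISTRY\\USER\\" + sid + "\\Control Panel\\Desktop\\Wallpaper = "
            '"C:\\\\ProgramData\\\\' + token + '.bmp"')


RUN1_EVENTS = [  # constructed subset of behavioral1 (win7)
    renamed("ConvertToStop.tif", "M9BTOztT0"),
    renamed("MountSuspend.png", "M9BTOztT0"),
    renamed("WaitRedo.png", "M9BTOztT0"),
    renamed("ConfirmTest.tif", "M9BTOztT0"),
    renamed("UnprotectMeasure.raw", "M9BTOztT0"),
    renamed("BackupInitialize.png", "M9BTOztT0"),
    ("File opened for modification", PICS + "\\ConvertToStop.tif.M9BTOztT0"),
    wallpaper("S-1-5-21-3499517378-2376672570-1134980332-1000", "M9BTOztT0"),
    ("File dropped", "C:\\M9BTOztT0.README.txt"),
]
RUN2_EVENTS = [  # constructed subset of behavioral2 (win10)
    renamed("MoveStep.tiff", "mK94SUl4r"),
    renamed("ProtectSelect.crw", "mK94SUl4r"),
    renamed("SaveMove.png", "mK94SUl4r"),
    renamed("UnregisterEdit.tiff", "mK94SUl4r"),
    renamed("TestExit.tif", "mK94SUl4r"),
    wallpaper("S-1-5-21-4238149048-355649189-894321705-1000", "mK94SUl4r"),
    ("File dropped", "C:\\mK94SUl4r.README.txt"),
]
BENIGN_EVENTS = [  # constructed: an editor making .bak copies
    ("File renamed", r"C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report.docx.bak"),
    ("File renamed", r"C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak"),
]


def appended_suffixes(events):
    """Count renames of the form X => X.<suffix>, keyed by suffix."""
    counts = Counter()
    for kind, indicator in events:
        if kind != "File renamed":
            continue
        m = RENAME_RE.match(indicator)
        if not m:
            continue
        old, new = m.group("old"), m.group("new")
        if new.startswith(old + "."):
            suffix = new[len(old) + 1:]
            if suffix and "\\" not in suffix and "." not in suffix:
                counts[suffix] += 1
    return counts


def correlate(events, min_renames=5):
    """Return the run token and whether wallpaper and note agree with it, or None below threshold."""
    counts = appended_suffixes(events)
    if not counts:
        return None
    token, n = counts.most_common(1)[0]
    if n < min_renames:                      # threshold is an assumption, tune per environment
        return None
    result = {"victim_id": token, "renames": n, "wallpaper": None, "note": None}
    for _, indicator in events:
        m = WALLPAPER_RE.search(indicator)
        if m:
            result["wallpaper"] = m.group("path").replace("\\\\", "\\")   # undo REG_SZ display escaping
        m = NOTE_RE.match(indicator)
        if m:
            result["note"] = indicator
    wp_base = (result["wallpaper"] or "").rsplit("\\", 1)[-1]
    wp_token = wp_base[:-4] if wp_base.endswith(".bmp") else wp_base
    note_token = NOTE_RE.match(result["note"]).group("id") if result["note"] else None
    result["consistent"] = wp_token == token and note_token == token
    return result


if __name__ == "__main__":
    for label, events in (("behavioral1", RUN1_EVENTS), ("behavioral2", RUN2_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, correlate(events))
```

The same token naming the extension, the C:\ProgramData\<token>.bmp wallpaper and the C:\<token>.README.txt note is what lets one rename-burst alert be pivoted to the note and wallpaper paths on a host; the benign case shows why the suffix count, not a single rename, should drive the alert.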

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mK94SUl4r.bmp" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mK94SUl4r.bmp" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amostra.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\amostra.exe

"C:\Users\Admin\AppData\Local\Temp\amostra.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 paymenthacks.com udp
AU 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.243.222:80 ww25.paymenthacks.com tcp
AU 103.224.212.222:80 paymenthacks.com tcp
US 8.8.8.8:53 222.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 222.243.59.199.in-addr.arpa udp
US 199.59.243.222:80 ww25.paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
NL 77.247.183.153:443 mojobiden.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:80 mojobiden.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
US 8.8.8.8:53 153.183.247.77.in-addr.arpa udp
AU 103.224.212.222:443 paymenthacks.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
AU 103.224.212.222:80 paymenthacks.com tcp
US 8.8.8.8:53 32.146.190.20.in-addr.arpa udp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:443 mojobiden.com tcp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:80 mojobiden.com tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 199.59.243.222:80 survey-smiles.com tcp
FR 51.11.192.48:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
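Both Network tables mix the sample's own contacts with sandbox noise: resolver queries to 8.8.8.8, PTR lookups under in-addr.arpa, and connections with no recorded domain. The Python below is an added example, not code from the report, that reduces such a table to contacted domains with their IP and port sets, resolve-only names, and an analyst allowlist. SAMPLE_ROWS is constructed from a subset of this report's rows; classing apps.identrust.com as benign CRL/AIA traffic is my assumption, based on the CryptnetUrlCache files in the Files section, and not a statement the report makes.

```python
"""Reduce a sandbox network table to contact IOCs.

Added example (not part of the sandbox report). SAMPLE_ROWS is a constructed
subset of the report's behavioral1 / behavioral2 Network rows in the table's
own "Country Destination Domain Proto" layout (Domain may be absent).
"""
SANDBOX_RESOLVERS = {"8.8.8.8"}
# Analyst allowlist; the identrust entry is an assumption, not a report finding.
BENIGN_DOMAINS = {"apps.identrust.com": "CRL/AIA fetch by Windows crypt32 during TLS chain building (assumed)"}

SAMPLE_ROWS = """\
US 8.8.8.8:53 paymenthacks.com udp
AU 103.224.212.222:443 paymenthacks.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 ww25.paymenthacks.com udp
US 199.59.243.222:80 ww25.paymenthacks.com tcp
AU 103.224.212.222:80 paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
NL 77.247.183.153:443 mojobiden.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.222:80 survey-smiles.com tcp
NL 77.247.183.153:80 mojobiden.com tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 222.212.224.103.in-addr.arpa udp
FR 51.11.192.48:443 tcp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each table row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def extract_iocs(text, resolvers=SANDBOX_RESOLVERS, benign=BENIGN_DOMAINS):
    """Split rows into contacted domains, resolve-only names, allowlisted hits and bare IPs."""
    contacted, resolved, benign_hits, no_domain = {}, set(), {}, set()
    for country, ip, port, domain, proto in parse_rows(text):
        if domain is None:
            no_domain.add(ip)                    # no name recorded; review separately
            continue
        if domain.endswith(".in-addr.arpa"):
            continue                             # sandbox PTR lookups, not sample behaviour
        if proto == "udp" and port == 53 and ip in resolvers:
            resolved.add(domain)                 # lookup only; kept to spot resolve-but-no-connect
            continue
        if domain in benign:
            benign_hits[domain] = benign[domain]
            continue
        entry = contacted.setdefault(domain, {"ips": set(), "ports": set(), "countries": set()})
        entry["ips"].add(ip)
        entry["ports"].add(port)
        entry["countries"].add(country)
    return {
        "contacted": contacted,
        "resolved_only": sorted(resolved - set(contacted) - set(benign_hits)),
        "benign": benign_hits,
        "no_domain": sorted(no_domain),
    }


def shared_hosting(contacted):
    """Map IPs that serve more than one contacted domain; a reason to block by name, not by IP."""
    by_ip = {}
    for domain, entry in contacted.items():
        for ip in entry["ips"]:
            by_ip.setdefault(ip, set()).add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ROWS)
    for domain, entry in result["contacted"].items():
        print(domain, sorted(entry["ips"]), sorted(entry["ports"]))
    print("resolve-only:", result["resolved_only"])
    print("allowlisted:", result["benign"])
    print("no domain:", result["no_domain"])
    print("shared IPs:", shared_hosting(result["contacted"]))
```

On these rows the sample's contacts are paymenthacks.com (80 and 443), ww25.paymenthacks.com, mojobiden.com (80 and 443) and survey-smiles.com. shared_hosting() shows ww25.paymenthacks.com and survey-smiles.com on the same IP, 199.59.243.222, so that IP should be checked for shared hosting before it is attributed to the operator or blocked outright.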

Files

memory/2044-133-0x0000000000C70000-0x0000000000C87000-memory.dmp

memory/2044-134-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2044-135-0x0000000000A70000-0x0000000000A80000-memory.dmp

C:\mK94SUl4r.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

memory/2044-359-0x0000000000C70000-0x0000000000C87000-memory.dmp

memory/2044-361-0x0000000000C70000-0x0000000000C87000-memory.dmp

memory/2044-362-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2044-363-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/2044-365-0x0000000000C70000-0x0000000000C87000-memory.dmp