Overview

overview

10

Static

static

10

BlackMatte...in.exe

windows7-x64

10

BlackMatte...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-03-2023 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BlackMatter.7a223a0aa0f88e84a68da.bin.exe

  • Size

    95KB

  • MD5

    930b9c1792a539acdb051af34de91060

  • SHA1

    2cda394db71fc67905e31d9e8f4b88ef85a248dc

  • SHA256

    7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296

  • SHA512

    9bd26a83d30f69ab7d9dfbe9c3b81c8fd2381f331ce139140646932cf09b461f177c4eb236cd2194d190c50598ac3de0023cfe38e843b08bbe2f120e790ee3f1

  • SSDEEP

    1536:SUICS4ADkFAztzRyxoWtBErqylVxn1GZnKoEcXb/50Qtef0:sBkwtdyxoUH4BYnKobfw

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\Users\uBBIsrJIE.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your computers and servers are encrypted, private data was downloaded. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> Data leak First of all we have downloaded more then 200GB of data. Your personal leak page (TOR LINK): On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published in our blog if you do not contact us. After publication, your data can be downloaded by anyone, it stored on our tor CDN and will be available for at least 6 months. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> HOW TO CONTACT US? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/QLA44XK2K4K1RZL9

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlackMatter.7a223a0aa0f88e84a68da.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackMatter.7a223a0aa0f88e84a68da.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1060
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\uBBIsrJIE.README.txt
    Filesize

    1KB

    MD5

    a34fb07ce7696459f74aef7fefb56352

    SHA1

    dbd83ff37e90810eb57a802464ac5458ee092d5d

    SHA256

    b5497509edf9a86d80038354f2f07968785592be55ff779e573c776d85437e04

    SHA512

    30b2a812bdb0c4caeccf542fe5c07e81c21c50d3211f4526bfba69b6473592577aebf7488c622167c7ffe5fd0cb5f4dfcf0c1d9795cd2416ad0509ac44c01ce8

    Download Submit

  • memory/1060-55-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1060-56-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1060-57-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download