Malware Analysis Report

2024-10-16 03:21

Sample ID 230516-nql6nshf3t
Target 2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside
SHA256 e44345e64dc202f0226bfcf5c8a77446f9242debffa2d6e8eca14a1613b11794
Tags
upx blackmatter
score
10/10

Analysis Overview

score
10/10

SHA256

e44345e64dc202f0226bfcf5c8a77446f9242debffa2d6e8eca14a1613b11794

Threat Level: Known bad

The file 2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside was found to be: Known bad.

Malicious Activity Summary

upx blackmatter

Blackmatter family

UPX packed file

Drops file in System32 directory

Program crash

Unsigned PE

Checks processor information in registry

Enumerates system info in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-16 11:36

Signatures

Blackmatter family

blackmatter

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-16 11:36

Reported

2023-05-16 11:38

Platform

win7-20230220-en

Max time kernel

28s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-16 11:36

Reported

2023-05-16 11:38

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC18D2C3-DBDA-4CE2-9AE4-16AC98440E1E}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{439909DC-64A2-4454-9DF5-1DBD3B5A9462}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 216

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp

Files

N/A