Overview

overview

10

Static

static

10

e88479a6a0...88.exe

windows7-x64

10

e88479a6a0...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2023 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e88479a6a059eb522d2fec40fe2e1a88.exe

  • Size

    80KB

  • MD5

    e88479a6a059eb522d2fec40fe2e1a88

  • SHA1

    4bea73917d60c7b09c3f74ca2b1c80f27492b15f

  • SHA256

    ccee26ea662c87a6c3171b091044282849cc8d46d4b9b9da6cf429b8114c4239

  • SHA512

    40e9533188e2b76e27e095c8141851fa7dcddf85ddd686494ada2a48978ea429e6f507a0504a545c79df7dfcdd516ce162e5893704018a4a23c4fd5ae7ad9bc8

  • SSDEEP

    1536:unICS4A79p2qFTM2HT02F4mHI5mCTXOuZr:JpOqFQ2HT025HuTXN

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

F:\roQADg4Ah.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/YX6RXMC65MRX8LLQ >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/YX6RXMC65MRX8LLQ

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Renames multiple (159) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\e88479a6a059eb522d2fec40fe2e1a88.exe
    "C:\Users\Admin\AppData\Local\Temp\e88479a6a059eb522d2fec40fe2e1a88.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\roQADg4Ah.README.txt
    Filesize

    1KB

    MD5

    437cb918360e1d94c6f19a85ddd428a6

    SHA1

    30e3c0c3aed4054285fef804ebc75dc412fcbf41

    SHA256

    f99625bb156ed0b20feac08c71839cc2f03bee9701e83bd60fcc4b747ba726b4

    SHA512

    3aac087bdcfcda772c46b208118a223f577a81277e95c73641cefb30ff6d5d50f2a7b73697927d5ca4f23ff10614a60d7867f5af0a7ccf8a5e14d9d022a3c9b7

    Download Submit
  • memory/896-1-0x0000000002A30000-0x0000000002A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/896-0-0x0000000002A30000-0x0000000002A40000-memory.dmp
    Filesize

    64KB

    Download