Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
30-12-2023 21:59
General
-
Target
1dd464cbb3fbd6881eef3f05b8b1fbd5.exe
-
Size
72KB
-
MD5
1dd464cbb3fbd6881eef3f05b8b1fbd5
-
SHA1
cafd8d20f2abaebbbfc367b4b4512107362f3758
-
SHA256
b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
-
SHA512
1564fffe28c2b7c2b18c35d68e3e254106620b2c3b7b5f41b95cfbb3a2cf0d9c42616d670b4060d09129ff18f0148c03e00bbd205f9d10697b265109a43d053c
-
SSDEEP
1536:yICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:R2SN3mxYnKr
Malware Config
Extracted
C:\Users\5XCNh4eNc.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Renames multiple (169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 20 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" /p C:\5XCNh4eNc.README.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\5XCNh4eNc.README.txtFilesize
1KB
MD5c4947c60a66a5f286be734256b7e6e8d
SHA17cd483bbe59972ff22b2c122c08548933e812b66
SHA2565119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565
-
C:\Users\Admin\Documents\PingImport.xps.5XCNh4eNcFilesize
423KB
MD5c36336988f677353fef9f0435267f8e1
SHA162a08fa1e0cd07b7628142fdac6c303e8e320fc3
SHA2564ef42c0afc38825c9d08ce4760bb083d98456c04c44b25cead51d9ddc34141da
SHA512bcde5b54be19a329e7bb743a6fbfb91dcc2b74e39c714e2c8a138a646ef243f8c51cb4f686e603cb44d1fe540fa46923822a4a48da0cfc0318c74df3dab48d36
-
C:\Users\Admin\Documents\UnregisterMerge.xps.5XCNh4eNcFilesize
323KB
MD57f5e017221af35b564ff3f7ccf8697b0
SHA12d81ff936ba0e0ecd5f34f2040186e3974c654fe
SHA2560382b2c34c2433999ddb9337c5dd743b67a508372c67977b2fae0e67d4dad79a
SHA5123ed7cb7e19b17abea80eb156036f09179272fa5cbb672458dc772b56294d09d79141e6bc9913879cccd1d143b12586e2e4543019e3db42492cfa3ff12cd3af03
-
memory/2496-213-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/2496-216-0x00000000044B0000-0x00000000044B1000-memory.dmpFilesize
4KB
-
memory/2516-0-0x0000000000370000-0x00000000003B0000-memory.dmpFilesize
256KB