Malware Analysis Report

2024-10-16 03:21

Sample ID: 231230-1v6r4agfgr
Target: 1dd464cbb3fbd6881eef3f05b8b1fbd5
SHA256: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
Tags: 0c6ca0532355a106258791f50b66c153 blackmatter ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f

Threat Level: Known bad

The file 1dd464cbb3fbd6881eef3f05b8b1fbd5 was found to be: Known bad.

Malicious Activity Summary

0c6ca0532355a106258791f50b66c153 blackmatter ransomware

Blackmatter family

BlackMatter Ransomware

Renames multiple (150) files with added filename extension

Renames multiple (169) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:59

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:59

Reported

2024-01-01 07:55

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (169) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5XCNh4eNc.bmp" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5XCNh4eNc.bmp" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p C:\5XCNh4eNc.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2516-0-0x0000000000370000-0x00000000003B0000-memory.dmp

C:\Users\5XCNh4eNc.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565

memory/2496-213-0x00000000044B0000-0x00000000044B1000-memory.dmp

C:\Users\Admin\Documents\PingImport.xps.5XCNh4eNc

MD5 c36336988f677353fef9f0435267f8e1
SHA1 62a08fa1e0cd07b7628142fdac6c303e8e320fc3
SHA256 4ef42c0afc38825c9d08ce4760bb083d98456c04c44b25cead51d9ddc34141da
SHA512 bcde5b54be19a329e7bb743a6fbfb91dcc2b74e39c714e2c8a138a646ef243f8c51cb4f686e603cb44d1fe540fa46923822a4a48da0cfc0318c74df3dab48d36

C:\Users\Admin\Documents\UnregisterMerge.xps.5XCNh4eNc

MD5 7f5e017221af35b564ff3f7ccf8697b0
SHA1 2d81ff936ba0e0ecd5f34f2040186e3974c654fe
SHA256 0382b2c34c2433999ddb9337c5dd743b67a508372c67977b2fae0e67d4dad79a
SHA512 3ed7cb7e19b17abea80eb156036f09179272fa5cbb672458dc772b56294d09d79141e6bc9913879cccd1d143b12586e2e4543019e3db42492cfa3ff12cd3af03

memory/2496-216-0x00000000044B0000-0x00000000044B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:59

Reported

2024-01-01 07:56

Platform

win10v2004-20231215-en

Max time kernel

98s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (150) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jHFUHx9Uc.bmp" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jHFUHx9Uc.bmp" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/1276-0-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

memory/1276-1-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

C:\Users\jHFUHx9Uc.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565