Overview

overview

10

Static

static

10

10aa058a3a...86.exe

windows7-x64

10

10aa058a3a...86.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    129s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 06:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10aa058a3ac49e016cad7987b8e09886.exe

  • Size

    71KB

  • MD5

    10aa058a3ac49e016cad7987b8e09886

  • SHA1

    cca6682330a819592c3b1ea0448ceb4e141593dc

  • SHA256

    6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db

  • SHA512

    f115fb62b1ca5e18f6340d42ff4393e2b175917312ae1cc14e7a6a9322cf8adaf22457bc8213e2baafdc2cb19d5db1e5a9c003155cbf142d5a08604495e22f6e

  • SSDEEP

    768:VjjjjjjjjjDahoICS4AIbxCJhjZeO3r825CiqxLbMnkHYnvizKktsLFYXg/ripMX:NICS4AgxwhjEO3r825exqkHYnKevTiO

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\BzOXaWmXM.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 500 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: %BLOG_URL% >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/OYPF561W4U8HVA0NLVCKJCZB

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Renames multiple (178) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\10aa058a3ac49e016cad7987b8e09886.exe
    "C:\Users\Admin\AppData\Local\Temp\10aa058a3ac49e016cad7987b8e09886.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\BzOXaWmXM.README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\BzOXaWmXM.README.txt
    Filesize

    1KB

    MD5

    9be52968352d6207153fd7a6b8fcb75f

    SHA1

    e9a821e195712d6f585a2cd60d91b606cad7110e

    SHA256

    5b5d55b03b22a3611662bd521983fb05da9df710c4a9d7831321c9d983d6c41e

    SHA512

    1b35ee275af4edf106ca4f80c35419f8ff338e1905bfd0da5992da48eeed5c842215edef55d4fb7e9c2678f734c40bb4d51d7a8e3a4886610963f09a655b8c45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7429.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar747A.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • memory/2328-437-0x00000000042E0000-0x00000000042E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2328-438-0x0000000004350000-0x0000000004360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2328-439-0x00000000042E0000-0x00000000042E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-0-0x00000000003E0000-0x0000000000420000-memory.dmp

    Filesize

    256KB

    Download