blackmatter | e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda

General

Target

3317daace715dc332622d883091cf68b.exe
Size

72KB
MD5

3317daace715dc332622d883091cf68b
SHA1

02fa74523198ebc1db490bdc6f10a78a44c4e28b
SHA256

e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda
SHA512

2739769ddd079b6555ebb84204f46bf94317ef5351734bd2aad74b1ad53738f92e3e278ea74b22f9b17db2219e01c963e694e6e1aec52a6089eaba394ef331b2
SSDEEP

1536:BICS4AgxwhjEO3r825exqkHYnKeGsXqsMt:q2SN3mxYnKr

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\Users\PUOTcnKTQ.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> Hello B&G International >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/RSW33BDOYPLWM78U9A09BZDI

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\PUOTcnKTQ.bmp"	3317daace715dc332622d883091cf68b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\PUOTcnKTQ.bmp"	3317daace715dc332622d883091cf68b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "10"	3317daace715dc332622d883091cf68b.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop	3317daace715dc332622d883091cf68b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe
2088	3317daace715dc332622d883091cf68b.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeDebugPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: 36	2088	3317daace715dc332622d883091cf68b.exe
Token: SeImpersonatePrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeIncBasePriorityPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeIncreaseQuotaPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: 33	2088	3317daace715dc332622d883091cf68b.exe
Token: SeManageVolumePrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeProfSingleProcessPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeRestorePrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeSecurityPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeSystemProfilePrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeTakeOwnershipPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeShutdownPrivilege	2088	3317daace715dc332622d883091cf68b.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe
"C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\PUOTcnKTQ.README.txt

Filesize
1KB

MD5
c4947c60a66a5f286be734256b7e6e8d

SHA1
7cd483bbe59972ff22b2c122c08548933e812b66

SHA256
5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373

SHA512
ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565

Download Submit
memory/2088-1-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/2088-0-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing