Malware Analysis Report

2024-10-16 03:21

Sample ID 231231-mv42lsfchn
Target 3317daace715dc332622d883091cf68b
SHA256 e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda
Tags
0c6ca0532355a106258791f50b66c153 blackmatter ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

e4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda

Threat Level: Known bad

The file 3317daace715dc332622d883091cf68b was found to be: Known bad.

Malicious Activity Summary

0c6ca0532355a106258791f50b66c153 blackmatter ransomware

BlackMatter Ransomware

Blackmatter family

Renames multiple (182) files with added filename extension

Renames multiple (152) files with added filename extension

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 10:48

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 10:48

Reported

2024-01-04 06:56

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (182) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BzOXaWmXM.bmp" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BzOXaWmXM.bmp" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\splwow64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\splwow64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\splwow64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Windows\splwow64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Windows\splwow64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\splwow64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\splwow64.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe

"C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p F:\BzOXaWmXM.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2964-0-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

C:\Users\BzOXaWmXM.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565

memory/1528-226-0x0000000004160000-0x0000000004161000-memory.dmp

memory/1528-227-0x00000000041E0000-0x00000000041F0000-memory.dmp

memory/1528-228-0x0000000004160000-0x0000000004161000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 10:48

Reported

2024-01-04 06:55

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (152) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\PUOTcnKTQ.bmp" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\PUOTcnKTQ.bmp" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe

"C:\Users\Admin\AppData\Local\Temp\3317daace715dc332622d883091cf68b.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 96.17.178.180:80 tcp
N/A 96.17.178.180:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.32:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
US 8.8.8.8:53 udp
N/A 52.111.229.19:443 tcp
US 8.8.8.8:53 udp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
GB 88.221.134.32:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
US 138.91.171.81:80 tcp
US 93.184.221.240:80 tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
N/A 52.142.223.178:80 tcp

Files

memory/2088-1-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

memory/2088-0-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

C:\Users\PUOTcnKTQ.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565