blackmatter | 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

General

Target

38035325b785329e3f618b2a0b90eb75.exe
Size

78KB
MD5

38035325b785329e3f618b2a0b90eb75
SHA1

33294a6c609b6ced2acef3964d7ec34dc0101a9a
SHA256

5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa
SHA512

675a0defdfa3de5f54ece0297d955372480f25e8b9f27fa700d5cdc2c6ecedadc7b68cac2f8e2e452bdbab6a958593f45d3eab14d6e7bbfee472383879bd7b17
SSDEEP

1536:WnICS4ArFnRoHhcVyid9EZZoi+zQQaHYqf5O4QN:BZnmqVyq9EN+MvlZQ

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\PS3b2NjbL.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

38035325b785329e3f618b2a0b90eb75.exe

pid process

1704 38035325b785329e3f618b2a0b90eb75.exe

pid	process
1704	38035325b785329e3f618b2a0b90eb75.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

38035325b785329e3f618b2a0b90eb75.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International	38035325b785329e3f618b2a0b90eb75.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1772 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

38035325b785329e3f618b2a0b90eb75.exe

pid process

1704 38035325b785329e3f618b2a0b90eb75.exe
1704 38035325b785329e3f618b2a0b90eb75.exe

pid	process
1772	NOTEPAD.EXE

pid	process
1704	38035325b785329e3f618b2a0b90eb75.exe
1704	38035325b785329e3f618b2a0b90eb75.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

38035325b785329e3f618b2a0b90eb75.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeDebugPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: 36	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeImpersonatePrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeIncBasePriorityPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeIncreaseQuotaPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: 33	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeManageVolumePrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeProfSingleProcessPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeRestorePrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeSecurityPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeSystemProfilePrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeTakeOwnershipPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeShutdownPrivilege	1704	38035325b785329e3f618b2a0b90eb75.exe
Token: SeBackupPrivilege	2296	vssvc.exe
Token: SeRestorePrivilege	2296	vssvc.exe
Token: SeAuditPrivilege	2296	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe
"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\PS3b2NjbL.README.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1772

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PS3b2NjbL.README.txt
Filesize
1KB

MD5
2a2ac841d6b7515f4b1021b92cc5f072

SHA1
e48a7a2be20b978f71a92f12ada328bcfd0b89c6

SHA256
9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e

SHA512
a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7798f53af1534c9d32716a9b35f43847

SHA1
f9bae192227a71018458274681c4d1c48ee71f51

SHA256
23ff7a417ee817b8cb39f471157a8bdee2fc0f436a0bcaee5def891961b6c845

SHA512
f36371b717649bfc44b77389419b8247548cce9cecc25ec485885038223983846aba8b90cf5cf3075eb649dcc20e6fa0e0eb30c68ce3fae54ed350b5467f83b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
245b5442cff8d047d9534ead5a2a4df6

SHA1
01195948951c00aaaee819ec39bbb7b901a3cde3

SHA256
8ac34c61ed5df8780474957508d883bf0118885a1839307f278e65116350c138

SHA512
ffb542043c3e56d8c7d8eee74a43f60e9756a4a330ffb3187d5716e449d40615046f75d8b0d8c2039effada1b0380a755ad5077bc0f033db66018eb62d1e9738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77FF.tmp
Filesize
26KB

MD5
3abcd21a1c7911b3991c847cfc29a2f4

SHA1
19a9bcbeb756ecb2618cfa4ee0ffa13673c2385d

SHA256
7f225d7cb23569378ea625ab026062087100de3f487883fed9d1e26b23ea1f81

SHA512
5984f47bdd48d8f1d22a28d8725109480db51592d5b9e2206033d83ad52b9c936117db52c19408004e53f4c6a96b5a6d4f293981b6bd36f6587d609007d6dfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7822.tmp
Filesize
63KB

MD5
dd700e53705dc1dffd7fb3b926d1155a

SHA1
a799f95de1d17de6faf920906e780e0c58cb6ef1

SHA256
d712201a4ed651010eaeda39737393a4270af115aa0e5c084b7fc952886daf07

SHA512
8a220a5165d0ef79d37ca2ca76a7d4cf3edf71ed96c3d4e9acb33a9c19f9183c6d61ee45283b771c30170f70e4be9585baee281c83ae9e2b154dbaefc6dd2e6c

Download Submit
memory/1704-0-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/1948-520-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1948-521-0x0000000004260000-0x0000000004270000-memory.dmp

Filesize
64KB

Download
memory/1948-522-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing