Overview

overview

10

Static

static

10

38035325b7...75.exe

windows7-x64

10

38035325b7...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38035325b785329e3f618b2a0b90eb75.exe

  • Size

    78KB

  • MD5

    38035325b785329e3f618b2a0b90eb75

  • SHA1

    33294a6c609b6ced2acef3964d7ec34dc0101a9a

  • SHA256

    5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

  • SHA512

    675a0defdfa3de5f54ece0297d955372480f25e8b9f27fa700d5cdc2c6ecedadc7b68cac2f8e2e452bdbab6a958593f45d3eab14d6e7bbfee472383879bd7b17

  • SSDEEP

    1536:WnICS4ArFnRoHhcVyid9EZZoi+zQQaHYqf5O4QN:BZnmqVyq9EN+MvlZQ

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\PS3b2NjbL.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/O3KTUJZRE6CB4Q1OBR

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Control Panel 1 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe
    "C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1704
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\PS3b2NjbL.README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1772
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1948
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2296

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PS3b2NjbL.README.txt
      Filesize

      1KB

      MD5

      2a2ac841d6b7515f4b1021b92cc5f072

      SHA1

      e48a7a2be20b978f71a92f12ada328bcfd0b89c6

      SHA256

      9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e

      SHA512

      a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7798f53af1534c9d32716a9b35f43847

      SHA1

      f9bae192227a71018458274681c4d1c48ee71f51

      SHA256

      23ff7a417ee817b8cb39f471157a8bdee2fc0f436a0bcaee5def891961b6c845

      SHA512

      f36371b717649bfc44b77389419b8247548cce9cecc25ec485885038223983846aba8b90cf5cf3075eb649dcc20e6fa0e0eb30c68ce3fae54ed350b5467f83b5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      245b5442cff8d047d9534ead5a2a4df6

      SHA1

      01195948951c00aaaee819ec39bbb7b901a3cde3

      SHA256

      8ac34c61ed5df8780474957508d883bf0118885a1839307f278e65116350c138

      SHA512

      ffb542043c3e56d8c7d8eee74a43f60e9756a4a330ffb3187d5716e449d40615046f75d8b0d8c2039effada1b0380a755ad5077bc0f033db66018eb62d1e9738

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab77FF.tmp
      Filesize

      26KB

      MD5

      3abcd21a1c7911b3991c847cfc29a2f4

      SHA1

      19a9bcbeb756ecb2618cfa4ee0ffa13673c2385d

      SHA256

      7f225d7cb23569378ea625ab026062087100de3f487883fed9d1e26b23ea1f81

      SHA512

      5984f47bdd48d8f1d22a28d8725109480db51592d5b9e2206033d83ad52b9c936117db52c19408004e53f4c6a96b5a6d4f293981b6bd36f6587d609007d6dfd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7822.tmp
      Filesize

      63KB

      MD5

      dd700e53705dc1dffd7fb3b926d1155a

      SHA1

      a799f95de1d17de6faf920906e780e0c58cb6ef1

      SHA256

      d712201a4ed651010eaeda39737393a4270af115aa0e5c084b7fc952886daf07

      SHA512

      8a220a5165d0ef79d37ca2ca76a7d4cf3edf71ed96c3d4e9acb33a9c19f9183c6d61ee45283b771c30170f70e4be9585baee281c83ae9e2b154dbaefc6dd2e6c

      Download Submit

    • memory/1704-0-0x0000000000720000-0x0000000000760000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1948-520-0x00000000040C0000-0x00000000040C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1948-521-0x0000000004260000-0x0000000004270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1948-522-0x00000000040C0000-0x00000000040C1000-memory.dmp

      Filesize

      4KB

      Download