Malware Analysis Report

2024-10-16 03:21

Sample ID: 231231-qqnqlsbffq
Target: 38035325b785329e3f618b2a0b90eb75
SHA256: 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa
Tags: blackmatter, ransomware, d58b3b69acc48f82eaa82076f97763d4
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa

Threat Level: Known bad

The file 38035325b785329e3f618b2a0b90eb75 was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware d58b3b69acc48f82eaa82076f97763d4

Blackmatter family

BlackMatter Ransomware

Renames multiple (149) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-12-31 13:28

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 13:28
Reported: 2024-01-05 03:09
Platform: win10v2004-20231215-en
Max time kernel: 163s
Max time network: 187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (149) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jvdo5eVo9.bmp" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jvdo5eVo9.bmp" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe

"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 mojobiden.com udp
US 3.33.130.190:443 mojobiden.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 3.33.130.190:80 mojobiden.com tcp
US 8.8.8.8:53 nowautomation.com udp
DE 3.64.163.50:443 nowautomation.com tcp
DE 3.64.163.50:80 nowautomation.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 3.33.130.190:443 mojobiden.com tcp
DE 3.64.163.50:443 nowautomation.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp

Files

memory/4108-0-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/4108-1-0x00000000029D0000-0x00000000029E0000-memory.dmp

C:\jvdo5eVo9.README.txt

MD5 2a2ac841d6b7515f4b1021b92cc5f072
SHA1 e48a7a2be20b978f71a92f12ada328bcfd0b89c6
SHA256 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e
SHA512 a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

memory/4108-250-0x00000000029D0000-0x00000000029E0000-memory.dmp

memory/4108-251-0x00000000029D0000-0x00000000029E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 13:28
Reported: 2024-01-05 03:09
Platform: win7-20231215-en
Max time kernel: 5s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe

"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p C:\PS3b2NjbL.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 mojobiden.com udp
US 3.33.130.190:443 mojobiden.com tcp
US 3.33.130.190:80 mojobiden.com tcp
US 3.33.130.190:443 mojobiden.com tcp
US 8.8.8.8:53 nowautomation.com udp
DE 3.64.163.50:443 nowautomation.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
DE 3.64.163.50:80 nowautomation.com tcp
US 3.33.130.190:443 mojobiden.com tcp
US 3.33.130.190:443 mojobiden.com tcp
DE 3.64.163.50:443 nowautomation.com tcp

Files

memory/1704-0-0x0000000000720000-0x0000000000760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7822.tmp

MD5 dd700e53705dc1dffd7fb3b926d1155a
SHA1 a799f95de1d17de6faf920906e780e0c58cb6ef1
SHA256 d712201a4ed651010eaeda39737393a4270af115aa0e5c084b7fc952886daf07
SHA512 8a220a5165d0ef79d37ca2ca76a7d4cf3edf71ed96c3d4e9acb33a9c19f9183c6d61ee45283b771c30170f70e4be9585baee281c83ae9e2b154dbaefc6dd2e6c

C:\Users\Admin\AppData\Local\Temp\Cab77FF.tmp

MD5 3abcd21a1c7911b3991c847cfc29a2f4
SHA1 19a9bcbeb756ecb2618cfa4ee0ffa13673c2385d
SHA256 7f225d7cb23569378ea625ab026062087100de3f487883fed9d1e26b23ea1f81
SHA512 5984f47bdd48d8f1d22a28d8725109480db51592d5b9e2206033d83ad52b9c936117db52c19408004e53f4c6a96b5a6d4f293981b6bd36f6587d609007d6dfd8

C:\PS3b2NjbL.README.txt

MD5 2a2ac841d6b7515f4b1021b92cc5f072
SHA1 e48a7a2be20b978f71a92f12ada328bcfd0b89c6
SHA256 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e
SHA512 a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7798f53af1534c9d32716a9b35f43847
SHA1 f9bae192227a71018458274681c4d1c48ee71f51
SHA256 23ff7a417ee817b8cb39f471157a8bdee2fc0f436a0bcaee5def891961b6c845
SHA512 f36371b717649bfc44b77389419b8247548cce9cecc25ec485885038223983846aba8b90cf5cf3075eb649dcc20e6fa0e0eb30c68ce3fae54ed350b5467f83b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 245b5442cff8d047d9534ead5a2a4df6
SHA1 01195948951c00aaaee819ec39bbb7b901a3cde3
SHA256 8ac34c61ed5df8780474957508d883bf0118885a1839307f278e65116350c138
SHA512 ffb542043c3e56d8c7d8eee74a43f60e9756a4a330ffb3187d5716e449d40615046f75d8b0d8c2039effada1b0380a755ad5077bc0f033db66018eb62d1e9738

memory/1948-520-0x00000000040C0000-0x00000000040C1000-memory.dmp

memory/1948-521-0x0000000004260000-0x0000000004270000-memory.dmp

memory/1948-522-0x00000000040C0000-0x00000000040C1000-memory.dmp