Analysis Overview
SHA256
5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa
Threat Level: Known bad
The file 38035325b785329e3f618b2a0b90eb75 was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
BlackMatter Ransomware
Renames multiple (149) files with added filename extension
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 13:28
Signatures
Blackmatter family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 13:28
Reported
2024-01-05 03:09
Platform
win10v2004-20231215-en
Max time kernel
163s
Max time network
187s
Command Line
Signatures
BlackMatter Ransomware
Renames multiple (149) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jvdo5eVo9.bmp" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jvdo5eVo9.bmp" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
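The two wallpaper rows above are one write seen twice: registry value names are case-insensitive, so `WallPaper` and `Wallpaper` are the same value, and `WallpaperStyle = "10"` (fill) from the same process completes the defacement. The following detection logic is an added example written for this page, not code from the sandbox or from the sample's authors. It parses rows in the report's own `Set value (str)` format (the rows above are embedded as constructed input, plus one made-up explorer.exe row as a negative control) and flags a non-shell process that points the wallpaper at a random-named BMP under C:\ProgramData. The allowlist of legitimate wallpaper writers and the 8-12 character token length are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the registry rows from the behavioral2 tables above as
# (description, indicator, process) tuples, plus one benign row made up here
# (explorer.exe changing the wallpaper to a user picture) as a negative control.
SID = "S-1-5-21-1815711207-1844170477-3539718864-1000"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
DESKTOP_KEY = "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\Desktop"
SAMPLE_ROWS = [
    ("Set value (str)", DESKTOP_KEY + r'\WallPaper = "C:\\ProgramData\\jvdo5eVo9.bmp"', SAMPLE_EXE),
    ("Set value (str)", DESKTOP_KEY + r'\Wallpaper = "C:\\ProgramData\\jvdo5eVo9.bmp"', SAMPLE_EXE),
    ("Key created", DESKTOP_KEY, SAMPLE_EXE),
    ("Set value (str)", DESKTOP_KEY + r'\WallpaperStyle = "10"', SAMPLE_EXE),
    ("Key created", "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International", SAMPLE_EXE),
    ("Set value (str)", DESKTOP_KEY + r'\Wallpaper = "C:\\Users\\Admin\\Pictures\\beach.jpg"',
     r"C:\Windows\explorer.exe"),
]

SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,12}$")
# Editor's assumption: processes that legitimately write Control Panel\Desktop\Wallpaper
# on a workstation; anything else touching it is treated as a defacement candidate.
LEGIT_WALLPAPER_WRITERS = {"explorer.exe", "systemsettings.exe"}


def parse_set_value(description, indicator, process):
    """Parse a 'Set value (str)' row; returns None for rows this rule does not model."""
    if description != "Set value (str)":
        return None
    m = SET_RE.match(indicator)
    if not m:
        return None
    sid = SID_RE.search(m["key"])
    return {
        "process": process,
        "sid": sid.group(0) if sid else None,
        "key": m["key"],
        # Registry value names are case-insensitive, so the report's WallPaper and
        # Wallpaper rows are two writes to the same value; normalise to merge them.
        "name": m["name"].lower(),
        # The sandbox escapes backslashes inside string data; undo that.
        "data": m["data"].replace("\\\\", "\\"),
    }


def detect_wallpaper_defacement(rows):
    """Return one finding per (process, SID) that set a random-named BMP under
    C:\\ProgramData as the wallpaper, the pattern shown in the tables above."""
    by_actor = defaultdict(dict)
    for row in rows:
        e = parse_set_value(*row)
        if e and e["key"].lower().endswith("\\control panel\\desktop"):
            by_actor[(e["process"], e["sid"])][e["name"]] = e["data"]

    findings = []
    for (process, sid), values in by_actor.items():
        wallpaper = values.get("wallpaper")
        if not wallpaper:
            continue
        image = process.rsplit("\\", 1)[-1].lower()
        filename = wallpaper.rsplit("\\", 1)[-1]
        stem, _, ext = filename.rpartition(".")
        if (image not in LEGIT_WALLPAPER_WRITERS
                and wallpaper.lower().startswith("c:\\programdata\\")
                and ext.lower() == "bmp"
                and TOKEN_RE.match(stem)):
            findings.append({
                "process": process,
                "sid": sid,
                "wallpaper": wallpaper,
                # WallpaperStyle "10" (fill) is set alongside it; keep it as supporting context.
                "style": values.get("wallpaperstyle"),
            })
    return findings


if __name__ == "__main__":
    for f in detect_wallpaper_defacement(SAMPLE_ROWS):
        print(f)
```

Grouping by (process, SID) rather than by single row is what lets the rule attach the `WallpaperStyle` write to the same actor; on a live host the same logic applies to Sysmon Event ID 13 (RegistryEvent SetValue) records.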
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe
"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| US | 3.33.130.190:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
Files
memory/4108-0-0x00000000029D0000-0x00000000029E0000-memory.dmp
memory/4108-1-0x00000000029D0000-0x00000000029E0000-memory.dmp
C:\jvdo5eVo9.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |
memory/4108-250-0x00000000029D0000-0x00000000029E0000-memory.dmp
memory/4108-251-0x00000000029D0000-0x00000000029E0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 13:28
Reported
2024-01-05 03:09
Platform
win7-20231215-en
Max time kernel
5s
Max time network
139s
Command Line
Signatures
BlackMatter Ransomware
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe
"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\PS3b2NjbL.README.txt
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
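The process list above carries more than the "Opens file in notepad" signature says: `NOTEPAD.EXE /p` prints the file rather than displaying it, the command line names `system32` while the image that ran is under `SysWOW64` (file-system redirection, so the caller is a 32-bit process), and `splwow64.exe` is the 64-bit spooler helper that appears when a 32-bit application prints. The following triage logic is an added example for this page, not the sandbox's signature code. It runs over process-creation events rebuilt from the two Processes lists in a Sysmon-like shape; because the report lists processes flat, the `parent_image` values are this example's assumptions, as is the ransom-note filename pattern.

```python
import re

# Constructed input: process-creation events rebuilt from the Processes lists of
# both detonations above, in a Sysmon-style shape. The sandbox lists processes
# flat, so the parent_image values are this example's assumptions, not report data.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\38035325b785329e3f618b2a0b90eb75.exe"
SAMPLE_EVENTS = [
    {"image": SAMPLE_EXE, "command_line": f'"{SAMPLE_EXE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\system32\vssvc.exe", "command_line": r"C:\Windows\system32\vssvc.exe",
     "parent_image": r"C:\Windows\system32\services.exe"},
    {"image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "command_line": r'"C:\Windows\system32\NOTEPAD.EXE" /p C:\PS3b2NjbL.README.txt',
     "parent_image": SAMPLE_EXE},
    {"image": r"C:\Windows\splwow64.exe", "command_line": r"C:\Windows\splwow64.exe 12288",
     "parent_image": r"C:\Windows\SysWOW64\NOTEPAD.EXE"},
]

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
# Ransom note naming seen in both runs: <random token>.README.txt (assumed pattern).
NOTE_RE = re.compile(r"^[A-Za-z0-9]{6,16}\.README\.txt$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def argv_of(command_line):
    """Split a Windows command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]


def triage(events):
    """Apply three checks to the event list and return (rule, detail) findings."""
    findings = []
    for e in events:
        image = basename(e["image"]).lower()
        parent = basename(e["parent_image"]).lower()
        argv = argv_of(e["command_line"])
        flags = {a.lower() for a in argv[1:]}

        # 1. notepad.exe /p prints the file: a ransom note sent to the printer by a
        #    non-shell parent is the behaviour behind "Opens file in notepad".
        if (image == "notepad.exe" and "/p" in flags
                and NOTE_RE.match(basename(argv[-1])) and parent != "explorer.exe"):
            findings.append(("ransom_note_printed",
                             {"parent": e["parent_image"], "note": argv[-1]}))

        # 2. Command line names system32 but the image that ran is under SysWOW64:
        #    file-system redirection, so the caller is a 32-bit process.
        if argv and "\\system32\\" in argv[0].lower() and "\\syswow64\\" in e["image"].lower():
            findings.append(("wow64_redirected_launch",
                             {"requested": argv[0], "ran": e["image"]}))

    # 3. splwow64.exe is the 64-bit spooler helper for 32-bit printing; seeing it
    #    alongside the notepad /p event says the print job was actually handed off.
    if (any(rule == "ransom_note_printed" for rule, _ in findings)
            and any(basename(e["image"]).lower() == "splwow64.exe" for e in events)):
        findings.append(("print_job_spooled", {}))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

The print check is the one worth keeping in a production rule: ransom notes printed to every reachable printer are a loud, easily logged event, and `notepad.exe /p` launched by anything other than the shell has almost no benign use.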
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| US | 3.33.130.190:80 | mojobiden.com | tcp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
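Both Network tables (behavioral2 above and behavioral1 here) mix sample-initiated traffic with guest background noise: the `*.in-addr.arpa` rows are PTR lookups, `tse1.mm.bing.net` is a Bing image host, and `apps.identrust.com` is a CA endpoint that CryptoAPI fetches when it builds a certificate chain (the CryptnetUrlCache files in this run's Files section are the matching artefacts). What remains in both runs is the same pair of hosts, `mojobiden.com` (3.33.130.190) and `nowautomation.com` (3.64.163.50), each contacted on 80 and 443. The following extractor is an added example for this page, not sandbox code: it parses rows in the report's own table layout (a subset of both tables is embedded as constructed input), drops the background traffic, aggregates the rest per domain, and emits Suricata DNS rules. The background-domain allowlist is this example's assumption and has to be maintained per sandbox image.

```python
from collections import defaultdict

# Constructed input: rows copied from the Network tables of both detonations
# above, in the report's own table layout (a representative subset).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 3.33.130.190:443 | mojobiden.com | tcp |
| US | 3.33.130.190:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
"""

# Editor's assumption: traffic the Windows guest generates on its own in this
# sandbox (Bing image host, IdenTrust CRL/OCSP endpoint fetched by CryptoAPI).
# Maintain this list per sandbox image; it is not part of the report.
BACKGROUND_DOMAINS = {"tse1.mm.bing.net", "apps.identrust.com"}


def parse_rows(table):
    """Parse '| Country | host:port | domain | proto |' lines into dicts."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_background(row):
    # PTR lookups (w.z.y.x.in-addr.arpa) are the guest resolving addresses it
    # talked to, not sample-initiated traffic.
    return row["domain"].endswith(".in-addr.arpa") or row["domain"] in BACKGROUND_DOMAINS


def extract_iocs(table):
    """Aggregate non-background traffic per domain: resolved IPs, ports used,
    number of TCP connections and number of DNS queries."""
    iocs = defaultdict(lambda: {"ips": set(), "ports": set(), "connections": 0, "dns_queries": 0})
    for row in parse_rows(table):
        if is_background(row):
            continue
        entry = iocs[row["domain"]]
        if row["proto"] == "udp" and row["port"] == 53:
            entry["dns_queries"] += 1
        else:
            entry["ips"].add(row["ip"])
            entry["ports"].add(row["port"])
            entry["connections"] += 1
    return {d: {"ips": sorted(v["ips"]), "ports": sorted(v["ports"]),
                "connections": v["connections"], "dns_queries": v["dns_queries"]}
            for d, v in iocs.items()}


def suricata_dns_rules(iocs, base_sid=1000001):
    """Emit one Suricata DNS-query rule per domain (SIDs from the local range)."""
    return [
        f'alert dns any any -> any any (msg:"Sandbox-derived C2 lookup {domain}"; '
        f'dns.query; content:"{domain}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, domain in enumerate(sorted(iocs))
    ]


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_TABLE)
    for domain, info in iocs.items():
        print(domain, info)
    print("\n".join(suricata_dns_rules(iocs)))
```

Alerting on the DNS query rather than on the IP survives the hosts being re-pointed; keep the IP addresses as secondary indicators, since both 3.33.130.190 and 3.64.163.50 sit in cloud ranges that will be reused by other tenants.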
Files
memory/1704-0-0x0000000000720000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar7822.tmp
| MD5 | dd700e53705dc1dffd7fb3b926d1155a |
| SHA1 | a799f95de1d17de6faf920906e780e0c58cb6ef1 |
| SHA256 | d712201a4ed651010eaeda39737393a4270af115aa0e5c084b7fc952886daf07 |
| SHA512 | 8a220a5165d0ef79d37ca2ca76a7d4cf3edf71ed96c3d4e9acb33a9c19f9183c6d61ee45283b771c30170f70e4be9585baee281c83ae9e2b154dbaefc6dd2e6c |
C:\Users\Admin\AppData\Local\Temp\Cab77FF.tmp
| MD5 | 3abcd21a1c7911b3991c847cfc29a2f4 |
| SHA1 | 19a9bcbeb756ecb2618cfa4ee0ffa13673c2385d |
| SHA256 | 7f225d7cb23569378ea625ab026062087100de3f487883fed9d1e26b23ea1f81 |
| SHA512 | 5984f47bdd48d8f1d22a28d8725109480db51592d5b9e2206033d83ad52b9c936117db52c19408004e53f4c6a96b5a6d4f293981b6bd36f6587d609007d6dfd8 |
C:\PS3b2NjbL.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7798f53af1534c9d32716a9b35f43847 |
| SHA1 | f9bae192227a71018458274681c4d1c48ee71f51 |
| SHA256 | 23ff7a417ee817b8cb39f471157a8bdee2fc0f436a0bcaee5def891961b6c845 |
| SHA512 | f36371b717649bfc44b77389419b8247548cce9cecc25ec485885038223983846aba8b90cf5cf3075eb649dcc20e6fa0e0eb30c68ce3fae54ed350b5467f83b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 245b5442cff8d047d9534ead5a2a4df6 |
| SHA1 | 01195948951c00aaaee819ec39bbb7b901a3cde3 |
| SHA256 | 8ac34c61ed5df8780474957508d883bf0118885a1839307f278e65116350c138 |
| SHA512 | ffb542043c3e56d8c7d8eee74a43f60e9756a4a330ffb3187d5716e449d40615046f75d8b0d8c2039effada1b0380a755ad5077bc0f033db66018eb62d1e9738 |
memory/1948-520-0x00000000040C0000-0x00000000040C1000-memory.dmp
memory/1948-521-0x0000000004260000-0x0000000004270000-memory.dmp
memory/1948-522-0x00000000040C0000-0x00000000040C1000-memory.dmp
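Across the two detonations the ransom note content is identical (SHA-256 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e in both) while its name is randomised per run (`jvdo5eVo9.README.txt`, `PS3b2NjbL.README.txt`), and in behavioral2 the wallpaper `C:\ProgramData\jvdo5eVo9.bmp` reuses the note's token. The following correlation script is an added example for this page, not sandbox output: it separates sample artefacts from files the guest wrote by itself, finds content hashes stable across runs, and pulls the per-run token out of the note name. The OS-noise heuristics (CryptnetUrlCache, Cab*/Tar* temp files) and the token pattern are this example's assumptions.

```python
import re

# Constructed input: the Files entries of both detonations above as (path, sha256)
# pairs grouped by run; only paths and SHA-256 values from the report are used.
NOTE_SHA256 = "9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e"
RUNS = {
    "behavioral2": [
        ("memory/4108-0-0x00000000029D0000-0x00000000029E0000-memory.dmp", None),
        (r"C:\jvdo5eVo9.README.txt", NOTE_SHA256),
    ],
    "behavioral1": [
        ("memory/1704-0-0x0000000000720000-0x0000000000760000-memory.dmp", None),
        (r"C:\Users\Admin\AppData\Local\Temp\Tar7822.tmp",
         "d712201a4ed651010eaeda39737393a4270af115aa0e5c084b7fc952886daf07"),
        (r"C:\Users\Admin\AppData\Local\Temp\Cab77FF.tmp",
         "7f225d7cb23569378ea625ab026062087100de3f487883fed9d1e26b23ea1f81"),
        (r"C:\PS3b2NjbL.README.txt", NOTE_SHA256),
        (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
         "23ff7a417ee817b8cb39f471157a8bdee2fc0f436a0bcaee5def891961b6c845"),
    ],
}
# Wallpaper path from the behavioral2 registry tables, used to check that the
# wallpaper carries the same random token as that run's ransom note.
WALLPAPER_PATHS = {"behavioral2": r"C:\ProgramData\jvdo5eVo9.bmp"}

NOTE_RE = re.compile(r"^[A-Za-z]:\\(?P<token>[A-Za-z0-9]{6,16})\.README\.txt$")
# Editor's heuristics for files the OS writes by itself during a detonation
# (CryptoAPI URL cache, and the Cab*/Tar* temp files left when it unpacks a
# downloaded CAB); everything else on disk is treated as written by the sample.
OS_NOISE_RE = re.compile(r"\\CryptnetUrlCache\\|\\Temp\\(Cab|Tar)[0-9A-F]+\.tmp$", re.IGNORECASE)


def classify(path):
    if path.startswith("memory/"):
        return "memory_dump"
    if OS_NOISE_RE.search(path):
        return "os_noise"
    return "sample_artifact"


def stable_hashes(runs):
    """SHA-256 values of sample artefacts present in every run: content that
    survives the per-run randomisation and is worth a hash-based IOC."""
    per_run = [{sha for path, sha in files if sha and classify(path) == "sample_artifact"}
               for files in runs.values()]
    return set.intersection(*per_run) if per_run else set()


def run_tokens(runs):
    """Per run, the random token in <token>.README.txt (None if no note was seen)."""
    tokens = {}
    for run, files in runs.items():
        tokens[run] = None
        for path, _ in files:
            m = NOTE_RE.match(path)
            if m:
                tokens[run] = m["token"]
    return tokens


def token_reuse(runs, wallpaper_paths):
    """True for each run whose wallpaper file name carries the same token as its note."""
    tokens = run_tokens(runs)
    return {run: tokens.get(run) is not None and ("\\" + tokens[run] + ".") in wp
            for run, wp in wallpaper_paths.items()}


if __name__ == "__main__":
    print("stable hashes:", stable_hashes(RUNS))
    print("run tokens:", run_tokens(RUNS))
    print("token reuse:", token_reuse(RUNS, WALLPAPER_PATHS))
```

The practical consequence for IOC writing: match the note by content hash or by the `<token>.README.txt` shape, never by the literal filename, and expect the token to recur in the wallpaper name and, given the "Renames multiple (149) files with added filename extension" signature, plausibly in the extension appended to encrypted files, which this report does not show.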