Malware Analysis Report

2024-10-16 03:21

Sample ID 240101-1mnxbabbgp
Target 3df675b0800e6fc57c81271c440327c4
SHA256 c3cc8efd60b85139c9b9f4c62c56ffbafde26c1b22cd7b339a371afde7fc513b
Tags
vmprotect blackmatter b8726db5d916731db5625cfc30c4f7d9 ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c3cc8efd60b85139c9b9f4c62c56ffbafde26c1b22cd7b339a371afde7fc513b

Threat Level: Known bad

The file 3df675b0800e6fc57c81271c440327c4 was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmatter b8726db5d916731db5625cfc30c4f7d9 ransomware

BlackMatter Ransomware

Renames multiple (161) files with added filename extension

Renames multiple (141) files with added filename extension

VMProtect packed file

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 21:46

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 21:46

Reported

2024-01-01 21:48

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (161) files with added filename extension

ransomware

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\FLNjIiJjs.bmp" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\FLNjIiJjs.bmp" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe

"C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/2216-1-0x0000000000400000-0x0000000000BA4000-memory.dmp

memory/2216-3-0x0000000000400000-0x0000000000BA4000-memory.dmp

memory/2216-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2216-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2216-6-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2216-9-0x0000000077150000-0x0000000077151000-memory.dmp

memory/2216-10-0x0000000002480000-0x00000000024C0000-memory.dmp

F:\FLNjIiJjs.README.txt

MD5 e25ee5b580fcb49e00a481b656c2022a
SHA1 e5bb6f852b1d454a6afd66e5465fc3b89b0b9516
SHA256 1e45f64d3a9e3de8c1e270363349c62d346cbe744e3c31a50bcf65544a894a98
SHA512 3be30a96c432b3eb4875da5b4ea4ee799a73b9d787544265da368e77011975b1816bf0f8eb796cd1d716b91ed4f0e937f2fff8da4e9288ed010d5c8e0e44caea

memory/2216-233-0x0000000000400000-0x0000000000BA4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 21:46

Reported

2024-01-01 21:49

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (141) files with added filename extension

ransomware

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jHFUHx9Uc.bmp" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jHFUHx9Uc.bmp" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe

"C:\Users\Admin\AppData\Local\Temp\3df675b0800e6fc57c81271c440327c4.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/4724-0-0x0000000000400000-0x0000000000BA4000-memory.dmp

memory/4724-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/4724-2-0x0000000000400000-0x0000000000BA4000-memory.dmp

memory/4724-4-0x0000000002950000-0x0000000002960000-memory.dmp

memory/4724-5-0x0000000002950000-0x0000000002960000-memory.dmp

F:\jHFUHx9Uc.README.txt

MD5 e25ee5b580fcb49e00a481b656c2022a
SHA1 e5bb6f852b1d454a6afd66e5465fc3b89b0b9516
SHA256 1e45f64d3a9e3de8c1e270363349c62d346cbe744e3c31a50bcf65544a894a98
SHA512 3be30a96c432b3eb4875da5b4ea4ee799a73b9d787544265da368e77011975b1816bf0f8eb796cd1d716b91ed4f0e937f2fff8da4e9288ed010d5c8e0e44caea

memory/4724-237-0x0000000000400000-0x0000000000BA4000-memory.dmp