Overview

overview

10

Static

static

10

Windows.Encryptor.exe

windows10-1703-x64

10

Resubmissions

30-01-2024 15:55

240130-tcqvlaagbq 10

29-01-2024 23:52

240129-3wytzsegen 10

29-01-2024 23:50

240129-3vl4ssdca6 10

Analysis

  • max time kernel
    40s
  • max time network
    21s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-01-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows.Encryptor.exe

  • Size

    66KB

  • MD5

    ba375d0625001102fc1f2ccb6f582d91

  • SHA1

    379ebd1eff6f8685f4ff72657626bf6df5383d87

  • SHA256

    c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99

  • SHA512

    795b10a638e289729192de6a6d9964b5ad3b8084f84d58da077ca8ec08c8b8cb1acadb5240962d4ccacf66242bab1430923fc77bdbbfacd0badd64df2ba1487f

  • SSDEEP

    1536:HzICS4AT6GxdEe+TOdincJXvKvWLBjkl:4R7auJXSOhC

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\bKKoOzuoo.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Renames multiple (161) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows.Encryptor.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows.Encryptor.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:212
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bKKoOzuoo.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\bKKoOzuoo.README.txt
    Filesize

    1KB

    MD5

    8a485e9f1237d69236522d2409a7fc3c

    SHA1

    fab1b7c56399623ae49ba840d0a88deb20099b5d

    SHA256

    d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53

    SHA512

    d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483

    Download Submit

  • memory/4964-0-0x0000000003090000-0x00000000030A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4964-1-0x0000000003090000-0x00000000030A0000-memory.dmp

    Filesize

    64KB

    Download