Analysis
  max time kernel: 120s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 28-02-2024 23:38
Behavioral tasks
  behavioral1: sample ad260da314d2f8f3f1531cc5779cbba9.dll, resource win7-20240220-en
  behavioral2: sample ad260da314d2f8f3f1531cc5779cbba9.dll, resource win10v2004-20240226-en
General
  Target: ad260da314d2f8f3f1531cc5779cbba9.dll
  Size: 64KB
  MD5: ad260da314d2f8f3f1531cc5779cbba9
  SHA1: 30e15cf49a97e4560c96eed7e0c68ed9a8502023
  SHA256: 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
  SHA512: 3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723
  SSDEEP: 768:QDjahoICS4AIqa3x4aSOo+sYk+5qmOaA/yGzySTe7/cA2gdu0v:yzICS4ALqaaS1+Pq5aPGzysuENs
Malware Config
  Extracted from: C:\Users\iusZFBQZ6.README.txt
  Family: blackmatter
  URL: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R
Signatures

BlackMatter Ransomware
  The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

Renames multiple (166) files with added filename extension
  Mass renaming of files with an appended extension is characteristic of ransomware encrypting the files on the system.

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  4     2912  rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2912  rundll32.exe

Modifies Control Panel (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International
  Process: rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2912  rundll32.exe   (this row appears 4 times)

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description                          pid   Process
  Token: SeBackupPrivilege             2912  rundll32.exe
  Token: SeDebugPrivilege              2912  rundll32.exe
  Token: 36                            2912  rundll32.exe
  Token: SeImpersonatePrivilege        2912  rundll32.exe
  Token: SeIncBasePriorityPrivilege    2912  rundll32.exe
  Token: SeIncreaseQuotaPrivilege      2912  rundll32.exe
  Token: 33                            2912  rundll32.exe
  Token: SeManageVolumePrivilege       2912  rundll32.exe
  Token: SeProfSingleProcessPrivilege  2912  rundll32.exe
  Token: SeRestorePrivilege            2912  rundll32.exe
  Token: SeSecurityPrivilege           2912  rundll32.exe
  Token: SeSystemProfilePrivilege      2912  rundll32.exe
  Token: SeTakeOwnershipPrivilege      2912  rundll32.exe
  Token: SeShutdownPrivilege           2912  rundll32.exe
  Token: SeBackupPrivilege             2556  vssvc.exe
  Token: SeRestorePrivilege            2556  vssvc.exe
  Token: SeAuditPrivilege              2556  vssvc.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process       procid_target
  PID 2860 wrote to memory of 2912  2860  rundll32.exe  13   (this row appears 7 times)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
  PID: 2860
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 2860)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
    PID: 2912
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2556
  - Suspicious use of AdjustPrivilegeToken
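The process tree above and the "Renames multiple files with added filename extension" signature can be turned into host-side detection logic. The following is an added example, not Triage's code and not part of this report: it re-implements three checks over a constructed, Sysmon-style event stream (the event field names, the parent PIDs of the root processes, the ".locked" extension and the rename threshold are assumptions). The process-creation events mirror the tree in this report (a system32 rundll32 loading the sample from the user's Temp directory by export ordinal #1, then re-launching it under the SysWOW64 rundll32), and the rename burst mirrors the report's count of 166 files.

```python
"""Added example (not Triage's code): re-implements two of the report's
behavioural signatures as detection logic over a constructed, Sysmon-style
event stream.  Event field names and the rename threshold are assumptions."""
import re
from collections import defaultdict

# rundll32 command line is "<dll>,<entry>"; a "#" prefix on the entry means an
# export ordinal rather than an export name.  Assumes the DLL path has no spaces.
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?),(?P<entry>#?\w+)", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def rundll32_findings(events):
    """Rule 1: rundll32 loading a DLL from a user's Temp directory by ordinal.
    Rule 2: a 64-bit (system32) rundll32 spawning a 32-bit (SysWOW64) rundll32,
    i.e. the launcher handing a 32-bit DLL to the matching loader.
    Returns (pid, description) tuples in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in procs.values():
        image = e["image"].lower()
        if not image.endswith("\\rundll32.exe"):
            continue
        m = RUNDLL32_RE.search(e["cmdline"])
        if m and m["entry"].startswith("#") and USER_TEMP_RE.search(m["dll"]):
            findings.append((e["pid"], "rundll32 loads user-Temp DLL by export ordinal"))
        parent = procs.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("\\system32\\rundll32.exe")
                and "\\syswow64\\" in image):
            findings.append((e["pid"], "x64 rundll32 re-launches DLL under SysWOW64 rundll32"))
    return findings


def mass_rename_findings(events, threshold=100):
    """Rule 3: one PID renames many files so that the new name is the old name
    plus an extra extension (the report's 'renames multiple files with added
    filename extension').  The threshold is an assumption; tune it per host."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] != "rename":
            continue
        old, new = e["old"].lower(), e["new"].lower()
        if new.startswith(old + "."):
            counts[e["pid"]] += 1
    return sorted((pid, n) for pid, n in counts.items() if n >= threshold)


# Constructed sample events (not captured from the sandbox).  The process
# creations mirror the report's tree; the 166 renames mirror its count, with
# ".locked" as a placeholder extension.  Parent PIDs 1400 and 600 are made up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2860, "ppid": 1400,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1"},
    {"type": "process", "pid": 2912, "ppid": 2860,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1"},
    {"type": "process", "pid": 2556, "ppid": 600,
     "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]
SAMPLE_EVENTS += [
    {"type": "rename", "pid": 2912,
     "old": rf"C:\Users\Admin\Documents\doc{i}.docx",
     "new": rf"C:\Users\Admin\Documents\doc{i}.docx.locked"}
    for i in range(166)
]
# One ordinary rename by another process: it swaps the extension, not adds one.
SAMPLE_EVENTS.append({"type": "rename", "pid": 777,
                      "old": r"C:\Users\Admin\Desktop\notes.txt",
                      "new": r"C:\Users\Admin\Desktop\notes.bak"})


def analyze(events):
    """Run all rules; returns a dict of rule name -> findings."""
    return {"rundll32": rundll32_findings(events),
            "mass_rename": mass_rename_findings(events)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Rule 1 fires on both rundll32 instances (2860 and 2912), rule 2 only on the SysWOW64 child, and rule 3 on PID 2912 with a count of 166 while the single benign rename by PID 777 is ignored. Rule 1 keys on the ordinal entry point plus a user-writable Temp path because legitimate rundll32 use almost always names an export and a DLL under the Windows directory; rule 3 deliberately ignores what the added extension is, since that varies per sample.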
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1KB
  MD5: 8a485e9f1237d69236522d2409a7fc3c
  SHA1: fab1b7c56399623ae49ba840d0a88deb20099b5d
  SHA256: d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53
  SHA512: d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483