blackmatter | 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

General

Target

ad260da314d2f8f3f1531cc5779cbba9.dll
Size

64KB
MD5

ad260da314d2f8f3f1531cc5779cbba9
SHA1

30e15cf49a97e4560c96eed7e0c68ed9a8502023
SHA256

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
SHA512

3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723
SSDEEP

768:QDjahoICS4AIqa3x4aSOo+sYk+5qmOaA/yGzySTe7/cA2gdu0v:yzICS4ALqaaS1+Pq5aPGzysuENs

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\Users\iusZFBQZ6.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

4 2912 rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

2912 rundll32.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

2912 rundll32.exe
2912 rundll32.exe
2912 rundll32.exe
2912 rundll32.exe

flow	pid	process
4	2912	rundll32.exe

pid	process
2912	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	rundll32.exe

pid	process
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

rundll32.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	2912	rundll32.exe
Token: SeDebugPrivilege	2912	rundll32.exe
Token: 36	2912	rundll32.exe
Token: SeImpersonatePrivilege	2912	rundll32.exe
Token: SeIncBasePriorityPrivilege	2912	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2912	rundll32.exe
Token: 33	2912	rundll32.exe
Token: SeManageVolumePrivilege	2912	rundll32.exe
Token: SeProfSingleProcessPrivilege	2912	rundll32.exe
Token: SeRestorePrivilege	2912	rundll32.exe
Token: SeSecurityPrivilege	2912	rundll32.exe
Token: SeSystemProfilePrivilege	2912	rundll32.exe
Token: SeTakeOwnershipPrivilege	2912	rundll32.exe
Token: SeShutdownPrivilege	2912	rundll32.exe
Token: SeBackupPrivilege	2556	vssvc.exe
Token: SeRestorePrivilege	2556	vssvc.exe
Token: SeAuditPrivilege	2556	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe
PID 2860 wrote to memory of 2912	2860	rundll32.exe	rundll32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\iusZFBQZ6.README.txt
Filesize
1KB

MD5
8a485e9f1237d69236522d2409a7fc3c

SHA1
fab1b7c56399623ae49ba840d0a88deb20099b5d

SHA256
d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53

SHA512
d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483

Download Submit
memory/2912-0-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download
memory/2912-206-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing