blackmatter | 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad260da314d2f8f3f1531cc5779cbba9.dll
Size

64KB
MD5

ad260da314d2f8f3f1531cc5779cbba9
SHA1

30e15cf49a97e4560c96eed7e0c68ed9a8502023
SHA256

4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91
SHA512

3791b4058ee64bed388b10eeefd733ff45e10c4f374d5644cd4aa10eee6a3fac9bf31076be021acc5c46e8fe79f84048807aaf2c278a5e0e46d41eec00e5e723
SSDEEP

768:QDjahoICS4AIqa3x4aSOo+sYk+5qmOaA/yGzySTe7/cA2gdu0v:yzICS4ALqaaS1+Pq5aPGzysuENs

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\Users\MaiYWlrYr.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	4788	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4788	rundll32.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4788	rundll32.exe
4788	rundll32.exe
4788	rundll32.exe
4788	rundll32.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	4788	rundll32.exe
Token: SeDebugPrivilege	4788	rundll32.exe
Token: 36	4788	rundll32.exe
Token: SeImpersonatePrivilege	4788	rundll32.exe
Token: SeIncBasePriorityPrivilege	4788	rundll32.exe
Token: SeIncreaseQuotaPrivilege	4788	rundll32.exe
Token: 33	4788	rundll32.exe
Token: SeManageVolumePrivilege	4788	rundll32.exe
Token: SeProfSingleProcessPrivilege	4788	rundll32.exe
Token: SeRestorePrivilege	4788	rundll32.exe
Token: SeSecurityPrivilege	4788	rundll32.exe
Token: SeSystemProfilePrivilege	4788	rundll32.exe
Token: SeTakeOwnershipPrivilege	4788	rundll32.exe
Token: SeShutdownPrivilege	4788	rundll32.exe
Token: SeBackupPrivilege	2988	vssvc.exe
Token: SeRestorePrivilege	2988	vssvc.exe
Token: SeAuditPrivilege	2988	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4788	2680	rundll32.exe	94
PID 2680 wrote to memory of 4788	2680	rundll32.exe	94
PID 2680 wrote to memory of 4788	2680	rundll32.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad260da314d2f8f3f1531cc5779cbba9.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\MaiYWlrYr.README.txt

Filesize
1KB

MD5
8a485e9f1237d69236522d2409a7fc3c

SHA1
fab1b7c56399623ae49ba840d0a88deb20099b5d

SHA256
d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53

SHA512
d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483

Download Submit
memory/4788-0-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/4788-1-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download