blackmatter | 072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486

General

Target

b06e2455a9c7c9485b85e9bdcceb8078.exe
Size

34KB
MD5

b06e2455a9c7c9485b85e9bdcceb8078
SHA1

a63304592f422656d7abcb086915f9e799ad4641
SHA256

072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486
SHA512

adc0501cbb19b53ecafa4522d5369f08e013df3c06dc068f3b1b6b823bca9dfa49a93d0fe1df5fb9ae026305f720cb8923bdbb9c5b7b98fb846670dd3e51fcf9
SSDEEP

768:4mgeEbf2rriFVI1kggGVtSMC2F7QGIFFBMter7RI7d91NTYkd8aex:CE+VYVYMC2F7Aoter2j1lYg

Score

10^/10

blackmatter ransomware upx

Malware Config

Extracted

Family

blackmatter

Version

1.2

Extracted

Path

C:\MaiYWlrYr.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/64-0-0x0000000000280000-0x0000000000297000-memory.dmp	upx
behavioral2/memory/64-1-0x0000000000280000-0x0000000000297000-memory.dmp	upx
behavioral2/memory/64-134-0x0000000000280000-0x0000000000297000-memory.dmp	upx
behavioral2/memory/64-241-0x0000000000280000-0x0000000000297000-memory.dmp	upx
behavioral2/memory/64-252-0x0000000000280000-0x0000000000297000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MaiYWlrYr.bmp"	b06e2455a9c7c9485b85e9bdcceb8078.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MaiYWlrYr.bmp"	b06e2455a9c7c9485b85e9bdcceb8078.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International	b06e2455a9c7c9485b85e9bdcceb8078.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	b06e2455a9c7c9485b85e9bdcceb8078.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	b06e2455a9c7c9485b85e9bdcceb8078.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe
64	b06e2455a9c7c9485b85e9bdcceb8078.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeDebugPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: 36	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeImpersonatePrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeIncBasePriorityPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeIncreaseQuotaPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: 33	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeManageVolumePrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeProfSingleProcessPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeRestorePrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeSecurityPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeSystemProfilePrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeTakeOwnershipPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeShutdownPrivilege	64	b06e2455a9c7c9485b85e9bdcceb8078.exe
Token: SeBackupPrivilege	4312	vssvc.exe
Token: SeRestorePrivilege	4312	vssvc.exe
Token: SeAuditPrivilege	4312	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b06e2455a9c7c9485b85e9bdcceb8078.exe
"C:\Users\Admin\AppData\Local\Temp\b06e2455a9c7c9485b85e9bdcceb8078.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MaiYWlrYr.README.txt

Filesize
1KB

MD5
f66968c47a64569e2281f65a95991be0

SHA1
ef9e3e80bfbea4c3021b226cb8cd00687013b8a8

SHA256
4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf

SHA512
cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

Download Submit
memory/64-0-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/64-1-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/64-2-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/64-3-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/64-134-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/64-241-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/64-252-0x0000000000280000-0x0000000000297000-memory.dmp

Filesize
92KB

Download
memory/64-253-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/64-254-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads