Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2024, 10:12 UTC

General

  • Target

    2c323453e9.exe

  • Size

    66KB

  • MD5

    a55bc3368a10ca5a92c1c9ecae97ced9

  • SHA1

    72ed32b0e8692c7caa25d61e1828cdb48c4fe361

  • SHA256

    2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

  • SHA512

    da3187046c267b8053f0274de81665234dd07c1d06c61108878abccccb2f10bfe4bf7c53e0e4100ed76772b8b92bdd6c4953f19250f33be7dd9380ab3b63db3c

  • SSDEEP

    1536:HzICS4AT6GxdEe+TOdincJXvKvWLBjklE:4R7auJXSOhCE

Score
10/10

Malware Config

Extracted

Path

C:\bc67Kiq7z.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .

>>> What happens?
Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R.

>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/GDBJS76DH3D4IKQD2QO7R

Signatures

  • BlackMatter Ransomware

    The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.

  • Renames multiple (166) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c323453e9.exe
    "C:\Users\Admin\AppData\Local\Temp\2c323453e9.exe"
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:272
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2992

Network

  • flag-us
    DNS
    paymenthacks.com
    2c323453e9.exe
    Remote address:
    8.8.8.8:53
    Request
    paymenthacks.com
    IN A
    Response
    paymenthacks.com
    IN A
    204.11.56.48
  • flag-us
    POST
    http://paymenthacks.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu
    2c323453e9.exe
    Remote address:
    204.11.56.48:80
    Request
    POST /?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Chrome/91.0.4472.77
    Host: paymenthacks.com
    Content-Length: 858
    Cache-Control: no-cache
  • flag-us
    DNS
    mojobiden.com
    2c323453e9.exe
    Remote address:
    8.8.8.8:53
    Request
    mojobiden.com
    IN A
    Response
    mojobiden.com
    IN A
    3.33.130.190
    mojobiden.com
    IN A
    15.197.148.33
  • flag-us
    DNS
    mojobiden.com
    2c323453e9.exe
    Remote address:
    8.8.8.8:53
    Request
    mojobiden.com
    IN A
  • flag-us
    POST
    http://mojobiden.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu
    2c323453e9.exe
    Remote address:
    3.33.130.190:80
    Request
    POST /?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu HTTP/1.1
    Accept: */*
    Connection: keep-alive
    Accept-Encoding: gzip, deflate, br
    Content-Type: text/plain
    User-Agent: Chrome/91.0.4472.77
    Host: mojobiden.com
    Content-Length: 858
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 08 Mar 2024 10:13:40 GMT
    Content-Type: text/plain
    Content-Length: 0
    Connection: keep-alive
    ETag: "65dd12f1-0"
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    305 B
    84 B
    3
    2
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    1.3kB
    211 B
    11
    5
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    484 B
    211 B
    7
    5
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    374 B
    124 B
    8
    3
  • 204.11.56.48:80
    http://paymenthacks.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu
    http
    2c323453e9.exe
    4.8kB
    92 B
    7
    2

    HTTP Request

    POST http://paymenthacks.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu
  • 3.33.130.190:443
    mojobiden.com
    tls
    2c323453e9.exe
    1.0kB
    5.9kB
    11
    10
  • 3.33.130.190:80
    http://mojobiden.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu
    http
    2c323453e9.exe
    1.4kB
    554 B
    5
    5

    HTTP Request

    POST http://mojobiden.com/?j7q=tyPkn23F1QL&z8uVH=ovpy&gXfc=QoKDQPVSzWcQZRrGKu

    HTTP Response

    403
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    305 B
    84 B
    3
    2
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    267 B
    84 B
    3
    2
  • 204.11.56.48:443
    paymenthacks.com
    2c323453e9.exe
    152 B
    3
  • 204.11.56.48:443
    paymenthacks.com
    tls
    2c323453e9.exe
    248 B
    44 B
    4
    1
  • 8.8.8.8:53
    paymenthacks.com
    dns
    2c323453e9.exe
    62 B
    78 B
    1
    1

    DNS Request

    paymenthacks.com

    DNS Response

    204.11.56.48

  • 8.8.8.8:53
    mojobiden.com
    dns
    2c323453e9.exe
    118 B
    91 B
    2
    1

    DNS Request

    mojobiden.com

    DNS Request

    mojobiden.com

    DNS Response

    3.33.130.190
    15.197.148.33

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\Local\Temp\Tar85E9.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\bc67Kiq7z.README.txt

    Filesize

    1KB

    MD5

    8a485e9f1237d69236522d2409a7fc3c

    SHA1

    fab1b7c56399623ae49ba840d0a88deb20099b5d

    SHA256

    d9006d5c753c364b27388831f03332f404b719a66f344ce8b1a340da24e93d53

    SHA512

    d0f2416496c77ad305de712ac8b6b42d9b57337eec88e66dddd8fc59309acda7a08ab3a492b961a850e8e501eafc0b23f6371af78210b86beefaae980e014483

  • memory/272-0-0x0000000002070000-0x00000000020B0000-memory.dmp

    Filesize

    256KB
