Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08-03-2024 10:25

General

  • Target

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe

  • Size

    80KB

  • MD5

    5fe6daa399b18058f9b7e58fe31b4131

  • SHA1

    1ed39024b03b3490049b4d6f2577ca36e18b405a

  • SHA256

    730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4

  • SHA512

    31baf91130c7e932068e12fec6dfde7ad283487b9f01b92e64835cf91aba1c4f51602066994a8200b73d219e6ea82929cde1f11ca82fb2a48af90418e57e324c

  • SSDEEP

    1536:AnICS4A79p2qFTM2HT02F4mHI5myK9IXU:PpOqFQ2HT025HWK9I

Score
10/10

Malware Config

Extracted

Path

C:\FLNjIiJjs.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. From your network was stolen more than 100 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

  • Renames multiple (153) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
    "C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:836
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FLNjIiJjs.README.txt

    Filesize

    1KB

    MD5

    041670e49c2b9ed154fc7eed49a3ae0d

    SHA1

    510f7cd45b40b103e9c95f2d660da8c3ca810c6b

    SHA256

    580e1c3c5b868b5afb2c68aff9f19633daec49e208a380b914f4e34daee2cbe1

    SHA512

    ca8e0a73096f11320983eb7550ce1ad3e1dfe9670d700d9c2a7a66a96688f1e253810b5ba5703ef60577cc904f5fbb9973ff626bb944b2415d41910b5696ad0b

  • memory/836-0-0x0000000000370000-0x00000000003B0000-memory.dmp

    Filesize

    256KB