Analysis
-
max time kernel
160s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-04-2024 18:21
Behavioral task
behavioral1
Sample
730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
Resource
win10v2004-20240226-en
General
-
Target
730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe
-
Size
80KB
-
MD5
5fe6daa399b18058f9b7e58fe31b4131
-
SHA1
1ed39024b03b3490049b4d6f2577ca36e18b405a
-
SHA256
730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4
-
SHA512
31baf91130c7e932068e12fec6dfde7ad283487b9f01b92e64835cf91aba1c4f51602066994a8200b73d219e6ea82929cde1f11ca82fb2a48af90418e57e324c
-
SSDEEP
1536:AnICS4A79p2qFTM2HT02F4mHI5myK9IXU:PpOqFQ2HT025HWK9I
Malware Config
Extracted
C:\MaiYWlrYr.README.txt
blackmatter
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/S2A4H6RGPHHLU1IJRLNTN
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Renames multiple (114) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MaiYWlrYr.bmp" 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MaiYWlrYr.bmp" 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10" 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeBackupPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeDebugPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: 36 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeImpersonatePrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeIncBasePriorityPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeIncreaseQuotaPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: 33 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeManageVolumePrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeProfSingleProcessPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeRestorePrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeSecurityPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeSystemProfilePrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeTakeOwnershipPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeShutdownPrivilege 4496 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe Token: SeBackupPrivilege 5108 vssvc.exe Token: SeRestorePrivilege 5108 vssvc.exe Token: SeAuditPrivilege 5108 vssvc.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe"C:\Users\Admin\AppData\Local\Temp\730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:4112
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5041670e49c2b9ed154fc7eed49a3ae0d
SHA1510f7cd45b40b103e9c95f2d660da8c3ca810c6b
SHA256580e1c3c5b868b5afb2c68aff9f19633daec49e208a380b914f4e34daee2cbe1
SHA512ca8e0a73096f11320983eb7550ce1ad3e1dfe9670d700d9c2a7a66a96688f1e253810b5ba5703ef60577cc904f5fbb9973ff626bb944b2415d41910b5696ad0b