Overview

overview

10

Static

static

10

706F3EEC32...9D.exe

windows7-x64

10

706F3EEC32...9D.exe

windows10-1703-x64

10

706F3EEC32...9D.exe

windows10-2004-x64

10

706F3EEC32...9D.exe

windows11-21h2-x64

10

Resubmissions

25-06-2024 15:43

240625-s6cz6a1gnj 10

25-06-2024 15:17

240625-sn4p6axdma 10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

  • Size

    79KB

  • MD5

    62a1b4d4b461f4eaae91c70727f71604

  • SHA1

    1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

  • SHA256

    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

  • SHA512

    d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

  • SSDEEP

    1536:DnICS4ArFnRoHhcVyid9EZZoi+zQ95f8IwdON:QZnmqVyq9EN+M95bwE

Score
10/10
blackmatterransomware

Malware Config

Extracted

Path

C:\XS6hn5xhL.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Renames multiple (139) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
    "C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\XS6hn5xhL.README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\EnableOut.xps.XS6hn5xhL
    Filesize

    1.1MB

    MD5

    c6637afa1d196165295ec61ee84092d1

    SHA1

    680510b9ec40495240fea4506e605740507bb4fc

    SHA256

    9a134ed42da791f74454feb850d8ea5bf8868b9817cdc185de7601019ed75d31

    SHA512

    6c9722bc03e1be3330a39a2a22053c4621b6b269d35ec7359b21b203a25163fdf8c5b0ce64ac06b7459c63ca12645a5e7e593c978de7262cfc7c911bb1a0eb26

    Download Submit

  • C:\XS6hn5xhL.README.txt
    Filesize

    1KB

    MD5

    1ba53a2b703aeb54647185c18cc1ddbd

    SHA1

    0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

    SHA256

    74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

    SHA512

    15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

    Download Submit

  • memory/2116-0-0x0000000000480000-0x00000000004C0000-memory.dmp

    Filesize

    256KB

    Download