Overview
Analysis
max time kernel: 1565s
max time network: 1569s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 08:54
Static task
static1

Behavioral tasks (task: sample, sandbox resource)
behavioral1: 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe, win7-20240708-en
behavioral2: 14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe, win7-20240704-en
behavioral3: 2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe, win7-20240705-en
behavioral4: 2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe, win7-20240705-en
behavioral5: 2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe, win7-20240708-en
behavioral6: 34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe, win7-20240704-en
behavioral7: 37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe, win7-20240708-en
behavioral8: 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe, win7-20240704-en
behavioral9: 49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe, win7-20240708-en
behavioral10: 4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe, win7-20240705-en
behavioral11: 5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe, win7-20240704-en
behavioral12: 55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe, win7-20240705-en
behavioral13: 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe, win7-20240704-en
behavioral14: 5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe, win7-20240708-en
behavioral15: 606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe, win7-20240705-en
behavioral16: 6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe, win7-20240705-en
behavioral17: 71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe, win7-20240704-en
behavioral18: 7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe, win7-20240705-en
behavioral19: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe, win7-20240708-en
behavioral20: 8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe, win7-20240704-en
behavioral21: ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe, win7-20240708-en
behavioral22: b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe, win7-20240704-en
behavioral23: c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe, win7-20240705-en
behavioral24: cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe, win7-20240705-en
behavioral25: da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe, win7-20240704-en
behavioral26: e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe, win7-20240705-en
behavioral27: e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe, win7-20240704-en
behavioral28: ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe, win7-20240705-en
behavioral29: f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe, win7-20240708-en
behavioral30: f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe, win7-20240705-en
behavioral31: f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe, win7-20240705-en
behavioral32: fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe, win7-20240705-en
General (this page shows the results for behavioral8)
Target: 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Size: 80KB
MD5: e3269531cf93d040b08074bfb31b72a0
SHA1: 45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
SHA256: 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
SHA512: e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
SSDEEP: 1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Malware Config
Extracted: family blackmatter, version 1.2
Extracted from C:\Ntzrxivr3.README.txt: family blackmatter, URL http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Signatures
- BlackMatter Ransomware
  The BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
- Renames multiple (175) files with added filename extension
  This suggests ransomware activity: the files on the system are being encrypted and renamed.
- Yara rule upx matched (2 IoCs)
  behavioral8/memory/2136-0-0x00000000013A0000-0x00000000013B7000-memory.dmp: rule upx
  behavioral8/memory/2136-307-0x00000000013A0000-0x00000000013B7000-memory.dmp: rule upx
  Both dumps are the same region of PID 2136 at different points in the run, so the packer signature is visible in memory as well as on disk.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Ntzrxivr3.bmp"
  3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Ntzrxivr3.bmp"
  The bitmap is dropped under C:\ProgramData and shares the Ntzrxivr3 name with the ransom note.
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  PID 2136 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe (6 calls)
  ThreadHideFromDebugger is an anti-debugging measure: the marked threads stop delivering debug events to an attached debugger.
- Modifies Control Panel (3 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International
  Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop
  Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Opens file in notepad (likely ransom note) (1 IoC)
  PID 3064 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2136 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  PID 2136 3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe: SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
  PID 2592 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 2480 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
  The numeric entries are privilege LUIDs the sandbox did not resolve to a name. The combination enabled by PID 2136 (backup, restore, take-ownership, security, manage-volume) lets the encryptor open files regardless of their ACLs; the vssvc.exe and AUDIODG.EXE entries are the normal privileges of those system services.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. The report records the API use only; ransomware commonly uses it to enumerate and remove shadow copies so that encrypted files cannot be restored from them.
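The behaviours above translate directly into host-based detections. The Python below is added here as an example; it is not part of the sandbox report and not any vendor's rule content. It runs three of the signals (the wallpaper value pointed at a bitmap under ProgramData, a burst of renames that append one new extension from a single process, and backup/restore/debug privileges enabled by a process outside System32) over a handful of constructed, Sysmon-style events. The event fields, rule names and the threshold of five renames are assumptions, and so is the appended extension Ntzrxivr3: the report shows the ransom-note name Ntzrxivr3.README.txt and the count of 175 renames, not the extension itself.

```python
"""Detection logic for three behaviours flagged in the Signatures section.

Added example: not code from the sandbox report or from any vendor.
The event schema is a simplified, Sysmon-like shape that real telemetry
would first have to be normalised into (assumption).
"""
from collections import Counter

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe")
USER_HIVE = r"HKU\S-1-5-21-3450744190-3404161390-554719085-1000"

# Constructed events: the values mirror the report's IoCs, but the events
# themselves were written for this example, not exported from the sandbox.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 2136, "image": SAMPLE_IMAGE,
     "target": USER_HIVE + r"\Control Panel\Desktop\WallPaper",
     "value": r"C:\ProgramData\Ntzrxivr3.bmp"},
    {"type": "privilege_adjust", "pid": 2136, "image": SAMPLE_IMAGE,
     "privileges": ["SeBackupPrivilege", "SeDebugPrivilege",
                    "SeRestorePrivilege", "SeTakeOwnershipPrivilege"]},
    # vssvc.exe legitimately enables backup/restore; it lives in System32 and must not fire
    {"type": "privilege_adjust", "pid": 2592, "image": r"C:\Windows\system32\vssvc.exe",
     "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"]},
    # one manual rename in Explorer: same shape as the encryptor's renames, far below threshold
    {"type": "file_rename", "pid": 2808, "image": r"C:\Windows\explorer.exe",
     "old": r"C:\Users\Admin\Documents\notes.txt",
     "new": r"C:\Users\Admin\Documents\notes.txt.bak"},
]
# burst of renames appending one extension (".Ntzrxivr3" is an assumption, see the lead-in)
for i in range(6):
    SAMPLE_EVENTS.append({
        "type": "file_rename", "pid": 2136, "image": SAMPLE_IMAGE,
        "old": rf"C:\Users\Admin\Documents\report{i}.docx",
        "new": rf"C:\Users\Admin\Documents\report{i}.docx.Ntzrxivr3"})

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WALLPAPER_SUFFIX = r"\control panel\desktop\wallpaper"
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"}


def added_extension(old, new):
    """Return the single extension a rename appended (old -> old + '.ext'), else None."""
    if not new.lower().startswith(old.lower() + "."):
        return None
    ext = new[len(old) + 1:]
    return ext if ext and "\\" not in ext and "." not in ext else None


def is_system_image(image):
    return image.lower().startswith(SYSTEM_DIRS)


def rule_wallpaper_from_programdata(events):
    """Wallpaper value rewritten to a .bmp under ProgramData (the report's registry IoC)."""
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not e["target"].lower().endswith(WALLPAPER_SUFFIX):
            continue
        value = e["value"].lower()
        if value.startswith("c:\\programdata\\") and value.endswith(".bmp"):
            hits.append(("wallpaper_set_from_programdata", e["pid"]))
    return hits


def rule_mass_rename(events, threshold=5):
    """One process appending the same new extension to at least `threshold` files."""
    per_pid_ext = Counter()
    for e in events:
        if e["type"] == "file_rename":
            ext = added_extension(e["old"], e["new"])
            if ext:
                per_pid_ext[(e["pid"], ext)] += 1
    return [("mass_rename_added_extension", pid, ext, n)
            for (pid, ext), n in per_pid_ext.items() if n >= threshold]


def rule_backup_privs_outside_system(events):
    """Backup + restore + debug privileges enabled by a process not in System32/SysWOW64."""
    return [("backup_restore_debug_in_user_process", e["pid"]) for e in events
            if e["type"] == "privilege_adjust" and not is_system_image(e["image"])
            and SENSITIVE_PRIVS <= set(e["privileges"])]


def evaluate(events):
    """Run every rule; each finding is a tuple whose first element is the rule name."""
    return (rule_wallpaper_from_programdata(events)
            + rule_mass_rename(events)
            + rule_backup_privs_outside_system(events))


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The rename threshold is deliberately low for the constructed data; on a real host it should be scoped to a time window. The three rules are worth scoring together rather than alone, since the report shows one PID (2136) producing all of them within a single run.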
Processes
- C:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe (PID 2136), command line "C:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe"
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2592), command line C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 2808), command line "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 2480), command line C:\Windows\system32\AUDIODG.EXE 0x5b8
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE (PID 3064), command line "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ntzrxivr3.README.txt
  - Opens file in notepad (likely ransom note)
All five processes are recorded at the top level of the tree; the sandbox captured no parent/child relationship between them. The note opened in Notepad sits in C:\Users\Admin\Downloads, while the copy used for config extraction was C:\Ntzrxivr3.README.txt, so the note is written into more than one directory.
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report gives hashes only, no file names)
- Filesize 1KB
  MD5: f66968c47a64569e2281f65a95991be0
  SHA1: ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
  SHA256: 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
  SHA512: cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24
- Filesize 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
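The hashes above, together with the sample's own in the General section, can be swept across a host as file IOCs. The Python below is an added example, not code from the sandbox or from any vendor: it builds the SHA-256 set from this report, hashes a directory tree in chunks and reports matches. Because no file on a clean machine can reproduce the report's digests, demo() plants a constructed file and adds its hash to the set; the directory layout and the file contents are constructed for the example.

```python
"""Hash-based IOC sweep using the SHA-256 values listed in this report.

Added example, not from the sandbox or from any vendor. Only the digests
are taken from the report; the files written by demo() are constructed.
"""
import hashlib
import os
import tempfile

# SHA-256 values copied from the General and Downloads sections of the report.
REPORT_SHA256 = {
    "3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859": "executed sample (80KB)",
    "4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf": "dropped file (1KB)",
    "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f": "dropped file (70KB)",
    "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8": "dropped file (181KB)",
}
DIGESTS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """MD5/SHA-1/SHA-256 of an in-memory buffer, the three formats the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path, chunk_size=1 << 20):
    """Same digests for a file, streamed in 1 MiB chunks so large files stay out of RAM."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root, iocs=REPORT_SHA256):
    """Walk root; return (path, sha256, label) for every file whose SHA-256 is in iocs."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = hash_file(path)["sha256"]
            except OSError:  # unreadable or locked file: skip it, do not abort the sweep
                continue
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


def demo():
    """Constructed scenario: one planted file (hash added to the IOC set) and one benign file."""
    planted = b"constructed stand-in for a dropped file, not the real ransom note\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        with open(os.path.join(root, "Downloads", "Ntzrxivr3.README.txt"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        iocs = dict(REPORT_SHA256)
        iocs[hash_bytes(planted)["sha256"]] = "constructed test file"
        return [(os.path.basename(path), label)
                for path, _digest, label in scan_directory(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

Exact hashes only catch the identical build: the 32 behavioral tasks on this page are 32 distinct SHA-256 values for one family. Pair a sweep like this with the behavioural signatures above, or use the SSDEEP value from the General section for fuzzy matching (that needs the separate ssdeep library rather than hashlib).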