blackmatter | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Analysis

max time kernel
1565s
max time network
1569s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Size

80KB
MD5

e3269531cf93d040b08074bfb31b72a0
SHA1

45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
SHA256

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
SHA512

e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
SSDEEP

1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs

Score

10^/10

blackmatter ransomware upx

Malware Config

Extracted

Family

blackmatter

Version

1.2

Extracted

Path

C:\Ntzrxivr3.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral8/memory/2136-0-0x00000000013A0000-0x00000000013B7000-memory.dmp	upx
behavioral8/memory/2136-307-0x00000000013A0000-0x00000000013B7000-memory.dmp	upx

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Ntzrxivr3.bmp"	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Ntzrxivr3.bmp"	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

pid	process
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallpaperStyle = "10"	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3064 NOTEPAD.EXE

pid	process
3064	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

pid	process
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeDebugPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: 36	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeImpersonatePrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeIncBasePriorityPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeIncreaseQuotaPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: 33	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeManageVolumePrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeProfSingleProcessPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeRestorePrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeSecurityPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeSystemProfilePrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeTakeOwnershipPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeShutdownPrivilege	2136	3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Token: SeBackupPrivilege	2592	vssvc.exe
Token: SeRestorePrivilege	2592	vssvc.exe
Token: SeAuditPrivilege	2592	vssvc.exe
Token: 33	2480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2480	AUDIODG.EXE
Token: 33	2480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2480	AUDIODG.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
"C:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ntzrxivr3.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Ntzrxivr3.README.txt
Filesize
1KB

MD5
f66968c47a64569e2281f65a95991be0

SHA1
ef9e3e80bfbea4c3021b226cb8cd00687013b8a8

SHA256
4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf

SHA512
cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1B1.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF1E3.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2136-0-0x00000000013A0000-0x00000000013B7000-memory.dmp

Filesize
92KB

Download
memory/2136-1-0x0000000000890000-0x00000000008D0000-memory.dmp

Filesize
256KB

Download
memory/2136-307-0x00000000013A0000-0x00000000013B7000-memory.dmp

Filesize
92KB

Download