General
Target: RNSM00480.7z
Size: 26.3MB
Sample: 240917-rf92jawhqe
MD5: eddd0c8d8f9919c8a2d18a25047d1b8c
SHA1: 06c72f0c222805e448a3a5f15c204ddca9b65492
SHA256: 3a6cee5509bb09d4e479d91dbf1ba292e76686c14c6a1049de7c0e0ddbdf7a2b
SHA512: 68c7cb44dfc9c2b184844825e94a7f6ab122ad0eae8a1bd6eaf1132357c209976563eea702b5f6123a23c682f9aff23095f5307954809fa3e93ff0ea14eb3f6b
SSDEEP: 393216:pSaU4WVWKWzPcGR3Rh5+bNAyie1ZEkkR7jxxacZ+HrMBnmHcLN0uYXKY3CBB0Ddl:dXTbR35S3PPe7j1sYg8LoXvSB4CTNA
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00480.7z
Resource: win10v2004-20240802-en
Malware Config

Extracted from: C:\Program Files\7-Zip\Lang\+REcovER+kwixt+.txt
URLs:
  http://88fga.ketteaero.com/C87BFBF0377562DB
  http://2bdfb.spinakrosa.at/C87BFBF0377562DB
  http://uj5nj.onanwhit.com/C87BFBF0377562DB
  http://k7tlx3ghr3m4n2tu.onion/C87BFBF0377562DB

Extracted: blackmatter
Version: 2.0
ID: 207aab0afc614ac68359fc63f9665961
URLs:
  https://fluentzip.org
  http://fluentzip.org
Config flags:
  attempt_auth: false
  create_mutex: true
  encrypt_network_shares: true
  exfiltrate: true
  mount_volumes: true

Extracted from: F:\WzEgyMggM.README.txt
Family: blackmatter
URL: http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Extracted: urelas
C2 hosts:
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.31.165
  112.175.88.207
  112.175.88.208
  218.54.30.235

Extracted from: C:\Users\Admin\AppData\Local\Microsoft\Office\_R_E_A_D___T_H_I_S___JQ6X30OI_.txt
URLs:
  http://xpcx6erilkjced3j.onion/30C0-25AF-6105-0006-4DCA
  http://xpcx6erilkjced3j.tor2web.org/30C0-25AF-6105-0006-4DCA
  http://xpcx6erilkjced3j.onion.link/30C0-25AF-6105-0006-4DCA
  http://xpcx6erilkjced3j.onion.nu/30C0-25AF-6105-0006-4DCA
  http://xpcx6erilkjced3j.onion.cab/30C0-25AF-6105-0006-4DCA
  http://xpcx6erilkjced3j.onion.to/30C0-25AF-6105-0006-4DCA

Extracted from: C:\Users\Admin\AppData\Local\Microsoft\Office\_R_E_A_D___T_H_I_S___ZX0XEV_.hta
Family: cerber

Extracted from: C:\Program Files\Common Files\DESIGNER\!! READ ME !!.txt
Contact addresses:
  belingmor@cock.li
  admin@cuba-supp.com
  cuba_support@exploit.im
URL: http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/
Targets

Target: RNSM00480.7z
Size: 26.3MB
MD5: eddd0c8d8f9919c8a2d18a25047d1b8c
SHA1: 06c72f0c222805e448a3a5f15c204ddca9b65492
SHA256: 3a6cee5509bb09d4e479d91dbf1ba292e76686c14c6a1049de7c0e0ddbdf7a2b
SHA512: 68c7cb44dfc9c2b184844825e94a7f6ab122ad0eae8a1bd6eaf1132357c209976563eea702b5f6123a23c682f9aff23095f5307954809fa3e93ff0ea14eb3f6b
SSDEEP: 393216:pSaU4WVWKWzPcGR3Rh5+bNAyie1ZEkkR7jxxacZ+HrMBnmHcLN0uYXKY3CBB0Ddl:dXTbR35S3PPe7j1sYg8LoXvSB4CTNA
Signatures

- AtomSilo Ransomware
- BlackMatter Ransomware
  BlackMatter ransomware group claims to be the successor of DarkSide and REvil.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (132) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- XMRig Miner payload
- Blocklisted process makes network request
- Contacts a large (1126) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Patched UPX-packed file
  Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (technique: count of matching signatures)

Execution
  System Services: 1
    Service Execution: 1
  Windows Management Instrumentation: 1

Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 1
    Netsh Helper DLL: 1

Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 1
    Netsh Helper DLL: 1

Defense Evasion
  Direct Volume Access: 1
  Impair Defenses: 2
    Disable or Modify System Firewall: 1
  Indicator Removal: 3
    File Deletion: 3
  Modify Registry: 5
  Subvert Trust Controls: 1
    SIP and Trust Provider Hijacking: 1

Discovery
  Network Service Discovery: 1
  Peripheral Device Discovery: 1
  Query Registry: 3
  Remote System Discovery: 1
  System Information Discovery: 4
  System Location Discovery: 1
    System Language Discovery: 1
  System Network Configuration Discovery: 1
    Internet Connection Discovery: 1