Overview

overview

10

Static

static

10

83b5eed2bc...18.exe

windows7-x64

10

83b5eed2bc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83b5eed2bc3b182170fd40ec8b8f5867_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    83b5eed2bc3b182170fd40ec8b8f5867

  • SHA1

    b4072bc41d10a822f0ca63094dd30eae6fa008a2

  • SHA256

    fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2

  • SHA512

    0c108e05c59831ee963122e2e77df1eb6ed8e0fd96f3b33fd1d1719447099144601cc3e28338bf6929933e80b885e3329f322f1831ed313e0859258484d48e16

  • SSDEEP

    1536:nnICS4A79p2qFTM2HT02F4mHI5mF7O3p6R9:0pOqFQ2HT025HI56

Score
10/10
blackmatterdiscoveryransomware

Malware Config

Extracted

Path

F:\xTeGOTmGN.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5PRYG0PCO2OW528IDWU3VFPE >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/5PRYG0PCO2OW528IDWU3VFPE

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Blackmatter family
    blackmatter
  • Renames multiple (130) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\83b5eed2bc3b182170fd40ec8b8f5867_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\83b5eed2bc3b182170fd40ec8b8f5867_JaffaCakes118.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1788
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\xTeGOTmGN.README.txt
    Filesize

    1KB

    MD5

    899383665adcda33f699c0ac4ef0623a

    SHA1

    471eef0b521cbe628f2f692aa759d2db8cc62eaf

    SHA256

    88605e52e87c74c1368c4d00ddf42fc9af2bf2f3ebf7f31f05b7463a11612e01

    SHA512

    f0bc0689c04d27e6d0a056f59a239b894af4d66c97059a5e2e1b22c4e26a5bf74bab7ea4915a665f189e27d32ffe03e0af7875382ac4f4ca70acc71fd7fa79bf

    Download Submit

  • memory/1788-0-0x0000000002940000-0x0000000002950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1788-1-0x0000000002940000-0x0000000002950000-memory.dmp

    Filesize

    64KB

    Download