Resubmissions
25/03/2025, 13:12
250325-qfl42aznw9 1025/03/2025, 13:09
250325-qdtq4aznv6 1025/03/2025, 13:05
250325-qbtcjszns3 1025/03/2025, 13:01
250325-p9k86awxat 1025/03/2025, 12:55
250325-p58tnawwe1 1025/03/2025, 12:51
250325-p3txqazmt6 1005/02/2025, 11:16
250205-ndjvsavrdm 1016/07/2024, 08:54
240716-kt64gavakp 10Analysis
-
max time kernel
104s -
max time network
107s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
25/03/2025, 12:55
General
-
Target
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
-
Size
80KB
-
MD5
e3269531cf93d040b08074bfb31b72a0
-
SHA1
45b6d89dcea02cc90ae054d72ec80a2eb1036a7e
-
SHA256
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859
-
SHA512
e4de5613557ff15f23e2c28763fee6443c81351401974389e1c01cb979efc81c0ff397b85ba3fc6f0204f7c5e0c7617617130d38b441748446e72a0fbb7a12b0
-
SSDEEP
1536:NE+VYVYMC2F7Aoter2j1lYgpM2HT02F4mHI5PsOqy:2+G3eaj0g+2HT025Hs
Malware Config
Extracted
C:\QkiINTXIT.README.txt
blackmatter
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Extracted
blackmatter
1.2
Signatures
-
BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
-
Blackmatter family
-
Renames multiple (145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exeC:\Users\Admin\AppData\Local\Temp\3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe bcdedit /set shutdown /r /f /t 21⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f66968c47a64569e2281f65a95991be0
SHA1ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA2564b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24
-
Filesize
92KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
92KB