Overview

overview

10

Static

static

10

out.exe

windows11-21h2-x64

10

out.exe

windows7-x64

10

out.exe

windows10-2004-x64

10

out.exe

windows10-ltsc_2021-x64

10

out.exe

windows11-21h2-x64

10

f354148b5f...0f.exe

windows10-2004-x64

7

f354148b5f...0f.exe

windows7-x64

6

f354148b5f...0f.exe

windows10-2004-x64

7

f354148b5f...0f.exe

windows10-ltsc_2021-x64

7

f354148b5f...0f.exe

windows11-21h2-x64

6

f7caf7d69c...6a.exe

windows10-ltsc_2021-x64

10

f7caf7d69c...6a.exe

windows7-x64

10

f7caf7d69c...6a.exe

windows10-2004-x64

10

f7caf7d69c...6a.exe

windows10-ltsc_2021-x64

10

f7caf7d69c...6a.exe

windows11-21h2-x64

10

fcb6844506...93.exe

windows7-x64

1

fcb6844506...93.exe

windows7-x64

1

fcb6844506...93.exe

windows10-2004-x64

3

fcb6844506...93.exe

windows10-ltsc_2021-x64

3

fcb6844506...93.exe

windows11-21h2-x64

3

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

250325-qdtq4aznv6 10

25/03/2025, 13:05

250325-qbtcjszns3 10

25/03/2025, 13:01

250325-p9k86awxat 10

25/03/2025, 12:55

250325-p58tnawwe1 10

25/03/2025, 12:51

250325-p3txqazmt6 10

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Analysis

  • max time kernel
    107s
  • max time network
    109s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250314-en
  • resource tags

    arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/03/2025, 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    out.exe

  • Size

    67KB

  • MD5

    b976d86caac14a71b0326e4da3accced

  • SHA1

    40fcfb07f10a62964ddfe502a9c04c8ebc710ab9

  • SHA256

    a6fbf55fafcf68634bfc24149e0626ee1d8ca9c0e587850d8382436c6abfed9d

  • SHA512

    433d260508326bf4d33a30ce1186bd81c0d6d422f8ddc90f647109714414f89a6230be28d7522a01cc30150b78863bc050119350c48981a83336307ab0c5bfff

  • SSDEEP

    768:YDjahoICS4AIiaVRShxdEe+T0iN2QwdincJ9JGEKvr1Bg2QpXeCggfV:6zICS4AT6GxdEe+TOdincJXvKvQZg

Score
10/10
blackmatterdiscoveryransomware

Malware Config

Extracted

Path

C:\Dtn8dnb82.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> Data leak includes 1. Full emloyeers personal data 2. Network information 3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Blackmatter family
    blackmatter
  • Renames multiple (158) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 3 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\out.exe
    "C:\Users\Admin\AppData\Local\Temp\out.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Dtn8dnb82.README.txt
    Filesize

    1KB

    MD5

    f66968c47a64569e2281f65a95991be0

    SHA1

    ef9e3e80bfbea4c3021b226cb8cd00687013b8a8

    SHA256

    4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf

    SHA512

    cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

    Download Submit

  • memory/4828-1-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4828-0-0x00000000008E0000-0x00000000008F0000-memory.dmp

    Filesize

    64KB

    Download