Overview

overview

10

Static

static

10

706F3EEC32...39D.7z

windows11-21h2-x64

706F3EEC32...39D.7z

windows7-x64

706F3EEC32...39D.7z

windows10-2004-x64

706F3EEC32...39D.7z

windows10-ltsc_2021-x64

706F3EEC32...39D.7z

windows11-21h2-x64

706F3EEC32...9D.exe

windows7-x64

10

706F3EEC32...9D.exe

windows7-x64

10

706F3EEC32...9D.exe

windows10-2004-x64

10

706F3EEC32...9D.exe

windows10-ltsc_2021-x64

10

706F3EEC32...9D.exe

windows11-21h2-x64

10

Resubmissions

25/03/2025, 13:19

250325-qkkrrszps5 10

05/02/2025, 11:22

250205-ngk71strbx 10

25/06/2024, 15:43

240625-s6cz6a1gnj 10

25/06/2024, 15:17

240625-sn4p6axdma 10

Analysis

  • max time kernel
    119s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

  • Size

    79KB

  • MD5

    62a1b4d4b461f4eaae91c70727f71604

  • SHA1

    1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2

  • SHA256

    706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d

  • SHA512

    d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542

  • SSDEEP

    1536:DnICS4ArFnRoHhcVyid9EZZoi+zQ95f8IwdON:QZnmqVyq9EN+M95bwE

Score
10/10
blackmatterdiscoveryransomware

Malware Config

Extracted

Path

C:\yHh8Ghp8e.README.txt

Family

blackmatter

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

  • BlackMatter Ransomware

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    ransomwareblackmatter
  • Blackmatter family
    blackmatter
  • Renames multiple (158) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 3 IoCs
    defense_evasion
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
    C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\yHh8Ghp8e.README.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarAE7F.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\Desktop\OpenBackup.xlsx.yHh8Ghp8e
    Filesize

    13KB

    MD5

    65be9a6b7af87036dd52de08e00c1eff

    SHA1

    c41a6862d8a507c51cfb89ae8d712a28bcf3c081

    SHA256

    8a684e464c44b00c9429948794393a90c10c210abe3ee2853e0e76968d5958cc

    SHA512

    8ae894f97b924ebc3e3ea06093b37098444aefcf8f6cde38dffa61750d723fdb37cb99f45d8fea57c9a2acd87759712a2b6505934217d0c636314ef864af695e

    Download Submit

  • C:\yHh8Ghp8e.README.txt
    Filesize

    1KB

    MD5

    1ba53a2b703aeb54647185c18cc1ddbd

    SHA1

    0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

    SHA256

    74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

    SHA512

    15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

    Download Submit

  • memory/1924-0-0x0000000000B10000-0x0000000000B50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2696-314-0x00000000044C0000-0x00000000044D0000-memory.dmp

    Filesize

    64KB

    Download