blackmatter | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

General

Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Size

80KB
MD5

5c66cd4f21254f83663819138e634dd9
SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62
SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
SSDEEP

768:JHVfahoICS4AI4kyPh2qFSpAM0zHTMoXsLipP4+1Kkxwz5m7HEzETWOUP9LXzTN:/nICS4A79p2qFTM2HT02F4mHI5msOq

Score

10^/10

blackmatter discovery ransomware

Malware Config

Extracted

Path

F:\WK6xExOxr.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Blackmatter family
blackmatter
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WK6xExOxr.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WK6xExOxr.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\International	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Control Panel\Desktop\WallpaperStyle = "10"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file\shell\edit\ = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.WK6xExOxr	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.WK6xExOxr\ = "WK6xExOxr_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\WK6xExOxr_auto_file\shell\edit\command	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3036	Winword.exe
3036	Winword.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
640	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeDebugPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 36	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeImpersonatePrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncBasePriorityPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncreaseQuotaPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 33	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeManageVolumePrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeProfSingleProcessPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeRestorePrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSecurityPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSystemProfilePrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeTakeOwnershipPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeShutdownPrivilege	2096	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeBackupPrivilege	5360	vssvc.exe
Token: SeRestorePrivilege	5360	vssvc.exe
Token: SeAuditPrivilege	5360	vssvc.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
640	OpenWith.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe
3036	Winword.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3036	640	OpenWith.exe	88
PID 640 wrote to memory of 3036	640	OpenWith.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
"C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\WaitStop.aiff.WK6xExOxr"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
326B

MD5
8b955a356cb3bd8514dd7bb90add5810

SHA1
570a642e366d5f560d126728a54f7bf058a3a178

SHA256
cfd66b2aee702e5b750205d11c9ee01d0734133cec4a99d9714e9939cbf03811

SHA512
87ba265c843e28ca2125e5ed1cfff392049851c815c56b8a30049285bae7d1c07823de5208399eeee25d16f902b311fac0e7407f35520a82247be9c366ee2366

Download Submit
C:\Users\Admin\Downloads\WaitStop.aiff.WK6xExOxr

Filesize
499KB

MD5
a8ec385f6e92ca8b977de29946070399

SHA1
d8c407629fe80a3553a4003fa9bdefdb37ced47c

SHA256
453fd4ee521338019af9ee59e1dac095aba44a54958dba2d304ffad8d85f71a5

SHA512
fbf26a666386a88902bec55d54274c710296499eef8d3bb5c6ef84d2b41093049b9cf4a3a7fb231207afab3214667fb2c9dde7db06dff9c22f44e48854f8b8cf

Download Submit
F:\WK6xExOxr.README.txt

Filesize
1KB

MD5
896f61d321c4af276b7a80be14715992

SHA1
feca31af9616ac09d73900d32a8dc8d08fce51e6

SHA256
8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

SHA512
81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

Download Submit
memory/2096-1-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/2096-0-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/3036-264-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-262-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-265-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-263-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-266-0x00007FFE8CB70000-0x00007FFE8CB80000-memory.dmp

Filesize
64KB

Download
memory/3036-267-0x00007FFE8CB70000-0x00007FFE8CB80000-memory.dmp

Filesize
64KB

Download
memory/3036-261-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-313-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-314-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-315-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download
memory/3036-312-0x00007FFE8EF50000-0x00007FFE8EF60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads