Introduction
In this walk-through we investigate a BlackMatter ransomware infection with ProcDOT, a tool that visualizes Process Monitor and network-capture data so that process, file, registry and network activity can be followed as a graph during a malware investigation.
The firewall alerted the Security Operations Center that one of the machines in the Sales department, which stores all of the customer data, had contacted malicious domains over the network. When the Security Analysts looked closely, the data sent to those domains contained suspicious base64-encoded strings. The Analysts brought in the Incident Response team to pull the Process Monitor log and the network traffic and determine whether the host was infected. Once they got onto the machine, the wallpaper and the ransom note made it clear that this was a ransomware attack.
Can you find more evidence of compromise on the host and what ransomware was involved in the attack?
Getting Started with Procdot
First, an introduction to ProcDOT, a visualization tool for malware analysis. It takes two main inputs: a Process Monitor export in CSV format and a Wireshark packet capture (a PCAP file), recorded over the same time window so that ProcDOT can correlate them. From these it builds a graph of everything that happened on the system, which makes malicious activity much easier to spot. To generate the inputs, start Wireshark to capture network traffic, let the sample execute while Process Monitor is recording, then export the Process Monitor events as CSV and save the capture.
Diving into the Analysis
With the setup out of the way, I start ProcDOT and load the Process Monitor log. The first thing I do is look for suspicious processes, and I quickly spot two odd-looking explorer.exe processes. One has a typo in its name (“explorer.exe” with an extra ‘e’), and the other is making unusual external connections. These are the first clues. I note their Process IDs (PIDs): 644 and 7128.
Visualizing the Attack
Next, I generate the visualization graph in ProcDOT. The graph shows exactly what the ransomware did, including which files it encrypted, where it sent data, and the original file path of the ransomware itself. Following the connections in the graph, I find that the ransomware first executed from C:\Users\Sales\AppData\Local\Temp\explorer.exe.
Uncovering the C2 Infrastructure
The visualization also reveals that the suspicious explorer.exe process was communicating with external IP addresses. To find the command and control (C2) domains, I switch to Wireshark and filter for HTTP POST requests. This leads to the first C2 domain, mojobiden.com. Pivoting on it in VirusTotal turns up a second domain, paymenthacks.com. The IP addresses associated with these domains are 206.111.88.197 and 146.112.61.108.
More Forensic Details
Digging deeper into the Wireshark capture, I follow the TCP stream of one of the POST requests and find that the User-Agent header used for data exfiltration was Firefox 89.0. I also discover that a cloud security service, Cisco Umbrella, blocked one of the malicious domains, which is why the stream shows a “403 Forbidden” response.
Ransomware Artifacts
Back in the ProcDOT visualization, I find a registry write to the desktop wallpaper value. This reveals the name of the bitmap file used as the ransom note wallpaper: ldykpi9r.bmap. The PID of the process that attempted to change the wallpaper is 4892. I also find the registry key for a drive the ransomware mounted: HKLM\SYSTEM\MountedDevices\DosDevices\Z:.
Identifying the Ransomware
Finally, using the IP addresses and file hashes collected so far, I turn to AlienVault OTX to identify the ransomware family. The evidence points to BlackMatter.
Technical Commands
Here are the technical commands used during the investigation:
- In Wireshark, to filter for HTTP POST requests: http.request.method == "POST"
- In the terminal, to resolve a domain to its IP address: nslookup mojobiden.com (and likewise for paymenthacks.com)
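The same triage can be scripted against the Process Monitor CSV export before it is loaded into ProcDOT. The following is an added example, not code from the room or from ProcDOT: it runs over constructed Procmon rows (invented here, with the page's PIDs, path and registry keys) and flags image names that masquerade as system binaries outside C:\Windows, near-miss lookalike names such as an extra letter in explorer.exe, child PIDs spawned by flagged processes, and wallpaper or MountedDevices registry writes made by those processes.

```python
import csv
import io
import ntpath
import re
from difflib import get_close_matches

# Constructed Procmon CSV export (sample rows invented for this example, not the
# room's real log); the columns follow Procmon's default CSV layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","explorer.exe","1234","Process Create","C:\Users\Sales\AppData\Local\Temp\explorer.exe","SUCCESS","PID: 644, Command line: C:\Users\Sales\AppData\Local\Temp\explorer.exe"
"10:01:03","explorer.exe","644","Process Create","C:\Users\Sales\AppData\Local\Temp\exploreer.exe","SUCCESS","PID: 7128, Command line: C:\Users\Sales\AppData\Local\Temp\exploreer.exe"
"10:01:04","exploreer.exe","7128","CreateFile","C:\Users\Sales\Documents\customers.xlsx","SUCCESS","Desired Access: Generic Write"
"10:01:05","explorer.exe","644","RegSetValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\ProgramData\ldykpi9r.bmap"
"10:01:06","explorer.exe","644","RegSetValue","HKLM\SYSTEM\MountedDevices\DosDevices\Z:","SUCCESS","Type: REG_BINARY, Length: 12"
"10:01:07","explorer.exe","2000","Process Create","C:\Windows\explorer.exe","SUCCESS","PID: 2100, Command line: C:\Windows\explorer.exe"
'''

SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
TRUSTED_DIR = "c:\\windows\\"  # genuine copies of the names above live under here

def classify_image(path):
    """Return a reason string if the image path looks like masquerading, else None."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_NAMES and not path.lower().startswith(TRUSTED_DIR):
        return f"system binary name '{name}' running from {ntpath.dirname(path)}"
    if name not in SYSTEM_NAMES:
        near = get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.85)
        if near:  # e.g. 'exploreer.exe' scores 0.96 against 'explorer.exe'
            return f"'{name}' is a lookalike of {near[0]}"
    return None

def triage(csv_text):
    flagged, wallpapers, mounted = {}, [], []  # flagged: child PID -> reason
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, op, path, detail = int(row["PID"]), row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":  # Path is the child image, Detail carries the child PID
            child = re.search(r"PID:\s*(\d+)", detail)
            reason = classify_image(path) or (f"spawned by flagged PID {pid}" if pid in flagged else None)
            if child and reason:
                flagged[int(child.group(1))] = reason
        elif op == "RegSetValue" and pid in flagged:
            if path.lower().endswith(r"\control panel\desktop\wallpaper"):
                data = re.search(r"Data:\s*(.+)$", detail)
                if data:
                    wallpapers.append((pid, ntpath.basename(data.group(1))))
            elif "\\mounteddevices\\" in path.lower():
                mounted.append((pid, path))
    return {"flagged": flagged, "wallpapers": wallpapers, "mounted_drives": mounted}
```

Calling triage(SAMPLE_CSV) returns the two flagged PIDs with the reason each was flagged, the wallpaper bitmap name, and the MountedDevices key, which are the same artifacts the ProcDOT graph surfaces above.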
TryHackMe Dunkle Materie Answers
Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)
Provide the full path from which the ransomware initially executed. (Include the full path in your answer)
What are the IPs of the malicious domains? (no space in the answer)
Provide the user-agent used to transfer the encrypted data to the C2 channel.
Provide the cloud security service that blocked the malicious domain.
Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.
Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim’s machine.
The ransomware mounted a drive and assigned it a drive letter. Provide the registry key path to the mounted drive, including the drive letter.
Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)