General

  • Target

    016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

  • Size

    7.0MB

  • Sample

    220201-kj9fvabehq

  • MD5

    ad11e4ce54e0c37b77fc47efe6f6ddd1

  • SHA1

    1045d499c1099edb576f1468796fe5520fc8e689

  • SHA256

    016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

  • SHA512

    54fd5afabd7c12ea7656c13cdc6c332efa490a068a9d2ada918f02d5e47e6e72949fe53b0ad3e664d9df17820bcb125c60453b2277fe69e8788656fe9c963091

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    http://myexternalip.com/raw

Targets

    • Target

      FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

    • Size

      1.2MB

    • MD5

      607d292bdcdde297252e002e613282ae

    • SHA1

      0161d2dd582d064f7e7f50ccb43478ff0884916a

    • SHA256

      0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

    • SHA512

      2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

    • Size

      1.2MB

    • MD5

      76b640aa00354e46b29ca7ac2adfd732

    • SHA1

      afebf9d72ba7186afefebf4deda87675621b0b8b

    • SHA256

      0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

    • SHA512

      fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620

    • Size

      1.2MB

    • MD5

      268360527625d09e747d9f7ab1f84da5

    • SHA1

      09772eb89c9743d3a6d7b2709c76e9740aa4c4b1

    • SHA256

      42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620

    • SHA512

      07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

    • Size

      1.2MB

    • MD5

      907636b28d162f7110b067a8178fa38c

    • SHA1

      048ae4691fe267e7c8d9eda5361663593747142a

    • SHA256

      6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

    • SHA512

      501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

    • Size

      1.2MB

    • MD5

      1fa1b6d4b3ed867c1d4baffc77417611

    • SHA1

      afb5e385f9cc8910d7a970b6c32b8d79295579da

    • SHA256

      91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

    • SHA512

      0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Target

      FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

    • Size

      1.2MB

    • MD5

      c82d64850d35cc6a536c11adbd261cf6

    • SHA1

      9f4d070a1b4668d110b57c167c4527fa2752c1fe

    • SHA256

      941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1

    • SHA512

      777a06d73e70a881d5b3872236ba8b53aa4d42f94ad247c109980847ccd6d0c531d30afef10315d7b5fe70c7fe4496f932aaac41f6aec76e98474c44bb781002

    • Matrix Ransomware

      Targeted ransomware with information collection and encryption functionality.

    • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
N/A

behavioral1

matrix discovery persistence ransomware spyware stealer suricata upx
Score
10/10

behavioral2

matrix persistence ransomware spyware stealer suricata
Score
10/10

behavioral3

matrix discovery persistence ransomware suricata upx
Score
10/10

behavioral4

matrix persistence ransomware suricata
Score
10/10

behavioral5

matrix discovery persistence ransomware spyware stealer suricata upx
Score
10/10

behavioral6

matrix ransomware spyware stealer suricata
Score
10/10

behavioral7

matrix discovery persistence ransomware suricata upx
Score
10/10

behavioral8

matrix ransomware suricata
Score
10/10

behavioral9

matrix discovery persistence ransomware spyware stealer suricata upx
Score
10/10

behavioral10

matrix ransomware spyware stealer suricata
Score
10/10

behavioral11

matrix discovery persistence ransomware spyware stealer suricata upx
Score
10/10

behavioral12

matrix persistence ransomware spyware stealer suricata
Score
10/10