Overview
overview
10Static
static
FoxRansomw...65.exe
windows7_x64
10FoxRansomw...65.exe
windows10-2004_x64
10FoxRansomw...a7.exe
windows7_x64
10FoxRansomw...a7.exe
windows10-2004_x64
10FoxRansomw...20.exe
windows7_x64
10FoxRansomw...20.exe
windows10-2004_x64
10FoxRansomw...0b.exe
windows7_x64
10FoxRansomw...0b.exe
windows10-2004_x64
10FoxRansomw...53.exe
windows7_x64
10FoxRansomw...53.exe
windows10-2004_x64
10FoxRansomw...b1.exe
windows7_x64
10FoxRansomw...b1.exe
windows10-2004_x64
10Analysis
-
max time kernel
163s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 08:39
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-en-20220112
General
-
Target
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
-
Size
1.2MB
-
MD5
76b640aa00354e46b29ca7ac2adfd732
-
SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b
-
SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
-
SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Mozilla Firefox\browser\features\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\cmm\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\ext\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\images\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\zi\Atlantic\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\security\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 9 888 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS x7CWUbd864.exe -
Executes dropped EXE 3 IoCs
pid Process 1132 NWlAsQ0H.exe 832 x7CWUbd8.exe 1252 x7CWUbd864.exe -
Sets service image path in registry 2 TTPs
-
resource yara_rule behavioral3/files/0x000600000001265d-69.dat upx behavioral3/files/0x000600000001265d-68.dat upx behavioral3/files/0x000600000001265d-70.dat upx -
Loads dropped DLL 4 IoCs
pid Process 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 1708 cmd.exe 832 x7CWUbd8.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1808 takeown.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\S: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\M: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Y: x7CWUbd864.exe File opened (read-only) \??\X: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\P: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\B: x7CWUbd864.exe File opened (read-only) \??\G: x7CWUbd864.exe File opened (read-only) \??\V: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Q: x7CWUbd864.exe File opened (read-only) \??\S: x7CWUbd864.exe File opened (read-only) \??\U: x7CWUbd864.exe File opened (read-only) \??\W: x7CWUbd864.exe File opened (read-only) \??\T: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Q: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\K: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\H: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\F: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: x7CWUbd864.exe File opened (read-only) \??\M: x7CWUbd864.exe File opened (read-only) \??\N: x7CWUbd864.exe File opened (read-only) \??\O: x7CWUbd864.exe File opened (read-only) \??\Y: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\R: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\O: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: x7CWUbd864.exe File opened (read-only) \??\K: x7CWUbd864.exe File opened (read-only) \??\R: x7CWUbd864.exe File opened (read-only) \??\X: x7CWUbd864.exe File opened (read-only) \??\T: x7CWUbd864.exe File opened (read-only) \??\V: x7CWUbd864.exe File opened (read-only) \??\W: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\U: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\L: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\A: x7CWUbd864.exe File opened (read-only) \??\H: x7CWUbd864.exe File opened (read-only) \??\J: x7CWUbd864.exe File opened (read-only) \??\P: x7CWUbd864.exe File opened (read-only) \??\Z: x7CWUbd864.exe File opened (read-only) \??\N: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\F: x7CWUbd864.exe File opened (read-only) \??\L: x7CWUbd864.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\kqDKmwP5.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OEMPRINT.CAT 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Brunei 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nb.pak 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099182.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Sydney 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\README.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\MST 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1228 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1068 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 888 powershell.exe 1252 x7CWUbd864.exe 1252 x7CWUbd864.exe 1252 x7CWUbd864.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1252 x7CWUbd864.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 888 powershell.exe Token: SeDebugPrivilege 1252 x7CWUbd864.exe Token: SeLoadDriverPrivilege 1252 x7CWUbd864.exe Token: SeBackupPrivilege 572 vssvc.exe Token: SeRestorePrivilege 572 vssvc.exe Token: SeAuditPrivilege 572 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 1752 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 28 PID 1736 wrote to memory of 1752 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 28 PID 1736 wrote to memory of 1752 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 28 PID 1736 wrote to memory of 1752 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 28 PID 1736 wrote to memory of 1132 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 30 PID 1736 wrote to memory of 1132 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 30 PID 1736 wrote to memory of 1132 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 30 PID 1736 wrote to memory of 1132 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 30 PID 1736 wrote to memory of 1068 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 34 PID 1736 wrote to memory of 1068 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 34 PID 1736 wrote to memory of 1068 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 34 PID 1736 wrote to memory of 1068 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 34 PID 1068 wrote to memory of 888 1068 cmd.exe 36 PID 1068 wrote to memory of 888 1068 cmd.exe 36 PID 1068 wrote to memory of 888 1068 cmd.exe 36 PID 1068 wrote to memory of 888 1068 cmd.exe 36 PID 1736 wrote to memory of 1592 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 1736 wrote to memory of 1592 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 1736 wrote to memory of 1592 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 1736 wrote to memory of 1592 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 1736 wrote to memory of 1364 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 1736 wrote to memory of 1364 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 1736 wrote to memory of 1364 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 1736 wrote to memory of 1364 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 1592 wrote to memory of 668 1592 cmd.exe 41 PID 1592 wrote to memory of 668 1592 cmd.exe 41 PID 1592 wrote to memory of 668 1592 cmd.exe 41 PID 1592 wrote to memory of 668 1592 cmd.exe 41 PID 1736 wrote to memory of 1816 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 43 PID 1736 wrote to memory of 1816 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 43 PID 1736 wrote to memory of 1816 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 43 PID 1736 wrote to memory of 1816 1736 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 43 PID 1816 wrote to memory of 1080 1816 cmd.exe 45 PID 1816 wrote to memory of 1080 1816 cmd.exe 45 PID 1816 wrote to memory of 1080 1816 cmd.exe 45 PID 1816 wrote to memory of 1080 1816 cmd.exe 45 PID 1364 wrote to memory of 1916 1364 cmd.exe 42 PID 1364 wrote to memory of 1916 1364 cmd.exe 42 PID 1364 wrote to memory of 1916 1364 cmd.exe 42 PID 1364 wrote to memory of 1916 1364 cmd.exe 42 PID 1592 wrote to memory of 1064 1592 cmd.exe 46 PID 1592 wrote to memory of 1064 1592 cmd.exe 46 PID 1592 wrote to memory of 1064 1592 cmd.exe 46 PID 1592 wrote to memory of 1064 1592 cmd.exe 46 PID 1592 wrote to memory of 1728 1592 cmd.exe 47 PID 1592 wrote to memory of 1728 1592 cmd.exe 47 PID 1592 wrote to memory of 1728 1592 cmd.exe 47 PID 1592 wrote to memory of 1728 1592 cmd.exe 47 PID 1816 wrote to memory of 1660 1816 cmd.exe 48 PID 1816 wrote to memory of 1660 1816 cmd.exe 48 PID 1816 wrote to memory of 1660 1816 cmd.exe 48 PID 1816 wrote to memory of 1660 1816 cmd.exe 48 PID 1816 wrote to memory of 1808 1816 cmd.exe 49 PID 1816 wrote to memory of 1808 1816 cmd.exe 49 PID 1816 wrote to memory of 1808 1816 cmd.exe 49 PID 1816 wrote to memory of 1808 1816 cmd.exe 49 PID 1816 wrote to memory of 1708 1816 cmd.exe 50 PID 1816 wrote to memory of 1708 1816 cmd.exe 50 PID 1816 wrote to memory of 1708 1816 cmd.exe 50 PID 1816 wrote to memory of 1708 1816 cmd.exe 50 PID 1708 wrote to memory of 832 1708 cmd.exe 51 PID 1708 wrote to memory of 832 1708 cmd.exe 51 PID 1708 wrote to memory of 832 1708 cmd.exe 51 PID 1708 wrote to memory of 832 1708 cmd.exe 51 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1080 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe"2⤵PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWlAsQ0H.exe" -n2⤵
- Executes dropped EXE
PID:1132
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\K73dccXq.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kqDKmwP5.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\kqDKmwP5.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:668
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1064
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1728
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QeOC2pbw.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QeOC2pbw.vbs"3⤵PID:1916
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:1724
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:1228
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:1716
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:1168
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\e9EhWF6F.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Views/modifies file attributes
PID:1080
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵PID:1660
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Modifies file permissions
PID:1808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c x7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\x7CWUbd8.exex7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Users\Admin\AppData\Local\Temp\x7CWUbd864.exex7CWUbd8.exe -accepteula "ENUtxt.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EFC26F6A-0ECD-41A0-ADD4-B0D63C06595B} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]1⤵PID:1568
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wT305Pzq.bat"2⤵PID:2044
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1068
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
2