Analysis

  • max time kernel
    87s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 08:39

General

  • Target

    FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

  • Size

    1.2MB

  • MD5

    76b640aa00354e46b29ca7ac2adfd732

  • SHA1

    afebf9d72ba7186afefebf4deda87675621b0b8b

  • SHA256

    0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

  • SHA512

    fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 3 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWZrWfQB.exe"
      2⤵
        PID:1016
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWZrWfQB.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWZrWfQB.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1612
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\jDVDZFYL.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
            PID:4320
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 75365bb5bbe9f8469f7489fa6ef134fc PPhOZ3TibEms6cG7B6yjiw.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:4480
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1120

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1120-138-0x00000205B3730000-0x00000205B3740000-memory.dmp

        Filesize

        64KB

      • memory/1120-139-0x00000205B5BB0000-0x00000205B5BB4000-memory.dmp

        Filesize

        16KB