Overview
overview
10Static
static
FoxRansomw...65.exe
windows7_x64
10FoxRansomw...65.exe
windows10-2004_x64
10FoxRansomw...a7.exe
windows7_x64
10FoxRansomw...a7.exe
windows10-2004_x64
10FoxRansomw...20.exe
windows7_x64
10FoxRansomw...20.exe
windows10-2004_x64
10FoxRansomw...0b.exe
windows7_x64
10FoxRansomw...0b.exe
windows10-2004_x64
10FoxRansomw...53.exe
windows7_x64
10FoxRansomw...53.exe
windows10-2004_x64
10FoxRansomw...b1.exe
windows7_x64
10FoxRansomw...b1.exe
windows10-2004_x64
10Analysis
-
max time kernel
163s -
max time network
132s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 08:39
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-en-20220112
General
-
Target
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
-
Size
1.2MB
-
MD5
907636b28d162f7110b067a8178fa38c
-
SHA1
048ae4691fe267e7c8d9eda5361663593747142a
-
SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
-
SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files\VideoLAN\VLC\lua\http\css\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\jfr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\Antarctica\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Admin\Documents\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\plugins\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Public\Pictures\Sample Pictures\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\Dictionaries\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Mozilla Firefox\browser\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Mozilla Firefox\fonts\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Admin\Music\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Mozilla Firefox\uninstall\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\Africa\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\management\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\America\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Microsoft Office\Office14\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\amd64\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 10 1560 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS ata6BnUW64.exe -
Executes dropped EXE 3 IoCs
pid Process 1344 NWjIWxqe.exe 1376 ata6BnUW.exe 752 ata6BnUW64.exe -
Sets service image path in registry 2 TTPs
-
resource yara_rule behavioral7/files/0x0005000000014046-68.dat upx behavioral7/files/0x0005000000014046-69.dat upx behavioral7/files/0x0005000000014046-70.dat upx -
Loads dropped DLL 4 IoCs
pid Process 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 1344 cmd.exe 1376 ata6BnUW.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1592 takeown.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\P: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\J: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\J: ata6BnUW64.exe File opened (read-only) \??\M: ata6BnUW64.exe File opened (read-only) \??\Y: ata6BnUW64.exe File opened (read-only) \??\U: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Q: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\X: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\W: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: ata6BnUW64.exe File opened (read-only) \??\I: ata6BnUW64.exe File opened (read-only) \??\L: ata6BnUW64.exe File opened (read-only) \??\R: ata6BnUW64.exe File opened (read-only) \??\K: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\U: ata6BnUW64.exe File opened (read-only) \??\V: ata6BnUW64.exe File opened (read-only) \??\T: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Q: ata6BnUW64.exe File opened (read-only) \??\S: ata6BnUW64.exe File opened (read-only) \??\T: ata6BnUW64.exe File opened (read-only) \??\X: ata6BnUW64.exe File opened (read-only) \??\F: ata6BnUW64.exe File opened (read-only) \??\Y: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\R: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\O: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\M: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\F: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: ata6BnUW64.exe File opened (read-only) \??\G: ata6BnUW64.exe File opened (read-only) \??\N: ata6BnUW64.exe File opened (read-only) \??\W: ata6BnUW64.exe File opened (read-only) \??\N: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\L: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\A: ata6BnUW64.exe File opened (read-only) \??\B: ata6BnUW64.exe File opened (read-only) \??\P: ata6BnUW64.exe File opened (read-only) \??\Z: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\S: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\K: ata6BnUW64.exe File opened (read-only) \??\O: ata6BnUW64.exe File opened (read-only) \??\Z: ata6BnUW64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\ZbUSLsrw.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\MET 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Winnipeg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Baku 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105384.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 360 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1904 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1560 powershell.exe 752 ata6BnUW64.exe 752 ata6BnUW64.exe 752 ata6BnUW64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 752 ata6BnUW64.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1560 powershell.exe Token: SeDebugPrivilege 752 ata6BnUW64.exe Token: SeLoadDriverPrivilege 752 ata6BnUW64.exe Token: SeBackupPrivilege 1628 vssvc.exe Token: SeRestorePrivilege 1628 vssvc.exe Token: SeAuditPrivilege 1628 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 732 wrote to memory of 1520 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 28 PID 732 wrote to memory of 1520 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 28 PID 732 wrote to memory of 1520 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 28 PID 732 wrote to memory of 1520 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 28 PID 732 wrote to memory of 1344 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 30 PID 732 wrote to memory of 1344 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 30 PID 732 wrote to memory of 1344 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 30 PID 732 wrote to memory of 1344 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 30 PID 732 wrote to memory of 1616 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 34 PID 732 wrote to memory of 1616 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 34 PID 732 wrote to memory of 1616 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 34 PID 732 wrote to memory of 1616 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 34 PID 1616 wrote to memory of 1560 1616 cmd.exe 36 PID 1616 wrote to memory of 1560 1616 cmd.exe 36 PID 1616 wrote to memory of 1560 1616 cmd.exe 36 PID 1616 wrote to memory of 1560 1616 cmd.exe 36 PID 732 wrote to memory of 748 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 732 wrote to memory of 748 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 732 wrote to memory of 748 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 732 wrote to memory of 748 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 732 wrote to memory of 564 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 38 PID 732 wrote to memory of 564 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 38 PID 732 wrote to memory of 564 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 38 PID 732 wrote to memory of 564 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 38 PID 564 wrote to memory of 1648 564 cmd.exe 41 PID 564 wrote to memory of 1648 564 cmd.exe 41 PID 564 wrote to memory of 1648 564 cmd.exe 41 PID 564 wrote to memory of 1648 564 cmd.exe 41 PID 748 wrote to memory of 1664 748 cmd.exe 42 PID 748 wrote to memory of 1664 748 cmd.exe 42 PID 748 wrote to memory of 1664 748 cmd.exe 42 PID 748 wrote to memory of 1664 748 cmd.exe 42 PID 748 wrote to memory of 1524 748 cmd.exe 43 PID 748 wrote to memory of 1524 748 cmd.exe 43 PID 748 wrote to memory of 1524 748 cmd.exe 43 PID 748 wrote to memory of 1524 748 cmd.exe 43 PID 748 wrote to memory of 1476 748 cmd.exe 44 PID 748 wrote to memory of 1476 748 cmd.exe 44 PID 748 wrote to memory of 1476 748 cmd.exe 44 PID 748 wrote to memory of 1476 748 cmd.exe 44 PID 732 wrote to memory of 1156 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 46 PID 732 wrote to memory of 1156 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 46 PID 732 wrote to memory of 1156 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 46 PID 732 wrote to memory of 1156 732 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 46 PID 1156 wrote to memory of 1732 1156 cmd.exe 48 PID 1156 wrote to memory of 1732 1156 cmd.exe 48 PID 1156 wrote to memory of 1732 1156 cmd.exe 48 PID 1156 wrote to memory of 1732 1156 cmd.exe 48 PID 1156 wrote to memory of 1880 1156 cmd.exe 49 PID 1156 wrote to memory of 1880 1156 cmd.exe 49 PID 1156 wrote to memory of 1880 1156 cmd.exe 49 PID 1156 wrote to memory of 1880 1156 cmd.exe 49 PID 1156 wrote to memory of 1592 1156 cmd.exe 50 PID 1156 wrote to memory of 1592 1156 cmd.exe 50 PID 1156 wrote to memory of 1592 1156 cmd.exe 50 PID 1156 wrote to memory of 1592 1156 cmd.exe 50 PID 1156 wrote to memory of 1344 1156 cmd.exe 51 PID 1156 wrote to memory of 1344 1156 cmd.exe 51 PID 1156 wrote to memory of 1344 1156 cmd.exe 51 PID 1156 wrote to memory of 1344 1156 cmd.exe 51 PID 1344 wrote to memory of 1376 1344 cmd.exe 52 PID 1344 wrote to memory of 1376 1344 cmd.exe 52 PID 1344 wrote to memory of 1376 1344 cmd.exe 52 PID 1344 wrote to memory of 1376 1344 cmd.exe 52 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1732 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWjIWxqe.exe"2⤵PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWjIWxqe.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWjIWxqe.exe" -n2⤵
- Executes dropped EXE
PID:1344
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\UxEdXYu5.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZbUSLsrw.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZbUSLsrw.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1664
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1524
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ezou9v4F.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ezou9v4F.vbs"3⤵PID:1648
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\94w5FyNX.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:1888
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\94w5FyNX.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:360
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:816
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:1792
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\A8MCq2rp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵
- Views/modifies file attributes
PID:1732
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C3⤵PID:1880
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵
- Modifies file permissions
PID:1592
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ata6BnUW.exe -accepteula "SignHere.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\ata6BnUW.exeata6BnUW.exe -accepteula "SignHere.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\ata6BnUW64.exeata6BnUW.exe -accepteula "SignHere.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {4B1FF62E-C1F6-4EB9-AA99-C0FEC8608460} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]1⤵PID:1164
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\94w5FyNX.bat"2⤵PID:1444
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1904
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
2