Extracted

• • Target

    66448fe45bdb015c87688470a2e98f1fdef839906a517a9c37da1d96b497b53f

  • Size

    2.6MB

  • MD5

    bd90a796396be691b806fee34bdcc27b

  • SHA1

    8477fdec639e673dfc586e7a37cb2049d0927601

  • SHA256

    66448fe45bdb015c87688470a2e98f1fdef839906a517a9c37da1d96b497b53f

  • SHA512

    96023528edacfe8afd923839a8e964e72387afa82ceab7f965cb4149375ca1aaff266d0b7213c697e1719786f466a4d27b201534055df0f11734bb632583bccc

  Score

  10^/10

  matrixdiscoveryevasionpersistenceransomwaresuricataupx

  • Matrix Ransomware

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix

  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Modifies boot configuration data using bcdedit

    ransomwareevasion

  • Blocklisted process makes network request

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Sets service image path in registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1behavioral2