Overview

overview

10

Static

static

72c5665c43...f5.exe

windows7_x64

10

72c5665c43...f5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe

  • Size

    2.6MB

  • MD5

    1f987de3da76b532d5eb4dc0a8e07edc

  • SHA1

    2002718bb7d81d6661892c6f2631df27eac89f61

  • SHA256

    72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

  • SHA512

    7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

Score
10/10
matrixdiscoveryevasionpersistenceransomwaresuricataupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
    "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe" "C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe"
      2⤵
        PID:1056
      • C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe
        "C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ma6TWcbo.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:512
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3STAYjlo.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\3STAYjlo.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:436
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:1280
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:388
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i7qsm92W.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\i7qsm92W.vbs"
              3⤵
                PID:1232
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat" /sc minute /mo 5 /RL HIGHEST /F
                  4⤵
                    PID:1464
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat" /sc minute /mo 5 /RL HIGHEST /F
                      5⤵
                      • Creates scheduled task(s)
                      PID:840
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                    4⤵
                      PID:112
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /Run /I /tn DSHCA
                        5⤵
                          PID:1540
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\w2KPNC2M.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1716
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
                      3⤵
                      • Views/modifies file attributes
                      PID:456
                    • C:\Windows\SysWOW64\cacls.exe
                      cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
                      3⤵
                        PID:1124
                      • C:\Windows\SysWOW64\takeown.exe
                        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
                        3⤵
                        • Modifies file permissions
                        PID:1784
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
                        3⤵
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1600
                        • C:\Users\Admin\AppData\Local\Temp\DhyQfpmw.exe
                          DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1604
                          • C:\Users\Admin\AppData\Local\Temp\DhyQfpmw64.exe
                            DhyQfpmw.exe -accepteula "DefaultID.pdf" -nobanner
                            5⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Enumerates connected drives
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: LoadsDriver
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1684
                  • C:\Windows\system32\taskeng.exe
                    taskeng.exe {9201C9EF-350D-401D-9F9A-1DD3A7BA142A} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
                    1⤵
                      PID:960
                      • C:\Windows\SYSTEM32\cmd.exe
                        C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\GCmejp5M.bat"
                        2⤵
                          PID:1372
                          • C:\Windows\system32\vssadmin.exe
                            vssadmin Delete Shadows /All /Quiet
                            3⤵
                            • Interacts with shadow copies
                            PID:684
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic SHADOWCOPY DELETE
                            3⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1488
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                            3⤵
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1464
                            • C:\Windows\system32\vssadmin.exe
                              "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                              4⤵
                              • Interacts with shadow copies
                              PID:224
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled No
                            3⤵
                            • Modifies boot configuration data using bcdedit
                            PID:892
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            3⤵
                            • Modifies boot configuration data using bcdedit
                            PID:1280
                          • C:\Windows\system32\schtasks.exe
                            SCHTASKS /Delete /TN DSHCA /F
                            3⤵
                              PID:1488
                        • C:\Windows\system32\vssvc.exe
                          C:\Windows\system32\vssvc.exe
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1584

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\DhyQfpmw.exe
                          MD5

                          2f5b509929165fc13ceab9393c3b911d

                          SHA1

                          b016316132a6a277c5d8a4d7f3d6e2c769984052

                          SHA256

                          0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                          SHA512

                          c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\DhyQfpmw.exe
                          MD5

                          2f5b509929165fc13ceab9393c3b911d

                          SHA1

                          b016316132a6a277c5d8a4d7f3d6e2c769984052

                          SHA256

                          0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                          SHA512

                          c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\DhyQfpmw64.exe
                          MD5

                          3026bc2448763d5a9862d864b97288ff

                          SHA1

                          7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                          SHA256

                          7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                          SHA512

                          d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe
                          MD5

                          1f987de3da76b532d5eb4dc0a8e07edc

                          SHA1

                          2002718bb7d81d6661892c6f2631df27eac89f61

                          SHA256

                          72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                          SHA512

                          7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\NWSO8eY2.exe
                          MD5

                          1f987de3da76b532d5eb4dc0a8e07edc

                          SHA1

                          2002718bb7d81d6661892c6f2631df27eac89f61

                          SHA256

                          72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                          SHA512

                          7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\ma6TWcbo.txt
                          MD5

                          75564e2df4b8c8d33695e8e5e58cb03c

                          SHA1

                          64a796a9f01a1f12bcbe641ecc92541a41ece9b5

                          SHA256

                          bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965

                          SHA512

                          c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\w2KPNC2M.bat
                          MD5

                          544b94dffb6b3338bb22df17a4e9de3a

                          SHA1

                          f4437ca5f7504146cd80d5cca35bfa04ad864255

                          SHA256

                          8e948c92ce0438e0111efab52a26a8fbdff1f3f0402ec4338f2c4625a20e21e0

                          SHA512

                          ab6628e393bd708adeb377ab65be17b725655dfe0b94e3551a3d1b370ec4bbcd669958572ab86c93884b24e70a65d41e850161b64a12fb0565b6750abfdca30c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\GCmejp5M.bat
                          MD5

                          b56e905552be56572b8752a7bf54eda0

                          SHA1

                          c90475c38eec9ea6b53e84a11c54880c96ce0af7

                          SHA256

                          3e7e1c7d5ee1f49aa758b97575daf102525fb28f1ba1034be20b371f4b5466be

                          SHA512

                          91e94c207cf21c8404ea0c4be2b8bb03d80c902abf93f43c5385c11f04cad266dcf266fc532c5e2e61c1d2d2e461d99fd3c71517f1fe9276bf418d26297b19f9

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\i7qsm92W.vbs
                          MD5

                          b2e734ef4a56437b9c491d3f122a687b

                          SHA1

                          9bfc74c6ce44d9730bc362ce3c411f571a8bccf8

                          SHA256

                          9297c44b7e8fd2e96fea2c8dfd225d49fa6b335ff0805e59663e9974d88e998b

                          SHA512

                          bdcb29ec30ef8bf1d92a4b45e5d435b60c8a84af166445e39077b83dee3ee649ebd384f3c78c265ca90ff943d7ce35df91833e920c496fc12a7da80d576bbc9b

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\DhyQfpmw.exe
                          MD5

                          2f5b509929165fc13ceab9393c3b911d

                          SHA1

                          b016316132a6a277c5d8a4d7f3d6e2c769984052

                          SHA256

                          0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                          SHA512

                          c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\DhyQfpmw64.exe
                          MD5

                          3026bc2448763d5a9862d864b97288ff

                          SHA1

                          7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                          SHA256

                          7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                          SHA512

                          d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\NWSO8eY2.exe
                          MD5

                          1f987de3da76b532d5eb4dc0a8e07edc

                          SHA1

                          2002718bb7d81d6661892c6f2631df27eac89f61

                          SHA256

                          72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                          SHA512

                          7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                          Download Submit

                        • \Users\Admin\AppData\Local\Temp\NWSO8eY2.exe
                          MD5

                          1f987de3da76b532d5eb4dc0a8e07edc

                          SHA1

                          2002718bb7d81d6661892c6f2631df27eac89f61

                          SHA256

                          72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                          SHA512

                          7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                          Download Submit

                        • memory/512-63-0x0000000073960000-0x0000000073F0B000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/512-62-0x0000000002500000-0x000000000314A000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/512-61-0x0000000073960000-0x0000000073F0B000-memory.dmp

                          Filesize

                          5.7MB

                          Download

                        • memory/756-54-0x0000000075781000-0x0000000075783000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1464-75-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1464-76-0x000007FEF2BB0000-0x000007FEF370D000-memory.dmp

                          Filesize

                          11.4MB

                          Download

                        • memory/1464-77-0x000000001B810000-0x000000001BB0F000-memory.dmp

                          Filesize

                          3.0MB

                          Download

                        • memory/1464-79-0x0000000002BDB000-0x0000000002BFA000-memory.dmp

                          Filesize

                          124KB

                          Download

                        • memory/1464-80-0x0000000002BD0000-0x0000000002BD2000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1464-78-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

                          Filesize

                          9.6MB

                          Download

                        • memory/1464-81-0x000007FEF50E0000-0x000007FEF5A7D000-memory.dmp

                          Filesize

                          9.6MB

                          Download

                        • memory/1464-82-0x0000000002BD2000-0x0000000002BD4000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1464-83-0x0000000002BD4000-0x0000000002BD7000-memory.dmp

                          Filesize

                          12KB

                          Download