General
-
Target
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe
-
Size
610KB
-
Sample
221227-mchewshh7w
-
MD5
1c73c307773fedfccd544a6b6b0b55b9
-
SHA1
899ffd934e0b8a6df4b115c49df33fca524e2135
-
SHA256
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376
-
SHA512
049211f9d07e3cca9f92dfb1bc2e0f6895586f9f36b2651ffb2de20f3573ba9d719aff27e67b996f4706852578e919810e3e6854eebf0aaff0d412d8cabc127d
-
SSDEEP
12288:mT9zGQU31phksyH0F8eHSE3BGAFTT/OAchocfoOG6FTvcDldnozRpXFqOO:mRyQUlGuLSE3BGAF//xlcfoO/IDr6FqO
Behavioral task
behavioral1
Sample
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
http://myexternalip.com/raw
Targets
-
-
Target
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe
-
Size
610KB
-
MD5
1c73c307773fedfccd544a6b6b0b55b9
-
SHA1
899ffd934e0b8a6df4b115c49df33fca524e2135
-
SHA256
2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376
-
SHA512
049211f9d07e3cca9f92dfb1bc2e0f6895586f9f36b2651ffb2de20f3573ba9d719aff27e67b996f4706852578e919810e3e6854eebf0aaff0d412d8cabc127d
-
SSDEEP
12288:mT9zGQU31phksyH0F8eHSE3BGAFTT/OAchocfoOG6FTvcDldnozRpXFqOO:mRyQUlGuLSE3BGAF//xlcfoO/IDr6FqO
-
Matrix Ransomware
Targeted ransomware with information collection and encryption functionality.
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
2