Overview

overview

10

Static

static

1

test.zip

windows7-x64

10

test.zip

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2023 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.zip

  • Size

    178KB

  • MD5

    637f1b621634196dd7628c5ce387da62

  • SHA1

    c727727ed610d62da7e51d099f809a13f656e99e

  • SHA256

    aebc7adbfa6abde961966f30524f8c2a12d2c21132a7d647983209c061d9885e

  • SHA512

    0ceed157c8362e6f01b2f2d90f458008d0fc3d0b6721e7abcd61dcd89f24036e681b0e5a976aeea7eff6a8a012425b8024c4912661e81207559424ec8c2c8183

  • SSDEEP

    3072:DdEZd15mu8QHZWzq6ifTvfy4WVmqbPmEd8N9NBmVKeM6z50zo4FEXMuxI:GP5WG62yZxbOEqHmhV10zwMr

Score
10/10
matrixransomware

Malware Config

Signatures

  • Matrix Ransomware 3 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\test.zip
    1⤵
      PID:2064
    • C:\Users\Admin\Desktop\test.exe
      "C:\Users\Admin\Desktop\test.exe"
      1⤵
      • Matrix Ransomware
      • Loads dropped DLL
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\vssadmin.exe
        "vssadmin.exe" delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:1776
      • C:\Users\Admin\Desktop\decryptor.exe
        "C:\Users\Admin\Desktop\decryptor.exe" C:\Users\Admin\Desktop//test.exe
        2⤵
        • Matrix Ransomware
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\//destruct.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:576
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1384
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230712_120418825.html.bit
      Filesize

      1.1MB

      MD5

      9fc8c1a6a41735fc179f5c68c873094e

      SHA1

      72fa99ada01df642fc4be3be5919f5fde13e237d

      SHA256

      1729afa415cae96f5519487be1b66f85ae754ce421f8aa5395489fd8c71bd09c

      SHA512

      a736bce10e24e19688464ac3c802938a76e0ac332faa5577d5b81673bf2bb1c28acf5a43ac6b907ff3676bb03323cb7af7b102530add1d9303b0de33cacb2c62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\destruct.bat
      Filesize

      74B

      MD5

      0cff879b1fb5d30b2d19fb28f3509022

      SHA1

      f2908f85d71e5b6e891325a90577856bff3cafa5

      SHA256

      b13b8b4bd3ea908828841e928358569eab51c0c98267f56a4ee59a791138b15d

      SHA512

      5db4cb41d255267cbe53b792c281ddd1526fbecd07ae8d7bd0458d442b1960fffc4c40451c759ae0cfe85702e6b4c12ad16995e0c0ba3c4350885e53bc6a5b2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\destruct.bat
      Filesize

      74B

      MD5

      0cff879b1fb5d30b2d19fb28f3509022

      SHA1

      f2908f85d71e5b6e891325a90577856bff3cafa5

      SHA256

      b13b8b4bd3ea908828841e928358569eab51c0c98267f56a4ee59a791138b15d

      SHA512

      5db4cb41d255267cbe53b792c281ddd1526fbecd07ae8d7bd0458d442b1960fffc4c40451c759ae0cfe85702e6b4c12ad16995e0c0ba3c4350885e53bc6a5b2a

      Download Submit

    • C:\Users\Admin\Desktop\MountHide.TTS
      Filesize

      1.8MB

      MD5

      c15bc99ff3302bc5b7df5cdf9e35867a

      SHA1

      eeccd6df77b0d54edb2525e5509dca3d0997cd81

      SHA256

      abb3204ada8a8f754027bff135f8c7d0959266cba3d361540ab4c1cf5155699e

      SHA512

      811cb07d49a1a696ba8ae42196d3d2888c09fb33f0e96840fb91595391edafc468871bda9328f25227659a22021fc744cec33b5b0b8f754e3ab8175b4f55f498

      Download Submit

    • C:\Users\Admin\Desktop\MountTrace.rle
      Filesize

      1.1MB

      MD5

      29e36ffed6a74fb0ea47557add869791

      SHA1

      e6bd838895c243f40d7f7e01b3129eb98defea58

      SHA256

      302e6812043ccebadfc3b17585ebd5139ac03ef44d1cbf23cf7d7749e4b3b526

      SHA512

      e6c024234fae580738ad96e33cc1bb53b9c5e0d75114f1a6725c778f17b1f0d2b2279b6ba0ed2365d47af68337db895a4672d3d4cc4d506cb55e7cbfe9aa995f

      Download Submit

    • C:\Users\Admin\Desktop\OpenEnter.snd
      Filesize

      1.2MB

      MD5

      a1d74e4c3e0e9c4e321a5c31f781cb9f

      SHA1

      aa2a99bf3fa5500db700a3cabe4826ef382d3d9b

      SHA256

      8e86e286051d7bed6b52e551b715e851283f6407a67759fb5261c6df761fcd2c

      SHA512

      70d9a8021797ca96ed3d06c9c500d7ee2a56f251d067aa4c4db123f814819adee0b6aa1ec244ec9d5170d5d93236166daeb87d3fe1c47c5e691d06b9a4855367

      Download Submit

    • C:\Users\Admin\Desktop\PingLock.DVR-MS
      Filesize

      992KB

      MD5

      4d5e70f6eff4bf66918c7064957f5dcb

      SHA1

      250cb054173c2b3a9dfcede576223e23370d4843

      SHA256

      dd7cae139857619a47cd5521114d387e0bdf43bd53c360c1bb8e9e71dad85be2

      SHA512

      4ba88e8751925386421db6ff7992008966d7d38b988cae3b85427ea5630e04a21c3ca4b96c16cd21a6262034d45d95a3ed0d1efd96462c91dd2600384594116b

      Download Submit

    • C:\Users\Admin\Desktop\RemoveWatch.m4a
      Filesize

      551KB

      MD5

      cf3e9995c794c68b0feb14d7c87a21d1

      SHA1

      7c26d05d73e773e533eb732b217fb75a4f94bf87

      SHA256

      a3cfcc4acbecd571c1465e409c757c8ab67ccd706c8746baeb10c14eb0269511

      SHA512

      c5f39f05fe1e1ca63332fc79c3b12a2dfafc257019fe09c7420cf94494901c0a33f09a9732baf427f035bb9362e7e308583560d93bfcdc157572d113e1104ff5

      Download Submit

    • C:\Users\Admin\Desktop\SplitSend.wpl
      Filesize

      1.3MB

      MD5

      c2bf2e59eb704d682c19e0113ea623be

      SHA1

      a8c1628487d381f2377c09fb756b20d959870363

      SHA256

      e6ff6f30016fa4937cbe292cd6ecb141845813734bc0f41bd45f751bec4a0909

      SHA512

      c2373025f9b2dadac0dc6abe0292d08ba666e4b012c6c906df2ee91d24c1030546eb12fe298ef029da1b15f00c24e51dff081b6fb2fd3f17a605ebccb59026e9

      Download Submit

    • C:\Users\Admin\Desktop\WatchCopy.pot
      Filesize

      904KB

      MD5

      ec65585c32a2f16523a90e5d149f48fb

      SHA1

      58008e7331d4df572a28081b0b97263ba241c5d3

      SHA256

      a970552065d385ef670dd1fc8c9db7c44150c2efdf521e7062637d0109aa0e87

      SHA512

      db119bd6c247fb6dc370eacd1784b8fea1c5f5a48554dc3fa30725ff83b37033154aaa9b882a168b1736cbca6d9e53abb63393ee7620239930d8f4139ba8d410

      Download Submit

    • C:\Users\Admin\Desktop\decryptor.exe
      Filesize

      26KB

      MD5

      0b2326b571dec3bfe1c58338bd50e766

      SHA1

      5939e2a436e2afb971e56c6083289a7840be2d05

      SHA256

      24a324dbf20536f81b2ff7868a9aeaa10cb0b2ddfb9619e22de0303cad69012b

      SHA512

      78cac3555bc43a8ee8ff0851fe132876f2a398d6f9006b4338d50c6aaf758067fff344e2ca0436c978d5e85f7923d7a9696d2311b99abba2d67a24d30e29aa7b

      Download Submit

    • C:\Users\Admin\Desktop\decryptor.exe
      Filesize

      26KB

      MD5

      0b2326b571dec3bfe1c58338bd50e766

      SHA1

      5939e2a436e2afb971e56c6083289a7840be2d05

      SHA256

      24a324dbf20536f81b2ff7868a9aeaa10cb0b2ddfb9619e22de0303cad69012b

      SHA512

      78cac3555bc43a8ee8ff0851fe132876f2a398d6f9006b4338d50c6aaf758067fff344e2ca0436c978d5e85f7923d7a9696d2311b99abba2d67a24d30e29aa7b

      Download Submit

    • \Users\Admin\Desktop\decryptor.exe
      Filesize

      26KB

      MD5

      0b2326b571dec3bfe1c58338bd50e766

      SHA1

      5939e2a436e2afb971e56c6083289a7840be2d05

      SHA256

      24a324dbf20536f81b2ff7868a9aeaa10cb0b2ddfb9619e22de0303cad69012b

      SHA512

      78cac3555bc43a8ee8ff0851fe132876f2a398d6f9006b4338d50c6aaf758067fff344e2ca0436c978d5e85f7923d7a9696d2311b99abba2d67a24d30e29aa7b

      Download Submit

    • memory/1712-358-0x0000000074760000-0x0000000074E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1712-53-0x0000000000200000-0x000000000023C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1712-55-0x0000000004CE0000-0x0000000004D20000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1712-54-0x0000000074760000-0x0000000074E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2768-352-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2768-356-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2768-357-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2768-359-0x0000000074760000-0x0000000074E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2768-349-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2768-348-0x0000000074760000-0x0000000074E4E000-memory.dmp

      Filesize

      6.9MB

      Download