matrix | 0dd9abb0081f113cd3adc5670f8b0f826cf1047b6e713a3c76451a55673ff705

Analysis

max time kernel
299s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
Size

3.8MB
MD5

ac42a9b2338847bb398152b1bf6401fd
SHA1

02daf9ff6773da4d134c94fdb7630af2cc01e399
SHA256

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63
SHA512

016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1
SSDEEP

49152:PXlOslYQt+5oXlabPyyNHb/GMO6d+5M+HKo:PEUYQtXQFC6s5M+HH

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#ANN_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 263AF7BACF6C40C2\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 263AF7BACF6C40C2\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 awgA9UAg\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\th\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\az-Latn-AZ\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\Videos\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tg\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sl\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ml-IN\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\ProgramData\Microsoft OneDrive\setup\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\fr_CA\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pa\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ja\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\ProgramData\Microsoft\SmsRouter\MessageStore\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sr\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\pl\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gu\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Office\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sk\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\am\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sr\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fil-PH\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\es\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\mn\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\sv\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hdxf54l3.default-release\settings\main\ms-language-packs\browser\newtab\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Users\Admin\Searches\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3744 bcdedit.exe
4868 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

153 4240 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

LqC3I9JZ64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS LqC3I9JZ64.exe

pid	process
3744	bcdedit.exe
4868	bcdedit.exe

flow	pid	process
153	4240	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	LqC3I9JZ64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LqC3I9JZ64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	LqC3I9JZ64.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 3 IoCs

Processes:

NWDyMrAh.exeLqC3I9JZ.exeLqC3I9JZ64.exe

pid process

4260 NWDyMrAh.exe
692 LqC3I9JZ.exe
5904 LqC3I9JZ64.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1424 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
4260	NWDyMrAh.exe
692	LqC3I9JZ.exe
5904	LqC3I9JZ64.exe

pid	process
1424	takeown.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/692-2431-0x0000000000400000-0x0000000000477000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exe	upx
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exe	upx
behavioral2/memory/692-10133-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

Processes:

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Users\Public\desktop.ini	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LqC3I9JZ64.exe3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

description	ioc	process
File opened (read-only)	\??\I:	LqC3I9JZ64.exe
File opened (read-only)	\??\L:	LqC3I9JZ64.exe
File opened (read-only)	\??\M:	LqC3I9JZ64.exe
File opened (read-only)	\??\Y:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\K:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\H:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\E:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\H:	LqC3I9JZ64.exe
File opened (read-only)	\??\U:	LqC3I9JZ64.exe
File opened (read-only)	\??\W:	LqC3I9JZ64.exe
File opened (read-only)	\??\Z:	LqC3I9JZ64.exe
File opened (read-only)	\??\W:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\N:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\G:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\K:	LqC3I9JZ64.exe
File opened (read-only)	\??\V:	LqC3I9JZ64.exe
File opened (read-only)	\??\X:	LqC3I9JZ64.exe
File opened (read-only)	\??\S:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\I:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\A:	LqC3I9JZ64.exe
File opened (read-only)	\??\B:	LqC3I9JZ64.exe
File opened (read-only)	\??\T:	LqC3I9JZ64.exe
File opened (read-only)	\??\X:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\T:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\Q:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\O:	LqC3I9JZ64.exe
File opened (read-only)	\??\Q:	LqC3I9JZ64.exe
File opened (read-only)	\??\Z:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\V:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\M:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\S:	LqC3I9JZ64.exe
File opened (read-only)	\??\R:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\P:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\E:	LqC3I9JZ64.exe
File opened (read-only)	\??\G:	LqC3I9JZ64.exe
File opened (read-only)	\??\R:	LqC3I9JZ64.exe
File opened (read-only)	\??\N:	LqC3I9JZ64.exe
File opened (read-only)	\??\Y:	LqC3I9JZ64.exe
File opened (read-only)	\??\P:	LqC3I9JZ64.exe
File opened (read-only)	\??\U:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\O:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\L:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\J:	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened (read-only)	\??\J:	LqC3I9JZ64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

152 myexternalip.com

flow	ioc
152	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\8XFNKXtw.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\vi.pak.DATA	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected]	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hu.pak	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\eventlog_provider.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\SoftLandingAssetLight.gif.DATA	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\el.pak	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\CheckpointSearch.mpe	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ro.pak.DATA	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lv.pak	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vccorlib140.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_vi.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hr.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfr.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\currency.data	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-awt.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#ANN_README#.rtf	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5836 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4092 vssadmin.exe

pid	process
5836	schtasks.exe

pid	process
4092	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeLqC3I9JZ64.exe

pid	process
4240	powershell.exe
4240	powershell.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe
5904	LqC3I9JZ64.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

LqC3I9JZ64.exe

pid process

5904 LqC3I9JZ64.exe

pid	process
5904	LqC3I9JZ64.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

powershell.exetakeown.exeLqC3I9JZ64.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeTakeOwnershipPrivilege	1424	takeown.exe
Token: SeDebugPrivilege	5904	LqC3I9JZ64.exe
Token: SeLoadDriverPrivilege	5904	LqC3I9JZ64.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5620	WMIC.exe
Token: SeSecurityPrivilege	5620	WMIC.exe
Token: SeTakeOwnershipPrivilege	5620	WMIC.exe
Token: SeLoadDriverPrivilege	5620	WMIC.exe
Token: SeSystemProfilePrivilege	5620	WMIC.exe
Token: SeSystemtimePrivilege	5620	WMIC.exe
Token: SeProfSingleProcessPrivilege	5620	WMIC.exe
Token: SeIncBasePriorityPrivilege	5620	WMIC.exe
Token: SeCreatePagefilePrivilege	5620	WMIC.exe
Token: SeBackupPrivilege	5620	WMIC.exe
Token: SeRestorePrivilege	5620	WMIC.exe
Token: SeShutdownPrivilege	5620	WMIC.exe
Token: SeDebugPrivilege	5620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5620	WMIC.exe
Token: SeRemoteShutdownPrivilege	5620	WMIC.exe
Token: SeUndockPrivilege	5620	WMIC.exe
Token: SeManageVolumePrivilege	5620	WMIC.exe
Token: 33	5620	WMIC.exe
Token: 34	5620	WMIC.exe
Token: 35	5620	WMIC.exe
Token: 36	5620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5620	WMIC.exe
Token: SeSecurityPrivilege	5620	WMIC.exe
Token: SeTakeOwnershipPrivilege	5620	WMIC.exe
Token: SeLoadDriverPrivilege	5620	WMIC.exe
Token: SeSystemProfilePrivilege	5620	WMIC.exe
Token: SeSystemtimePrivilege	5620	WMIC.exe
Token: SeProfSingleProcessPrivilege	5620	WMIC.exe
Token: SeIncBasePriorityPrivilege	5620	WMIC.exe
Token: SeCreatePagefilePrivilege	5620	WMIC.exe
Token: SeBackupPrivilege	5620	WMIC.exe
Token: SeRestorePrivilege	5620	WMIC.exe
Token: SeShutdownPrivilege	5620	WMIC.exe
Token: SeDebugPrivilege	5620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5620	WMIC.exe
Token: SeRemoteShutdownPrivilege	5620	WMIC.exe
Token: SeUndockPrivilege	5620	WMIC.exe
Token: SeManageVolumePrivilege	5620	WMIC.exe
Token: 33	5620	WMIC.exe
Token: 34	5620	WMIC.exe
Token: 35	5620	WMIC.exe
Token: 36	5620	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.execmd.execmd.execmd.execmd.execmd.exeLqC3I9JZ.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4396 wrote to memory of 3784	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 3784	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 3784	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 4260	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	NWDyMrAh.exe
PID 4396 wrote to memory of 4260	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	NWDyMrAh.exe
PID 4396 wrote to memory of 4260	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	NWDyMrAh.exe
PID 4396 wrote to memory of 4116	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 4116	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 4116	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4116 wrote to memory of 4240	4116	cmd.exe	powershell.exe
PID 4116 wrote to memory of 4240	4116	cmd.exe	powershell.exe
PID 4116 wrote to memory of 4240	4116	cmd.exe	powershell.exe
PID 4396 wrote to memory of 4636	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 4636	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 4636	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 2872	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 2872	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 2872	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4636 wrote to memory of 1400	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1400	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1400	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1716	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1716	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1716	4636	cmd.exe	reg.exe
PID 2872 wrote to memory of 4080	2872	cmd.exe	wscript.exe
PID 2872 wrote to memory of 4080	2872	cmd.exe	wscript.exe
PID 2872 wrote to memory of 4080	2872	cmd.exe	wscript.exe
PID 4636 wrote to memory of 1608	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1608	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 1608	4636	cmd.exe	reg.exe
PID 4396 wrote to memory of 2136	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 2136	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 4396 wrote to memory of 2136	4396	3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe	cmd.exe
PID 2136 wrote to memory of 4552	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 4552	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 4552	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 1416	2136	cmd.exe	cacls.exe
PID 2136 wrote to memory of 1416	2136	cmd.exe	cacls.exe
PID 2136 wrote to memory of 1416	2136	cmd.exe	cacls.exe
PID 2136 wrote to memory of 1424	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 1424	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 1424	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 1224	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 1224	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 1224	2136	cmd.exe	cmd.exe
PID 1224 wrote to memory of 692	1224	cmd.exe	LqC3I9JZ.exe
PID 1224 wrote to memory of 692	1224	cmd.exe	LqC3I9JZ.exe
PID 1224 wrote to memory of 692	1224	cmd.exe	LqC3I9JZ.exe
PID 692 wrote to memory of 5904	692	LqC3I9JZ.exe	LqC3I9JZ64.exe
PID 692 wrote to memory of 5904	692	LqC3I9JZ.exe	LqC3I9JZ64.exe
PID 4080 wrote to memory of 5568	4080	wscript.exe	cmd.exe
PID 4080 wrote to memory of 5568	4080	wscript.exe	cmd.exe
PID 4080 wrote to memory of 5568	4080	wscript.exe	cmd.exe
PID 5568 wrote to memory of 5836	5568	cmd.exe	schtasks.exe
PID 5568 wrote to memory of 5836	5568	cmd.exe	schtasks.exe
PID 5568 wrote to memory of 5836	5568	cmd.exe	schtasks.exe
PID 4080 wrote to memory of 5960	4080	wscript.exe	cmd.exe
PID 4080 wrote to memory of 5960	4080	wscript.exe	cmd.exe
PID 4080 wrote to memory of 5960	4080	wscript.exe	cmd.exe
PID 5960 wrote to memory of 1928	5960	cmd.exe	schtasks.exe
PID 5960 wrote to memory of 1928	5960	cmd.exe	schtasks.exe
PID 5960 wrote to memory of 1928	5960	cmd.exe	schtasks.exe
PID 5492 wrote to memory of 4092	5492	cmd.exe	vssadmin.exe
PID 5492 wrote to memory of 4092	5492	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4552 attrib.exe

pid	process
4552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe
"C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63.exe" "C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe"
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe
  "C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe" -n
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\qbixSRn6.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8XFNKXtw.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\8XFNKXtw.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CnE33OpS.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\CnE33OpS.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:5836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyRbkJVx.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Views/modifies file attributes
    PID:4552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c LqC3I9JZ.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exe
      LqC3I9JZ.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ64.exe
        
        LqC3I9JZ.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\3nfEvclS.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4092
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5620
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3744
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4868
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:3532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#ANN_README#.rtf

Filesize
8KB

MD5
b2d09ca627235e8e390dafb01172dd68

SHA1
1946ce5c16d7a98ea111d509edcd54297dc3f789

SHA256
a245c05d485dd0f93e10609fc3ab350ab1e8cb88f7089a8735e43449af713b8b

SHA512
e681e40d81be6950a11a9b3e8dbb074b7b0a193488c2d5011997d7d0cef1fd8bb41e42f806cd009e555f8ca2169340d95a510980e40fd445cf5a925b2b9668e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqC3I9JZ64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe

Filesize
3.8MB

MD5
ac42a9b2338847bb398152b1bf6401fd

SHA1
02daf9ff6773da4d134c94fdb7630af2cc01e399

SHA256
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63

SHA512
016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe

Filesize
3.8MB

MD5
ac42a9b2338847bb398152b1bf6401fd

SHA1
02daf9ff6773da4d134c94fdb7630af2cc01e399

SHA256
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63

SHA512
016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWDyMrAh.exe

Filesize
3.8MB

MD5
ac42a9b2338847bb398152b1bf6401fd

SHA1
02daf9ff6773da4d134c94fdb7630af2cc01e399

SHA256
3eff2f818a0dac4bd17d8da95962be78bca0b466e4325d2c2fd718ec54668f63

SHA512
016c848cf8c2ffc1343d9242eaae19e9d41488f752282787f4f62cb841c121583f7673b21ddd7b624f39ef775c167fd2733eba495c84ebdf20103f09400e0ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uey4tbqi.siz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\elog_263AF7BACF6C40C2.txt

Filesize
37KB

MD5
ac557f20c0778689546cd944762ba740

SHA1
2081b7cbba20653beb11b9ddd2250b4de79fa71b

SHA256
55ea10d81e7775c3733fa8cfda377d898b5c033870083a72a1405209c7152b81

SHA512
d1770b44f9136010381c1f93fafd092cb50c0fc80c16a781ecf32ec46aab5012109dd538c428d74b3b340f4aebb2cbd1a42d6dd4177c73d473fa12c150f27e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbixSRn6.txt

Filesize
14B

MD5
8eb51985066cb0782077f624013d47a2

SHA1
0549d07d51454e73b937946ba1887cacfce71835

SHA256
5537d10911f09132033b185344f75ea1a0ed7e5509b3be00bd8bc93d477baa44

SHA512
539a7160bb41366a74d8859b080724f5838132428f672c2bba7ef9c9a259823f15074adec75567bea6724f09d681c04b8763a2f495eff3436ff17420cb7bf0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyRbkJVx.bat

Filesize
246B

MD5
f5a5e7bbf6260715c3d3080cac360820

SHA1
196fbbe9f76d411d282ebee2dfbada3205c3b69c

SHA256
005c28d79652cf68f5194574c8eb3c99f62d7ea84b8700c2f4bb9f74a3fa5ff1

SHA512
4dc966b010f9d2be838c41b4324f9ad27793a1e6ef09b29c5d9ec752b774064d437dac0f4cb78ff1438f6ecd967fe0a2f5376f64c6a1507e496cb672730f5b63

Download Submit
C:\Users\Admin\AppData\Roaming\3nfEvclS.bat

Filesize
265B

MD5
978bdb091c97c9c0b3b4765bcd378704

SHA1
c7e771bf4cce39f82e6f4b78a8a40753a573caaf

SHA256
b981a8f3ac84e24930eecba33264d7ad368ecbf0b141e8c20e7faf19eb95db29

SHA512
4e1d45d5ebbc5c262ec54f9a8ad7c3c564f3258f94809efb3e1042547e1a402993782b94db4f87f8263b03402993e7d078881f9c9340a0f127a9d628af1b400e

Download Submit
C:\Users\Admin\AppData\Roaming\CnE33OpS.vbs

Filesize
260B

MD5
365338073e5ce38eb6781b5890a09756

SHA1
95a7166c1c209794218e733c9d3593e94aa16cc6

SHA256
981c16209873dcd090f48b21f4484dd13af7ee5daf50e037c1750d5a758dabb2

SHA512
19e4d2da003bd42b6ee1bec13e78c190860edc4b9b7d684f50f56b6f737304d88810d10621007e74e746cbb983c4c67b2b2c3c813bf9ebe67c788d20886a570d

Download Submit
memory/692-2431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/692-10133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4240-13-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4240-9-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/4240-31-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4240-28-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/4240-27-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/4240-26-0x00000000069D0000-0x00000000069EE000-memory.dmp

Filesize
120KB

Download
memory/4240-29-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/4240-7-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4240-14-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/4240-12-0x0000000005B00000-0x0000000005B22000-memory.dmp

Filesize
136KB

Download
memory/4240-11-0x0000000005B80000-0x00000000061A8000-memory.dmp

Filesize
6.2MB

Download
memory/4240-10-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/4240-8-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/4260-25-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4260-10773-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4260-10811-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4260-10850-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4260-10872-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4396-4600-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4396-24-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4396-10768-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download