Overview

overview

10

Static

static

3

NoBit.patched.exe

windows7-x64

10

NoBit.patched.exe

windows10-2004-x64

3

Resubmissions

03-11-2023 19:55

231103-ynbbhahe7x 10

18-09-2023 01:03

230918-betp6adf3z 10

Analysis

  • max time kernel
    362s
  • max time network
    365s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2023 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NoBit.patched.exe

  • Size

    546KB

  • MD5

    5a5d6d6fade80634580e373be2c91924

  • SHA1

    e2b08b0bacb84128af910735c8ce8903483d1e03

  • SHA256

    669ba15b1fc970333c1ba980ba8ae143dbaacac92b4acb66df8d82a5c6fd6ba0

  • SHA512

    4d418df5d3fe56717b8f0a45d0fcd0dafc6435abc7c547f715b4262639eee212ccf90f7943750a80d54f9149e0f7b660296b971e53128519d2441dba192727b7

  • SSDEEP

    12288:oDQvjZR8N/3a4GY6bAYIV9MeOFv/glO0JhdBQqzma+v:WwR8dA2lO60oHcL

Score
10/10
matrixransomwarespywarestealer

Malware Config

Signatures

  • Matrix Ransomware 3 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe
    "C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\vssadmin.exe
      "vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2136
    • C:\Users\Admin\Desktop\decryptor.exe
      "C:\Users\Admin\Desktop\decryptor.exe" C:\Users\Admin\AppData\Local\Temp//NoBit.patched.exe
      2⤵
      • Matrix Ransomware
      • Executes dropped EXE
      PID:916
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\//destruct.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2316
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1744
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230831_223456773.html.bit
    Filesize

    1.1MB

    MD5

    f4963feaf842d7c3561602a67ebe9949

    SHA1

    cea567c72b56f53bc650ab36db474e2f5fabbace

    SHA256

    656741ca57f003c42128959dfdda2766a75c377e6f0a249869d9d2410430c062

    SHA512

    a1135f775811e5c84079d0b21f7c0f3b905d5651aab6816c2de9531c3e3724beaacbea7a31d80393007c3eabf36b7f10c290d2ef671f7a4155a916c4f237fc75

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\destruct.bat
    Filesize

    94B

    MD5

    47cbff1bcd7df40f1af58b8398361beb

    SHA1

    49bae331c8a675f86e97a9290067ccf869892d40

    SHA256

    5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

    SHA512

    75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\destruct.bat
    Filesize

    94B

    MD5

    47cbff1bcd7df40f1af58b8398361beb

    SHA1

    49bae331c8a675f86e97a9290067ccf869892d40

    SHA256

    5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

    SHA512

    75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

    Download Submit
  • C:\Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit
  • C:\Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit
  • \Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit
  • memory/916-298-0x0000000000130000-0x0000000000148000-memory.dmp
    Filesize

    96KB

    Download
  • memory/916-300-0x0000000074B90000-0x000000007527E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/916-302-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-306-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-308-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-309-0x0000000074B90000-0x000000007527E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/916-310-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-311-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-312-0x0000000004E40000-0x0000000004E80000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2448-0-0x0000000000F90000-0x000000000101E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/2448-1-0x0000000074B90000-0x000000007527E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2448-301-0x0000000074B90000-0x000000007527E000-memory.dmp
    Filesize

    6.9MB

    Download