Overview

overview

10

Static

static

3

NoBit.patched.exe

windows7-x64

10

NoBit.patched.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2023 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NoBit.patched.exe

  • Size

    546KB

  • MD5

    5a5d6d6fade80634580e373be2c91924

  • SHA1

    e2b08b0bacb84128af910735c8ce8903483d1e03

  • SHA256

    669ba15b1fc970333c1ba980ba8ae143dbaacac92b4acb66df8d82a5c6fd6ba0

  • SHA512

    4d418df5d3fe56717b8f0a45d0fcd0dafc6435abc7c547f715b4262639eee212ccf90f7943750a80d54f9149e0f7b660296b971e53128519d2441dba192727b7

  • SSDEEP

    12288:oDQvjZR8N/3a4GY6bAYIV9MeOFv/glO0JhdBQqzma+v:WwR8dA2lO60oHcL

Score
10/10
matrixransomwarespywarestealer

Malware Config

Signatures

  • Matrix Ransomware 3 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (82) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe
    "C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\vssadmin.exe
      "vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1248
    • C:\Users\Admin\Desktop\decryptor.exe
      "C:\Users\Admin\Desktop\decryptor.exe" C:\Users\Admin\AppData\Local\Temp//NoBit.patched.exe
      2⤵
      • Matrix Ransomware
      • Executes dropped EXE
      PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\//destruct.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1736
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230901_003412126.html.bit
    Filesize

    1.1MB

    MD5

    4abf231d683a2ad07a17d615189ed350

    SHA1

    3ff7ebca07f35951c2e0624c11e59a786e770c9f

    SHA256

    f8002fb7a791ef6e94fd6958ea63cb7df80927d0343a009b8568d473b96749e0

    SHA512

    a1a028d043f3af04a4f5e3aed34caeba7094549c3ccc27e3aecc9f9d48bcfabf6bea1c8c5985561ea9c3449450028881bc70962a91082fd5ae51033a8ba8905d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\destruct.bat
    Filesize

    94B

    MD5

    47cbff1bcd7df40f1af58b8398361beb

    SHA1

    49bae331c8a675f86e97a9290067ccf869892d40

    SHA256

    5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

    SHA512

    75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\destruct.bat
    Filesize

    94B

    MD5

    47cbff1bcd7df40f1af58b8398361beb

    SHA1

    49bae331c8a675f86e97a9290067ccf869892d40

    SHA256

    5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

    SHA512

    75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

    Download Submit

  • C:\Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit

  • C:\Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit

  • \Users\Admin\Desktop\decryptor.exe
    Filesize

    68KB

    MD5

    8841222817a49c74f8ca7284f3296bb9

    SHA1

    01821078d43a9b64b793a6bc2ce4496e4b97efca

    SHA256

    cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

    SHA512

    f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

    Download Submit

  • memory/2224-292-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2224-1-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2224-2-0x0000000005020000-0x0000000005060000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2224-0-0x00000000012E0000-0x000000000136E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2756-289-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2756-291-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2756-294-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2756-296-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-299-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-300-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-301-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-302-0x0000000000B90000-0x0000000000BD0000-memory.dmp

    Filesize

    256KB

    Download