matrix | 669ba15b1fc970333c1ba980ba8ae143dbaacac92b4acb66df8d82a5c6fd6ba0

Resubmissions

03-11-2023 19:55

231103-ynbbhahe7x 10

18-09-2023 01:03

230918-betp6adf3z 10

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoBit.patched.exe
Size

546KB
MD5

5a5d6d6fade80634580e373be2c91924
SHA1

e2b08b0bacb84128af910735c8ce8903483d1e03
SHA256

669ba15b1fc970333c1ba980ba8ae143dbaacac92b4acb66df8d82a5c6fd6ba0
SHA512

4d418df5d3fe56717b8f0a45d0fcd0dafc6435abc7c547f715b4262639eee212ccf90f7943750a80d54f9149e0f7b660296b971e53128519d2441dba192727b7
SSDEEP

12288:oDQvjZR8N/3a4GY6bAYIV9MeOFv/glO0JhdBQqzma+v:WwR8dA2lO60oHcL

Score

10^/10

matrix ransomware spyware stealer

Malware Config

Signatures

Matrix Ransomware 3 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop//wallpaper.bit.png"	NoBit.patched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	NoBit.patched.exe
File created	C:\Users\Admin\Desktop\readme.rtf	decryptor.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	decryptor.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	NoBit.patched.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop//wallpaper.bit.png"	NoBit.patched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	NoBit.patched.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1940	timeout.exe
3024	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2100	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\WallpaperStyle = "2"	NoBit.patched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\Desktop\TileWallpaper = "0"	NoBit.patched.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2656	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2092	vssvc.exe
Token: SeRestorePrivilege	2092	vssvc.exe
Token: SeAuditPrivilege	2092	vssvc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2656	WINWORD.EXE
2656	WINWORD.EXE
2656	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2100	2260	NoBit.patched.exe	28
PID 2260 wrote to memory of 2100	2260	NoBit.patched.exe	28
PID 2260 wrote to memory of 2100	2260	NoBit.patched.exe	28
PID 2260 wrote to memory of 2100	2260	NoBit.patched.exe	28
PID 2260 wrote to memory of 2184	2260	NoBit.patched.exe	32
PID 2260 wrote to memory of 2184	2260	NoBit.patched.exe	32
PID 2260 wrote to memory of 2184	2260	NoBit.patched.exe	32
PID 2260 wrote to memory of 2184	2260	NoBit.patched.exe	32
PID 2260 wrote to memory of 2352	2260	NoBit.patched.exe	33
PID 2260 wrote to memory of 2352	2260	NoBit.patched.exe	33
PID 2260 wrote to memory of 2352	2260	NoBit.patched.exe	33
PID 2260 wrote to memory of 2352	2260	NoBit.patched.exe	33
PID 2352 wrote to memory of 1940	2352	cmd.exe	35
PID 2352 wrote to memory of 1940	2352	cmd.exe	35
PID 2352 wrote to memory of 1940	2352	cmd.exe	35
PID 2352 wrote to memory of 1940	2352	cmd.exe	35
PID 2352 wrote to memory of 3024	2352	cmd.exe	36
PID 2352 wrote to memory of 3024	2352	cmd.exe	36
PID 2352 wrote to memory of 3024	2352	cmd.exe	36
PID 2352 wrote to memory of 3024	2352	cmd.exe	36
PID 2656 wrote to memory of 1284	2656	WINWORD.EXE	44
PID 2656 wrote to memory of 1284	2656	WINWORD.EXE	44
PID 2656 wrote to memory of 1284	2656	WINWORD.EXE	44
PID 2656 wrote to memory of 1284	2656	WINWORD.EXE	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe
"C:\Users\Admin\AppData\Local\Temp\NoBit.patched.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2100
- C:\Users\Admin\Desktop\decryptor.exe
  "C:\Users\Admin\Desktop\decryptor.exe" C:\Users\Admin\AppData\Local\Temp//NoBit.patched.exe
  2⤵
  - Matrix Ransomware
  - Executes dropped EXE
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\//destruct.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\SuspendProtect.dotx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico.bit

Filesize
4KB

MD5
8ec7f6e5b55bf049d377411c49478f37

SHA1
9a6911010df04451aba6a5970fca5d410d384a3d

SHA256
581801ddfee6fc99dd2e798f030a3e18842e3744750bb7df6450020c8dfc8e2f

SHA512
b286f0fdc123470eba344ed176653619b68858559dbfb6ae837d96465f45dac5377ca3dd3be8dc4b1f0e46b2fe48d10c57c37175a30e06a84e72d6e63f2628e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico.bit

Filesize
193KB

MD5
41c2eebff3a395d9abdf253a13b26e8e

SHA1
6f22a39b8d5cebc35ec7f845f19cf2e8257f0921

SHA256
41e93d9ac2d6ef6f48a672154060de503d2ee6c7d32e07eb5572301eac3a2965

SHA512
5e262dd74ceaa5e8ae8db0a3e1357f55e1393a58371bbf3e3b728807c678a82d703c107387e2b8f43a580d24b2ad4515eec859ce72ed4d172264783c5a9998a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db.bit

Filesize
16KB

MD5
0b0128e85292a06b99d97c5347bfc3ca

SHA1
2886cfabea9db399e918729091501a5a1a2d29eb

SHA256
974a64f7e891d16147bc0b6f377e545f5e9415936dc32ea1d7f0f8a0c0468f04

SHA512
bb68d4254b538a0b01cd584d1e862c213cea6526b7f590488724f48de883c96b2c81fa02c2b8726abc59a097bc82757539151e4a4d1f6833a907b2224f7674e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.bit

Filesize
16B

MD5
f9d7f2fff6caf27d8d325247fec90cd8

SHA1
10fb35d42a2ff08af6b923f73679950f945c7bed

SHA256
91b2068a6cb696471998d3b23fb9a6c97e92d90b467a64b699f764c7b414a5dc

SHA512
748230ec7d8604e94c6280cd5e9244bf9516d794417bae810015dae2f3fbeb84a2c76e1a3fc30ec498b2cb732eda7c7a4b7c037ee92d0d2192921e65edba673b

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.bit

Filesize
763KB

MD5
cefb466e5b6680d9778f1890e90eb04b

SHA1
cfe3ce5db1bfbc9d70683c08b619b67d5a904bbf

SHA256
d8b002249f0683e4434efa6ee1736015cd9ef9420f3f9e237fc54732281d797f

SHA512
7da456d7fc2d858cff1e927a5dd1136839d8db53a870bcac6052e3d96e0b5d61664614c9379b8ab7fbb4cfc3479fde808eda2d8bc0b35b900d31239122f283ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.bit

Filesize
5KB

MD5
c514b9643f8893c6d423eebe2ae06465

SHA1
695d4efdd8fd82612a22f2718c73c6c09c2c4adf

SHA256
f3ca56af34952c3cb75a62132789d2d5ec96fdabee31908cda5f40996c2c2637

SHA512
f707530088dd6096d83a48e804aae9231baa47b8eeedda79f977436058807be011b3c5eb5146d5b5b76b08b1be7e5394292c899d0c7b1c9b40fda87c1052a1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp.bit

Filesize
48KB

MD5
3ea16d1289bb3c46bba0ec7c6ce89acb

SHA1
ec05d70bf1cc50fbfa248283cbb2fb41585d7487

SHA256
c62711d70f26eb89fdf677e2d900cb880ae33c90240ac59ea3a2a3044a676991

SHA512
1ed079f12351ea59b584e3bba2734cfc3e3c4b795fdab341834d4adbc22552c7cf700df24fa0e14ea261d36eae02dd6fa88eefba5a318415c08d7d5607cf18d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20231023_152338699-MSI_netfx_Full_x64.msi.txt.bit

Filesize
12.7MB

MD5
a82b34d8b1f61e940b4371e412cffaab

SHA1
69f05d8253159d94ab8eec0c7eabdbf116704000

SHA256
356f9b8bc2c29a503190a171d23695a2f049e8edede144ec1240abe7b2dd8bbe

SHA512
8ab3872bf033ed3494ddba869c0992bc666c2e0a190db3c174fd09935cbd29391feec454074b04807a39f813d9710baf8ff78ff67252181b8ef8b99a42f4d34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20231023_152338699.html.bit

Filesize
1.1MB

MD5
cbb5911a3f43925875d87a99f4a471fd

SHA1
8cc8bcd9d91e3f34ddc74294ea702fa87d3ef7cb

SHA256
33e34dce6fae381e49493a325952e1c2e81516354f31dd420a41ba8bc1a92f0f

SHA512
15c27198a62ae737cbce8d88d8a073950b3e7cb9c390c2813d30729b75dac0fea2c23fe9bf21820dfb762697baecbb1a8d9c5c56c4c9c62daf4c18cc796f6c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20231023_152338699.html.bit

Filesize
1.1MB

MD5
cbb5911a3f43925875d87a99f4a471fd

SHA1
8cc8bcd9d91e3f34ddc74294ea702fa87d3ef7cb

SHA256
33e34dce6fae381e49493a325952e1c2e81516354f31dd420a41ba8bc1a92f0f

SHA512
15c27198a62ae737cbce8d88d8a073950b3e7cb9c390c2813d30729b75dac0fea2c23fe9bf21820dfb762697baecbb1a8d9c5c56c4c9c62daf4c18cc796f6c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.bit

Filesize
1KB

MD5
e68855fadd2e127959ee94a2ad3431a3

SHA1
6a3a659f12bde17fd8725402d7a84689d7396eab

SHA256
43d26589d178d92b384cbf75d682e5dd5d0edf98ac58106c27ebbd18f47b7200

SHA512
818f4e263c1be3869ff6c2c6b66a962796d33141023d4dda3da89e3bf981797dffbc4e87b802a0d1712f2a56b9a8e8b8fdd99b04ec496ba0ebbcb061a0a2fa99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.bit

Filesize
2KB

MD5
19584dc98356617b4fdaf4702f141530

SHA1
183442fbd6116e98b0af16665b7cc7b1e75fc131

SHA256
c7d882dbdaf6d85f066d59f23230fdfcdf62a102089a336e1d5a340be689ba52

SHA512
f115816cd32f90b5ece4d9b01086115bf298be57eb8fcb5e008d49dc8e534dc97e54f8b6b85807229945372987c7cb38f5886ee1684c79a55811355009e8d88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7CDF.txt.bit

Filesize
425KB

MD5
552693a6f5108d03589dec3f69d45f42

SHA1
c4d711315dfb9af2420dbad3ad54617aaf329988

SHA256
dd9652f54f45ba7e0da81ce4a2254287b6429f3395084ac6fafb30a1111ec7ea

SHA512
e7fa191866a523e2523bba5447f4db4b9d6eb6eaf7b77b5b027353b2e69a066da0f01920c82d839ea6540f0694269385fbdc0f56fdfd0815f67f387b5696bac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7D3B.txt.bit

Filesize
412KB

MD5
09b779a30203fe432e9f2755c889025f

SHA1
4504f23194eba25276e7fc72ea61df2d6e74ac02

SHA256
6f741034e2a063965b77bd2700961bbb46be64d1783c1b77f4967a49fbf4c407

SHA512
3ce168151b68afb1badec597cfe387f2739c29be9b031106db646d6865ade70bb07db749d0b6f84996698b0dfb070424300bf2a0def44cf79e1d8245769daf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7CDF.txt.bit

Filesize
11KB

MD5
e5ee22fe85e877c1f5c0c5c85519971c

SHA1
b44e940aec4ebf16f387b1872b7a5c598a01f661

SHA256
ed66dcf967c6fc4cef4d9625dc085b9c0d862497f5003fa13340bd1d9cc0bfa3

SHA512
dcfb9310fd4e23ed1c302b34ddc8d561b76ee43f051b0c2eebd2b732eae1fe0254e91138b9355bed93e84409fa11677c85e2bcf9fdd6f313c36797904e382864

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7D3B.txt.bit

Filesize
11KB

MD5
85dd4c62b69dfd4dbfba949d5d5fb453

SHA1
84aa764809f8ccea1ec5023d42299aef7126a430

SHA256
1842d0ee8aec3ecc50edbe813cdc843e88c356150c3d6015617c470b38e2689c

SHA512
0820f904c739dab3fd76d535bbf5be36cef000082f7cc868c57ec8b66327af582646587cff1ceaf83a87030eb37a4c52dd37b65b7acc8792eaa7050cc7595a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20231023_152356_841.txt.bit

Filesize
7KB

MD5
a203c59aaae4402207a12851dfeab358

SHA1
79967c783c845423511cd55046af32a156501da2

SHA256
1cdd6aaef77b3d56bbd82d0a337f9bad2aaae19ab28c0c03b28cd230719280b5

SHA512
b11253f1622429fd8fe841f11d514d45330d12af8e0d9c8bfcaec850e98414d06da4a08a6e1ce8a0c50ed466c0e09c752ab07c17ea28222f68d98e23dd56b1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20231023_152358_495.txt.bit

Filesize
2KB

MD5
e1bd862211f776fe92faea2e3c69a586

SHA1
9fdb1bfe5f4fe9bbfa5a231bb241cbe399c13b3d

SHA256
ba7b0debd4bcb96b6fe1d2d32a1c4f42c3a102b76b3bed4fdc467f7a2dbca1fd

SHA512
0bdd410470113ac70d1d7db6a18a59acde99a3432a8b12de0b0fae7a23b11fd7239fcec310c0c1f4d8945d0971a46296c2c03eb85a1d2a779acb4c27f8e8a3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\destruct.bat

Filesize
94B

MD5
47cbff1bcd7df40f1af58b8398361beb

SHA1
49bae331c8a675f86e97a9290067ccf869892d40

SHA256
5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

SHA512
75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\destruct.bat

Filesize
94B

MD5
47cbff1bcd7df40f1af58b8398361beb

SHA1
49bae331c8a675f86e97a9290067ccf869892d40

SHA256
5242f34e2cb4a9dfb74b699c0c1d58192a73ca65368ba868338ce4a62fc12422

SHA512
75fcb43b4525a00962320145fd55ea38d2f2bf8695385d283cb88cb9ffd450d88d78da6197ab1a55f6cf9573d74de0edadbec1527dff830c29993b0f6f5e2c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.bit

Filesize
16B

MD5
38d17085bf2c7818778ae0a42ca7e812

SHA1
7001c9375d0e72f4ee173cda3b7994a65a7e085b

SHA256
554331cf81f8b382744c75a6b321c98c65ad9e2c7c88a4e159073fd74c53f86d

SHA512
6675abfc31d5502517d7103946d925dba436782c88e5d97967eb85ccaf69190d0ad4b6c78dc3d6953eb787ba9db4f314dd0ffa54a618e4ef02fde2ccd07ba3e5

Download Submit
C:\Users\Admin\AppData\Roaming\CheckpointLimit.svg.bit

Filesize
670KB

MD5
38924f8ae8a81c6a0f1750e054bc60d6

SHA1
a2df0d9991d864d6ba0de0932719bfe84177344c

SHA256
17c7844bbf5a93ea84e744836118059e918f501f4ae0385dda70f464bbcd0caf

SHA512
ab2a9344c3b2a83cdd454081676fdac698b6cc2e347e0de476f93df8b2609cfc082939dd6be9ba7c8c0dc6fcec9b7853079a0a67d04e01bcec2e88d18e3074d0

Download Submit
C:\Users\Admin\AppData\Roaming\InitializeConvert.jfif.bit

Filesize
327KB

MD5
5d9930c34d05b572bf8a78cedd1fd243

SHA1
35b8d0ff887136edde6b8c4acb83ef60fcafbc25

SHA256
ce26555ed2ace267bf4f2f8713330ba2a32017d7f052354d3f017f6258c7cef8

SHA512
e4d4159dc0b617974cca0ca8ab7d31d48a6119782bc6ca3d622a0a635ed53ea22467709edfe80a1ef4e9b92705758caab4c5f32bd5259b559afe00fdb6ebf4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\SiteSecurityServiceState.txt.bit

Filesize
336B

MD5
229dc8b7aafdc44f8c73423af218b079

SHA1
f359e370e67ddf24f4cb922c892824fb4f41e5b0

SHA256
983ecc0aa03d9f11cbc00021782c0cc2697468401a86087bc90399a395ac7dc8

SHA512
95d7a7274c942833bc8c46de8ae5d729ea168ceb07eda9db565a034d1e75c3296900ea8fbcf99f44129902be31f6b4f44c79505eeed154c931b598bb5045b117

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\cert9.db.bit

Filesize
224KB

MD5
7cb4df21e76f01d54016a63b04c1b804

SHA1
0c2decc83fe213738b6acd4afafd38f110a5143f

SHA256
2727c100848051e0fcbcf80e8cfa0ba213576a1231f5acbfdc14666994929cd9

SHA512
e4a66b5a9d7928409fdff27168ec315fc37c9ae356a137c4e7aca52766529b315429ab55ee1d2cd82c415ff7775950fa8d0b0cb72c5eaf95c684899c5553e573

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\key4.db.bit

Filesize
288KB

MD5
d4b2838ebf60b983210388748281e951

SHA1
f4e576901bd42b1a24eb1a989f2a6ebe3d6a695f

SHA256
252c92b5f7701c1798e6d11d7705aeda0060abdaad25f5aba4f60a25eef64712

SHA512
3159a2087a3f88cc3726a89a15fe5752f51b6365df1e891b4601955e3345d59299a020566f93efd179bc3c430a1bb36d6228fbd689a4ea1fa46c46742d7630b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\pkcs11.txt.bit

Filesize
528B

MD5
c63aa5d28d63fc4246dbd8a967af6b08

SHA1
b00ee8d3e1cdbeb4585e9d01182c2285d2a27976

SHA256
b1eac4f7046f67581863f3754f7b3e4cc8c2c2579629e8701cdf148a3f3ee5af

SHA512
ebbd3103a6abbba9d021505f5d64a9ed898e0eb2ff77ec0d21492d081df990235a61d7dbd8eca6573d542bc49aceb0827af3a71fe5127da10bf22fa79db93fad

Download Submit
C:\Users\Admin\AppData\Roaming\PingSend.xlt.bit

Filesize
483KB

MD5
0598fc644d7c17878c32308093f15636

SHA1
6ba4ddeb297410cea74d03091cf10d2d610550fd

SHA256
d77f0abb947a270a1b8dda13fbbcd3d177a35f54f9ce0a33b2366cef4a11c65f

SHA512
79cbc9dffe835279ad1124190152f82a7ef4e56ea73ba59d7022d35b110fbdfa087da3d4ce5a565fb664db012c7b49853b18fd575c3653628beff870d9711410

Download Submit
C:\Users\Admin\AppData\Roaming\ProtectFind.ico.bit

Filesize
452KB

MD5
f6e0e516297e0bee4c99b1b524ca2404

SHA1
549c421b0be1f5fd14fd2149648a3f142b980c20

SHA256
7a611f23af560214e081008c486049ea5dbfb79f2473df444ac10bd888705a78

SHA512
245ea4fd5774229efc551b46177b206052c80a76426d3af95714ee77720647d72a715484b03166d90fa993d618df9f1472b1b728d7a37f5fbf8e963eedb1bb07

Download Submit
C:\Users\Admin\AppData\Roaming\SetCheckpoint.html.bit

Filesize
795KB

MD5
58c26c7e725a60eaaf56e1a20a16670b

SHA1
f20b4ea995e19dca64b9db2dd289bb2199a554de

SHA256
3a5247be32959748a1490960e2d600a516ae881ff4fc1f37c8936e857b046586

SHA512
2718de982e4d1beaec154b5f60dd851188613c2cae72cd5db5092eefc6e4df9e245983e44ff8ea0bcf6d5ffa34deddfe1db49307b124d9656e0552340d89ea57

Download Submit
C:\Users\Admin\AppData\Roaming\TestConvertTo.png.bit

Filesize
421KB

MD5
28a7072f9d510031af914a7c99b6e201

SHA1
61214e1731ad681830afd5f472c434c4da31fbe3

SHA256
cec54099b9d4485720f195ea0693227bebd74076dd4f43fad249871a0a0e9d9e

SHA512
0d639598425509e999175ffb5a8a98679afd46aca8859daa80e6cee6dc4724148ecb59a344dbb1b7548d408c08e9630a8e96664852fe1dc993bcc95fec0f5fbb

Download Submit
C:\Users\Admin\Desktop\ImportCompare.ppt.bit

Filesize
316KB

MD5
95115ec33941be1c0d3561b97befe719

SHA1
100bc7fd36b2cbf1323b278c3fabb371ebf28474

SHA256
5370df1a236926224d2ccf93510110631e7a950c765b8f3689c8ed179a700f17

SHA512
a07a32c9b67be2dcb0a595059302875346b92e7748537c5fd72739ae2fbbf03454322680bb4c6c81b36b949deea9adee38ef2a4fc8d86c27b727c38e639bec10

Download Submit
C:\Users\Admin\Desktop\InvokeUnprotect.avi.bit

Filesize
209KB

MD5
54a129274654a4d2224add8c540cd7b5

SHA1
b0131b5b1f59900f3ba31cc193f05cf7942b2489

SHA256
5900697ac5beb697979efdc4be67f2fdbb5bfdd319d95752e068b8093b1317da

SHA512
26cd3ba6da3e738fac32723901d3cb7fb263f61cbe8c7c8372615d1ad8ee30b8f881c50197787f2bf71a069539ab2ac662c98b5e53d8482cf09e202eed84253a

Download Submit
C:\Users\Admin\Desktop\RestartMount.bmp.bit

Filesize
355KB

MD5
7c4d2131f551702e2c4dac419b52f251

SHA1
039eb1a006821c909b3a97251b05bafaacdaf250

SHA256
ff94500747397e4dc8d4fc526af35bdb4a4266e9c9f118d302c838dc9f97dfee

SHA512
4455ecd9cc8e0555154434f84bd0873755898c1d4b8d96faf6091a87fe298a8080e5c8e411980c3e4681002bd356ed601b300d57dbe4d67a88b931398b78e4da

Download Submit
C:\Users\Admin\Desktop\StopWrite.bmp.bit

Filesize
336KB

MD5
e498d5d1c56b4fdb78100f2527482826

SHA1
994eb7f7b217d5d350714e660f645f007a50e3de

SHA256
6a2d6753bc968b434f96a108cbf7f902a9674f9ec32fa257dab8fda9bef68c97

SHA512
a422e343db6e7b1d333e427a80f6e4add3dedd43d06583c47297346357bd6833be57fcc95a5ee24bf7a127db910f76e073d2b91620835246b8a05ed1f005c311

Download Submit
C:\Users\Admin\Desktop\decryptor.exe

Filesize
68KB

MD5
8841222817a49c74f8ca7284f3296bb9

SHA1
01821078d43a9b64b793a6bc2ce4496e4b97efca

SHA256
cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

SHA512
f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

Download Submit
C:\Users\Admin\Desktop\decryptor.exe

Filesize
68KB

MD5
8841222817a49c74f8ca7284f3296bb9

SHA1
01821078d43a9b64b793a6bc2ce4496e4b97efca

SHA256
cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

SHA512
f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

Download Submit
C:\Users\Admin\Documents\AddUninstall.txt.bit

Filesize
708KB

MD5
8a994a4817b8e776eea766606003300c

SHA1
e09ba2b45497821f1b96a3d9882d990181c6d612

SHA256
c1b5ab150fb3467cb750b90818cb5d6396f5aceb532b7becbd364b03ac8966f8

SHA512
8871c9b1fcf05637bd252dad4b6ddca2a250f807e53930a761a210810ca08557467bf8ae8d650e63d3794ea09967afdbc343c913dd3d2c1f4f5adf89bd4cd54f

Download Submit
C:\Users\Admin\Documents\Are.docx.bit

Filesize
11KB

MD5
60751cca80ec5e718deabeb987e8deef

SHA1
b05c361cb91a5afb73a05cec5d071731282120f6

SHA256
770b8552b3ecd50bc18598d0cbf07cfb09800e33d441e2f8d87206caf0fa48f6

SHA512
b9627ae0e6242b714e470c224d134ecff4a09e2aa9e24f05b89a65f7bde99327ed3a5744e587deb13a26ebc629c58ccd06fcd062b14a1b1f36b5c469122c214c

Download Submit
C:\Users\Admin\Documents\BlockRemove.html.bit

Filesize
787KB

MD5
a4ed2807250c3fa29f83f2834c5d7595

SHA1
47be9a44ee43d2b2cf1cd6683aa4e7e28203f84b

SHA256
e9b2a44a5d2896bb0a5b8312987b7c36c28a32233b6e5965f12aaf6fcb617ab2

SHA512
2f6cbc595484992e33d570a314588a8e69c69d3d56b5040d51592ab2fef95a385a5b12a3c73ba92dc7778f59c920194d6bd424a642fd7bc96c58820d25d54730

Download Submit
C:\Users\Admin\Documents\DisconnectRepair.xlsx.bit

Filesize
866KB

MD5
3a1d2d89b83019ac3ce132559cab1366

SHA1
62b569ec26d98d8119480ae0d0cecb104fd25bbd

SHA256
bc654acfec712928a39aec4c2c9f53cab860632b59c9fe0b5ee393ca88da2010

SHA512
5cba3f0395160667e3f555ee38788cc403b5433b332d7e7093c735f8e0498468a871e88624a5557a66ea5622d982dfc242bbc66d4bbe23c3cbd6f7f17e8ff115

Download Submit
C:\Users\Admin\Documents\Files.docx.bit

Filesize
11KB

MD5
08d0dc7cfbd5140f2c08f1486c2fe79e

SHA1
904a12c73b574ab54a0551ceb0268e45067c051e

SHA256
1a68c820fcd0cbc0a1a9bd5d04731b3e9cff51729d86cf8678d5dd62d28ec48a

SHA512
742f87d7ffea34f52f80ba15350f984236e394b92eb31698363f7fb4fba758d4fd4eaf9d01a20062d7e24bc0175771b8aa2f43eeccab8571655087e63ff9cd3a

Download Submit
C:\Users\Admin\Documents\InitializeDebug.xls.bit

Filesize
2.0MB

MD5
f2389fa28805d5842d10f3f63b06117c

SHA1
f695ee36c5a10d782f8a622a497d7a4005c91aac

SHA256
9bf17e3d3b6e4ea8801e071ae4003eae4afde01c497d34802528dc02b23ba4da

SHA512
03591acb1f2eeec0347f781ff7d5057d6c9c096578b58dc8ee44ea41909b827ff79b2463d9cb71c1a1c35be45f0f4de5a9f9c8fc713f85e4deddaea54b44411d

Download Submit
C:\Users\Admin\Documents\InitializeMove.xlsx.bit

Filesize
1.1MB

MD5
a2a7d6d3968168cc01895db02e5acae1

SHA1
a61e6eaec16ae3261200b7a7d1e88473d4a6472c

SHA256
c70ad21c6d0906dfd493aceb836b4d124ead31160c6f34cd4c7868fc52f3fa79

SHA512
c0e530730f84056dade3c55b7f439b694677dafa2b5e9897ed3a11f982ab43d8d56ff9bf2e6154318e8b61363080cda944af261bed6b530992e9eed791466904

Download Submit
C:\Users\Admin\Documents\LockGrant.pptx.bit

Filesize
1.4MB

MD5
0407aca65be0979e61f3ba18ff3ed3a8

SHA1
3c1cedeac63f8b17a4382c35c822f1dcf883ce88

SHA256
726019acb65158ab06d204c13fbadb2e42faee6a2170259cec48700e83be98c0

SHA512
8ea0aa777ce384689fbf5751195ca0b3e2b57ab1cc8957671ae5a1469d7a8b2244d0df7c6cad676fad5421c1e905f64c3fd2d66bdf8fcbfeab07f481f0e54243

Download Submit
C:\Users\Admin\Documents\Opened.docx.bit

Filesize
11KB

MD5
4ea942e6d12ce429a5db27a142bd5d33

SHA1
85da4273ad93bb7ff7015c1ea9ce788323a18470

SHA256
03b1c34fc0946955aade1457fef4b94950dfd5bd8c2990c18e93b5735b5c6082

SHA512
fef9a24195d47d35ad72d3175ab5160f755c8122d5bf84edeb8c230315ddf9618c97455ecbb974523cc8f4e59af63c3d2c2e6aa9e19c3af3971677211801efee

Download Submit
C:\Users\Admin\Documents\Recently.docx.bit

Filesize
11KB

MD5
f6b2ce485b360fd48611ce1aee939908

SHA1
0c87bbc7a26b207158714d8f675cc2fa91547b7f

SHA256
3b6a7007ff305306b8b03d0a30cba7f78a731db8e15394778021bf9ef924bd5e

SHA512
64634242fc2202b056853191e9f33126590ec80f94f6a0834b507473b1022563d46c88b9120e2fb78bc471951343f8cc0d332bdbf5c1282c277cb8c992fa76f8

Download Submit
C:\Users\Admin\Documents\RequestSubmit.html.bit

Filesize
1.4MB

MD5
8827cfe079fa0cc26cc66634182458f7

SHA1
6bc878f3b90efecdbd352105b9e7f7590b238e37

SHA256
05fc222b126aec47a5a1b4ea04ee5200bb6b623cbc444dc7d6d9221fd15c116d

SHA512
b7cdb3be2a4ad4fef8edf0a80902ef3d49a548946e9be6a65c228cb0880580a97caa4a86504e29e1692da13acc0a20212fc14628fc56dab85a822ff02a2fae52

Download Submit
C:\Users\Admin\Documents\These.docx.bit

Filesize
11KB

MD5
9e15cb4f83b0e5580eaceaf26085f2c0

SHA1
2fbd51900a37fc59cce3befb0b6001e692d147f6

SHA256
ca21e2ef932917ea860966cc1962cd48c22e2d8e86e27abc8c431045069c0c6f

SHA512
90d0807d4738e29fd190da68135936306fb94559ec642cc7f4b3227efab90241d2b04f19bb5ba4ee47967c07111168195a864b8ef3c3740d2a3457973476a3e9

Download Submit
C:\Users\Admin\Downloads\AssertResolve.odt.bit

Filesize
678KB

MD5
9f9449128e7ac773fbd549f31747714c

SHA1
67dd7d6fa42a92bb6a5a1e236f0d46312de85813

SHA256
c52ea29ba1a904f243ec6893070f84375d13ff7bcd47cb1ee5678e60dbf60597

SHA512
ced48010b677b6298b70ca459b46e3d381e859c82727cba1c8e1cca0a8e2112d57be6579a2997201c5925ae9b72ab8d742ad3622e49776e5200586e8af16c116

Download Submit
C:\Users\Admin\Downloads\ConvertFromSuspend.ppt.bit

Filesize
759KB

MD5
369af6466ff245eead9637aa814956e4

SHA1
9e8b29cbe6739546011da2965523b79ba6ac1c38

SHA256
6ca9bd75f9723818685308f9d8ecf639b9c8d4f57c5a600fbd31773da2fe0298

SHA512
ce0ed9c3470add16382b49b3140497eab856bc111c9ed2d45e52a9f7bd03db7a7a9a0014d195f00964e77f98aa4f6d981c5792bfe2547ddf34935ddcb2bbce55

Download Submit
C:\Users\Admin\Downloads\DisableMount.php.bit

Filesize
840KB

MD5
06ce08381be425a984837feb59af7990

SHA1
7abc4ed87006d716433555367549b0f9d235a510

SHA256
98f6f67dba093105710d427bdc0e16cb1defb43628b90416d0e2c07b921cbda1

SHA512
05e8edb0af3dd4734e615fc25824bcc4a881d2ed8288a84eac8b187d1cf082c0370de796159a91d3f612d55d41e0c0fb987e82f58720d504c47951ed40132f1e

Download Submit
C:\Users\Admin\Downloads\DisableSend.png.bit

Filesize
313KB

MD5
0989f0f4815e5429355191d87e87fd2a

SHA1
5c21821d96692493f3503ab41c578d82cb82f865

SHA256
7bd51d14f1ecb81ce517879c091e864a20429d08182577ee58bd2532bba20ee3

SHA512
234b0519d5210e36b441167911da4e5d247931cfb3444c29b4bebb9a70be57f603d33af23ab849a3c1218b1acfb75450ebdae86a6c28b92150d796dfff67f395

Download Submit
C:\Users\Admin\Downloads\DismountSearch.ico.bit

Filesize
516KB

MD5
9c7f25d836401903ed6abf32f1188089

SHA1
a592c9e18cab5a446634ec610659cc221b85949f

SHA256
02d141706c40f1cdff7513090445f773a72d0c9c875e9b23eba949a6222de1e2

SHA512
9e741207fea0fc963c64e1b346b137d304406c4eb42cc36e1a3171b7955d707441eb5125ef184ffee83d7a9012f71c1815c003dbcdc6ab9dfc596ee3dc25b499

Download Submit
C:\Users\Admin\Downloads\RestoreMount.mp4.bit

Filesize
577KB

MD5
a349f50becb52c203b6e9a4b38cd472e

SHA1
04663587e103272e40986ea2b3408ec3446dd968

SHA256
589df4830b0ef26a72c0c8fc05046145cea7d16036831757e461aa2f1b889b29

SHA512
4f1ee5704f6dd706cd7d9f23f89194a1bc664fbdd1df1d5c7d29ca1d3fec29cf9d0601cf4b5ad99d98fa287f2d0c5189c88925f87568ed759bcba29ad6a64b05

Download Submit
C:\Users\Admin\Downloads\SendCompare.vb.bit

Filesize
617KB

MD5
cfb5da91e112c2f3b23038cfda13d3fc

SHA1
b53f123688cbb43a6675f56b9f878f2a5d32a117

SHA256
336a2861db5113f15182cb29f5ff0c7880d1532fc00296b0c6a0abfc99993212

SHA512
6c9e7bcf15a5ce5d23ad6c133d12e22f385672a6580b5b764c46178bb807de3dd6a0d99e4215dbcd50602835ae01c46c1b1ba28065c6776c3d4ab90116377c1f

Download Submit
C:\Users\Admin\Music\BlockApprove.gif.bit

Filesize
739KB

MD5
0db4e54941077fd3258182cf8e157407

SHA1
32dd71eec6dc99a3261b1c338bd1c4de6109a7bc

SHA256
1fe18c8d39735034b893b3ff1071be9753ae9f613b252bb6804af22ed3283867

SHA512
dce3dfb27a79c067d24d2ac7155e835ab1ed039f139b2cd4b665109c7cdce5db873bcad0127a3e9996c1298291395b262185e19d635b6b881f03c8a93918564c

Download Submit
C:\Users\Admin\Music\ClearCheckpoint.mp4.bit

Filesize
616KB

MD5
1cb74e1fc3503ca6ff61ae68ad2697ba

SHA1
939f96a28cdf8571d46da03dfb8138ef4ab3eb78

SHA256
3e3ae6865ae2ee6ce3cfbd74740ef3ae3332343ecb82b76460e5efe12a227609

SHA512
aee339382f42bbe6002632b84873fc94b8416a08201e30708bc7d35d7bcf335051069700b28c1be46992b75778bb6df1db1e109a8828775c4f85a95eaf6bc3c7

Download Submit
C:\Users\Admin\Music\ConfirmInstall.svg.bit

Filesize
534KB

MD5
ea9476a9fa15d54e05fce752c1e1ae31

SHA1
2d603d691f84ee3dd7216f617c9459051f51be9e

SHA256
b926636ea6871a93430c2f6ca7a3ba61f20c3aec88b882a023fa9cc323f6154e

SHA512
42c3251ae55d55e035823cd3e409f148e3dbaece7f05b2d630121c253e235290d762ec3c968b64fafd4400920b1fd2e5b732c94c69d38d3ee8df16f997e66a61

Download Submit
C:\Users\Admin\Music\DisableImport.ico.bit

Filesize
451KB

MD5
ff2a3fd2933cefe51f5b4dc7a7cfcc85

SHA1
a89fcd9c129746e2f5abc28503929e857e32c7ea

SHA256
668ab03ef02a645b1aa759ae1a0491d328ad150ff7f667f9b3bc123c39acc4fa

SHA512
3ca0ea0283b866b7e2d78576b983fd567743d7b1109196f4f60bf6abb6c84c98a5310fbf4c2f9c25c960ccb0d5b2e073324dd01776e71426b500d0adf832604d

Download Submit
C:\Users\Admin\Music\OutRepair.pptx.bit

Filesize
698KB

MD5
9af0302cf27f378dc7a661b0bf49970d

SHA1
90c0b11723e1a99ad99513d37d854467768f6e99

SHA256
ddca20b778e3b546df9e060bff3cdde69732c2bb806b66d6f7f26d3e2472d426

SHA512
1240cc93e9e53a14d78e57dd43d160b97631745d07a3ebf6a1fa50a9ef587b6d0a7502e68c9a679cbfc44421a63bb42a164a67cd31395e7a2124bc49f1bae370

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.bit

Filesize
362KB

MD5
2c232cfbf324cb94ba9add7d05df607a

SHA1
0bd6112eb6b419c63496985736527c9730f1fed1

SHA256
93e97cfefe24d2f018a330059879f4c3208543db551feb2f2d8d9d17f269071c

SHA512
ff0265ac4ac10cd9f689ae099db1d7d7e6cb0ace68c16f06fdf574f6bbf60711d1567e795b71d708fa9ad896624e9fd969cb1f97f40af0d2e6c78d5adf5af772

Download Submit
C:\vcredist2010_x64.log.html.bit

Filesize
86KB

MD5
af145eafb883283ad7e6bab5837f9e5d

SHA1
946e9d141f1cdef23577de8fd8716aaac5587658

SHA256
78271392bd443e4c4b2af4d744b951928f52165b651ccf09c824a09e0e3feb48

SHA512
c527720455ce663bfaf667c13babc08bb02db7210299a12b77f75cd5a95752c819a0a9886ad31dd4e0750ffdc735a5ec8ad911afbd2b75a7aea5b6338a932944

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.bit

Filesize
379KB

MD5
079aac7fdbf364a8bfd10b8a279963b4

SHA1
c29580c015aadd4ad3bc3893d5c6aef89c7449af

SHA256
19779d28e5af843200d26acca90cdaa9ae506fc5a41154fbaf06ce35e1033a88

SHA512
5048ae10a511fbb5af992d756fd25125b490b5be14283c8b3ac6666aa3ab5af1ab7d2446d347fad10786a6d9399c68edea8c16435df0e5169bf12a1f834561ac

Download Submit
C:\vcredist2010_x86.log.html.bit

Filesize
82KB

MD5
e68df190b01099fecf0e261b34f36b24

SHA1
a2f5899f2772c8245a255312913096f6b51890fc

SHA256
0953973b21b8c3a2379033f6afbcd0c2a4d36f5fa7b6f5cfa5ff53566fdb10f0

SHA512
a72da18452a0c5778ce353c8dcbabef48ce6ea0c35cc0d2bee049045bc621b3d3d07dc323ae4e45ea367b2dacc8a465452bbac933fc1724793f7f1fcbda78b38

Download Submit
\Users\Admin\Desktop\decryptor.exe

Filesize
68KB

MD5
8841222817a49c74f8ca7284f3296bb9

SHA1
01821078d43a9b64b793a6bc2ce4496e4b97efca

SHA256
cb076b3d1aa8866e9546bbd8eeeeda40ebb1dbf1839ce8f16e77ff1e546a799d

SHA512
f0baca2f7353bf5a6ae3c72b5b80ee756d69f4456ba1daae124e7702334768e3bff423a4c7ee63b2bc668d99ca9f90a7c82856f36ae7c015f46649b540d48019

Download Submit
memory/2184-286-0x00000000012D0000-0x00000000012E8000-memory.dmp

Filesize
96KB

Download
memory/2184-295-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2184-299-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2184-296-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-361-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-291-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2184-287-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-298-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2184-297-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2260-2-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/2260-289-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-1-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-0-0x0000000000CC0000-0x0000000000D4E000-memory.dmp

Filesize
568KB

Download
memory/2656-362-0x000000002F791000-0x000000002F792000-memory.dmp

Filesize
4KB

Download
memory/2656-363-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2656-364-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download
memory/2656-374-0x000000007141D000-0x0000000071428000-memory.dmp

Filesize
44KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads