Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
13-02-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20231215-en
General
-
Target
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
-
Size
1.2MB
-
MD5
607d292bdcdde297252e002e613282ae
-
SHA1
0161d2dd582d064f7e7f50ccb43478ff0884916a
-
SHA256
0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
-
SHA512
2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
SSDEEP
24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\More Games\it-IT\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Public\Music\Sample Music\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jre7\lib\zi\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\mux\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Mahjong\fr-FR\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Minesweeper\ja-JP\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\More Games\de-DE\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Purble Place\en-US\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Public\Documents\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\FreeCell\it-IT\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VFIJ47B3\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jre7\lib\zi\Africa\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Purble Place\fr-FR\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Purble Place\es-ES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\lua\sd\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Mozilla Firefox\fonts\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z2ud2i1e.default-release\cache2\entries\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1616 bcdedit.exe 436 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 9 2892 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS dOTEiSx964.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" dOTEiSx964.exe -
Executes dropped EXE 3 IoCs
pid Process 2668 NWSrMQJj.exe 2604 dOTEiSx9.exe 340 dOTEiSx964.exe -
Loads dropped DLL 4 IoCs
pid Process 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 1912 cmd.exe 2604 dOTEiSx9.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1484 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0006000000018b91-1321.dat upx behavioral1/memory/2604-1407-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral1/memory/2604-7937-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 40 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EW3J74TG\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Music\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Documents\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VFIJ47B3\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Music\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Links\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\V17S5RKJ\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TNEMG9GL\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Videos\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: dOTEiSx964.exe File opened (read-only) \??\X: dOTEiSx964.exe File opened (read-only) \??\X: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\K: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\G: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\E: dOTEiSx964.exe File opened (read-only) \??\K: dOTEiSx964.exe File opened (read-only) \??\L: dOTEiSx964.exe File opened (read-only) \??\Z: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\S: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\T: dOTEiSx964.exe File opened (read-only) \??\U: dOTEiSx964.exe File opened (read-only) \??\W: dOTEiSx964.exe File opened (read-only) \??\Y: dOTEiSx964.exe File opened (read-only) \??\O: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\L: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\A: dOTEiSx964.exe File opened (read-only) \??\G: dOTEiSx964.exe File opened (read-only) \??\J: dOTEiSx964.exe File opened (read-only) \??\R: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Q: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\J: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\N: dOTEiSx964.exe File opened (read-only) \??\R: dOTEiSx964.exe File opened (read-only) \??\Z: dOTEiSx964.exe File opened (read-only) \??\W: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\H: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\V: dOTEiSx964.exe File opened (read-only) \??\U: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\T: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\P: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\E: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Q: dOTEiSx964.exe File opened (read-only) \??\N: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\I: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\I: dOTEiSx964.exe File opened (read-only) \??\S: dOTEiSx964.exe File opened (read-only) \??\P: dOTEiSx964.exe File opened (read-only) \??\Y: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\V: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\M: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\B: dOTEiSx964.exe File opened (read-only) \??\H: dOTEiSx964.exe File opened (read-only) \??\M: dOTEiSx964.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\deuNEF1q.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Hearts\ja-JP\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\management\jmxremote.access 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santiago 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\ReceiveConvertFrom.odt 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Microsoft Games\Mahjong\es-ES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\libGLESv2.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Mexico_City 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1132 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1772 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2892 powershell.exe 340 dOTEiSx964.exe 340 dOTEiSx964.exe 340 dOTEiSx964.exe 340 dOTEiSx964.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 340 dOTEiSx964.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2892 powershell.exe Token: SeDebugPrivilege 340 dOTEiSx964.exe Token: SeLoadDriverPrivilege 340 dOTEiSx964.exe Token: SeBackupPrivilege 3972 vssvc.exe Token: SeRestorePrivilege 3972 vssvc.exe Token: SeAuditPrivilege 3972 vssvc.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe Token: SeIncreaseQuotaPrivilege 1656 WMIC.exe Token: SeSecurityPrivilege 1656 WMIC.exe Token: SeTakeOwnershipPrivilege 1656 WMIC.exe Token: SeLoadDriverPrivilege 1656 WMIC.exe Token: SeSystemProfilePrivilege 1656 WMIC.exe Token: SeSystemtimePrivilege 1656 WMIC.exe Token: SeProfSingleProcessPrivilege 1656 WMIC.exe Token: SeIncBasePriorityPrivilege 1656 WMIC.exe Token: SeCreatePagefilePrivilege 1656 WMIC.exe Token: SeBackupPrivilege 1656 WMIC.exe Token: SeRestorePrivilege 1656 WMIC.exe Token: SeShutdownPrivilege 1656 WMIC.exe Token: SeDebugPrivilege 1656 WMIC.exe Token: SeSystemEnvironmentPrivilege 1656 WMIC.exe Token: SeRemoteShutdownPrivilege 1656 WMIC.exe Token: SeUndockPrivilege 1656 WMIC.exe Token: SeManageVolumePrivilege 1656 WMIC.exe Token: 33 1656 WMIC.exe Token: 34 1656 WMIC.exe Token: 35 1656 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2368 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 4 PID 2120 wrote to memory of 2368 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 4 PID 2120 wrote to memory of 2368 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 4 PID 2120 wrote to memory of 2368 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 4 PID 2120 wrote to memory of 2668 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 2 PID 2120 wrote to memory of 2668 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 2 PID 2120 wrote to memory of 2668 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 2 PID 2120 wrote to memory of 2668 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 2 PID 2120 wrote to memory of 2848 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 33 PID 2120 wrote to memory of 2848 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 33 PID 2120 wrote to memory of 2848 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 33 PID 2120 wrote to memory of 2848 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 33 PID 2848 wrote to memory of 2892 2848 cmd.exe 35 PID 2848 wrote to memory of 2892 2848 cmd.exe 35 PID 2848 wrote to memory of 2892 2848 cmd.exe 35 PID 2848 wrote to memory of 2892 2848 cmd.exe 35 PID 2120 wrote to memory of 2268 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 36 PID 2120 wrote to memory of 2268 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 36 PID 2120 wrote to memory of 2268 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 36 PID 2120 wrote to memory of 2268 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 36 PID 2120 wrote to memory of 2468 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 38 PID 2120 wrote to memory of 2468 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 38 PID 2120 wrote to memory of 2468 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 38 PID 2120 wrote to memory of 2468 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 38 PID 2268 wrote to memory of 1588 2268 cmd.exe 40 PID 2268 wrote to memory of 1588 2268 cmd.exe 40 PID 2268 wrote to memory of 1588 2268 cmd.exe 40 PID 2268 wrote to memory of 1588 2268 cmd.exe 40 PID 2268 wrote to memory of 1160 2268 cmd.exe 42 PID 2268 wrote to memory of 1160 2268 cmd.exe 42 PID 2268 wrote to memory of 1160 2268 cmd.exe 42 PID 2268 wrote to memory of 1160 2268 cmd.exe 42 PID 2468 wrote to memory of 2768 2468 cmd.exe 41 PID 2468 wrote to memory of 2768 2468 cmd.exe 41 PID 2468 wrote to memory of 2768 2468 cmd.exe 41 PID 2468 wrote to memory of 2768 2468 cmd.exe 41 PID 2268 wrote to memory of 1880 2268 cmd.exe 43 PID 2268 wrote to memory of 1880 2268 cmd.exe 43 PID 2268 wrote to memory of 1880 2268 cmd.exe 43 PID 2268 wrote to memory of 1880 2268 cmd.exe 43 PID 2120 wrote to memory of 796 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 45 PID 2120 wrote to memory of 796 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 45 PID 2120 wrote to memory of 796 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 45 PID 2120 wrote to memory of 796 2120 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 45 PID 796 wrote to memory of 2736 796 cmd.exe 46 PID 796 wrote to memory of 2736 796 cmd.exe 46 PID 796 wrote to memory of 2736 796 cmd.exe 46 PID 796 wrote to memory of 2736 796 cmd.exe 46 PID 796 wrote to memory of 3028 796 cmd.exe 51 PID 796 wrote to memory of 3028 796 cmd.exe 51 PID 796 wrote to memory of 3028 796 cmd.exe 51 PID 796 wrote to memory of 3028 796 cmd.exe 51 PID 796 wrote to memory of 1484 796 cmd.exe 48 PID 796 wrote to memory of 1484 796 cmd.exe 48 PID 796 wrote to memory of 1484 796 cmd.exe 48 PID 796 wrote to memory of 1484 796 cmd.exe 48 PID 796 wrote to memory of 1912 796 cmd.exe 50 PID 796 wrote to memory of 1912 796 cmd.exe 50 PID 796 wrote to memory of 1912 796 cmd.exe 50 PID 796 wrote to memory of 1912 796 cmd.exe 50 PID 1912 wrote to memory of 2604 1912 cmd.exe 53 PID 1912 wrote to memory of 2604 1912 cmd.exe 53 PID 1912 wrote to memory of 2604 1912 cmd.exe 53 PID 1912 wrote to memory of 2604 1912 cmd.exe 53 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2736 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe" -n1⤵
- Executes dropped EXE
PID:2668
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWSrMQJj.exe"1⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vdam32qB.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\deuNEF1q.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\deuNEF1q.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1588
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:1160
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xwyMIp7x.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\xwyMIp7x.vbs"3⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\HbkYF590.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:2880
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\HbkYF590.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:1132
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:2324
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:760
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\4TIUmeBd.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵
- Views/modifies file attributes
PID:2736
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C3⤵PID:3028
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵
- Modifies file permissions
PID:1484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dOTEiSx9.exedOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\dOTEiSx964.exedOTEiSx9.exe -accepteula "DefaultID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:340
-
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4271383521583077221-1187407218-50388744316234968398165325838953693401401790295"1⤵PID:3028
-
C:\Windows\system32\taskeng.exetaskeng.exe {FB947233-C91B-42E6-BA15-C3FF2A2AAC6D} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]1⤵PID:2896
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\HbkYF590.bat"2⤵PID:2712
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1772
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:1616
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:436
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:1212
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5ca6cc353a0a38fbd75ef7754437b0ebd
SHA187ce1b6bda1a044f04fae9e0773207883f9562f5
SHA2569c827eae6072fbce97af46f0b42ac5c4076c21bdc915fb727bd047947dd0a0b8
SHA5127b681b40eae96356ac97ce115deb5cc49c250c580e0251522d22fcf697616577cceb35931b9888d754f8c5d4720b7e21b3a5d927a274a2c2afdc659faeead90d
-
Filesize
246B
MD5ac19f820b572be9c936b293c37fb2b50
SHA10606d70b4e9deb0c2f28e66e5472fef5f71d1396
SHA25618ca7126c00e488748aa6f95b9b2369fd8d4912e907cdcb68a0afb8a3d3ced2a
SHA512210edbe95f70525b038a12d7c85f3837b452955799b67b118e73ab93bff44438bd456f0cb5be2474a8228233f0c67338d41768a83b9e905021e44e4f11629d83
-
Filesize
31KB
MD5eb910a3a9a54500dc5f66cd897bb1574
SHA19eaa970c732dedb0f9be4697b0480b4a04cb17be
SHA2568a195dee433d8b7149a6bbb3c10ef1ba136dcbdfdc49e11cfaffd61547a59fad
SHA512c5747c94fa851d28ba813835329a5d0ceea7f25afb79176438b323b87bd3983f45596799e0647ee2df51210c6d20c445ac02172836f0e4f4e32061e77fdac77f
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
265B
MD5ac43b2ebc34f9f3778d0002e4fac71c4
SHA13c5954ec19dd0aaa77199aa57fbc122573af9c4c
SHA2569bba67f8a4275952df677e02d11ec45011a34d869390ffa2d3400de3c2a41710
SHA512c0d1a35234d67f625329297eed5e7eb9ed45bd4adc3ecd6dbff34b0a208d8d872b4ad0c76ef4f5299017ac54ffbbdef91fb5ce3f92b603bf253407a167803f39
-
Filesize
260B
MD5afc291a3771fa24c4ff20a0fa986120e
SHA1b8fafbb0f289e16f9079a88cb271653aa69b7487
SHA2563f207977ea639c0ce41d6bdd009dc3be7be055c5d2fbe1fc34a0e7fce18c71fc
SHA51271d9cb3c26b04a08e0696186e3f047d5b3f6bcc363bc202877b4e4f095f8f2e9b475e74fd5aefa93695db791ccac570c3da1b13bba0538f6d7fe94b68c93ec20
-
Filesize
1.2MB
MD5607d292bdcdde297252e002e613282ae
SHA10161d2dd582d064f7e7f50ccb43478ff0884916a
SHA2560676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
SHA5122bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8