matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Size

1.2MB
MD5

907636b28d162f7110b067a8178fa38c
SHA1

048ae4691fe267e7c8d9eda5361663593747142a
SHA256

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512

501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
SSDEEP

24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Score

10^/10

matrix discovery evasion persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 115AA390B4995FD2\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 115AA390B4995FD2\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 NHVzmtIk\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Public\Libraries\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\skins\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\7-Zip\Lang\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Documents\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\deploy\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\MSBuild\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\es-ES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Contacts\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4600	bcdedit.exe
4612	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1448	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	UGJb67Tc64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	UGJb67Tc64.exe

Executes dropped EXE 3 IoCs

pid	Process
2724	NWyeUGTy.exe
2468	UGJb67Tc.exe
1592	UGJb67Tc64.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
2496	cmd.exe
2468	UGJb67Tc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1092	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/files/0x0006000000015d24-2306.dat	upx
behavioral7/memory/2468-2355-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral7/memory/2468-14629-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	UGJb67Tc64.exe
File opened (read-only)	\??\L:	UGJb67Tc64.exe
File opened (read-only)	\??\N:	UGJb67Tc64.exe
File opened (read-only)	\??\S:	UGJb67Tc64.exe
File opened (read-only)	\??\V:	UGJb67Tc64.exe
File opened (read-only)	\??\Y:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\W:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	UGJb67Tc64.exe
File opened (read-only)	\??\U:	UGJb67Tc64.exe
File opened (read-only)	\??\W:	UGJb67Tc64.exe
File opened (read-only)	\??\K:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\I:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	UGJb67Tc64.exe
File opened (read-only)	\??\T:	UGJb67Tc64.exe
File opened (read-only)	\??\Y:	UGJb67Tc64.exe
File opened (read-only)	\??\R:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Z:	UGJb67Tc64.exe
File opened (read-only)	\??\S:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\A:	UGJb67Tc64.exe
File opened (read-only)	\??\H:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\B:	UGJb67Tc64.exe
File opened (read-only)	\??\K:	UGJb67Tc64.exe
File opened (read-only)	\??\P:	UGJb67Tc64.exe
File opened (read-only)	\??\X:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\V:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\L:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	UGJb67Tc64.exe
File opened (read-only)	\??\I:	UGJb67Tc64.exe
File opened (read-only)	\??\Z:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Q:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	UGJb67Tc64.exe
File opened (read-only)	\??\Q:	UGJb67Tc64.exe
File opened (read-only)	\??\J:	UGJb67Tc64.exe
File opened (read-only)	\??\R:	UGJb67Tc64.exe
File opened (read-only)	\??\P:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\X:	UGJb67Tc64.exe
File opened (read-only)	\??\U:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	myexternalip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\eGmoEQxM.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01575_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21503_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099197.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Phoenix	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Stock Quotes.iqy	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02094_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Projects.accdt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297757.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMASTHD.DPV	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
876	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4540	vssadmin.exe
2732	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1448	powershell.exe
1592	UGJb67Tc64.exe
1592	UGJb67Tc64.exe
1592	UGJb67Tc64.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1592	UGJb67Tc64.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1592	UGJb67Tc64.exe
Token: SeLoadDriverPrivilege	1592	UGJb67Tc64.exe
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: SeDebugPrivilege	4356	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2528	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	29
PID 1288 wrote to memory of 2528	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	29
PID 1288 wrote to memory of 2528	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	29
PID 1288 wrote to memory of 2528	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	29
PID 1288 wrote to memory of 2724	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	31
PID 1288 wrote to memory of 2724	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	31
PID 1288 wrote to memory of 2724	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	31
PID 1288 wrote to memory of 2724	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	31
PID 1288 wrote to memory of 2908	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	33
PID 1288 wrote to memory of 2908	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	33
PID 1288 wrote to memory of 2908	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	33
PID 1288 wrote to memory of 2908	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	33
PID 2908 wrote to memory of 1448	2908	cmd.exe	35
PID 2908 wrote to memory of 1448	2908	cmd.exe	35
PID 2908 wrote to memory of 1448	2908	cmd.exe	35
PID 2908 wrote to memory of 1448	2908	cmd.exe	35
PID 1288 wrote to memory of 2872	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	36
PID 1288 wrote to memory of 2872	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	36
PID 1288 wrote to memory of 2872	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	36
PID 1288 wrote to memory of 2872	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	36
PID 1288 wrote to memory of 2888	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	37
PID 1288 wrote to memory of 2888	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	37
PID 1288 wrote to memory of 2888	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	37
PID 1288 wrote to memory of 2888	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	37
PID 2872 wrote to memory of 1956	2872	cmd.exe	40
PID 2872 wrote to memory of 1956	2872	cmd.exe	40
PID 2872 wrote to memory of 1956	2872	cmd.exe	40
PID 2872 wrote to memory of 1956	2872	cmd.exe	40
PID 2888 wrote to memory of 2336	2888	cmd.exe	41
PID 2888 wrote to memory of 2336	2888	cmd.exe	41
PID 2888 wrote to memory of 2336	2888	cmd.exe	41
PID 2888 wrote to memory of 2336	2888	cmd.exe	41
PID 2872 wrote to memory of 1416	2872	cmd.exe	42
PID 2872 wrote to memory of 1416	2872	cmd.exe	42
PID 2872 wrote to memory of 1416	2872	cmd.exe	42
PID 2872 wrote to memory of 1416	2872	cmd.exe	42
PID 2872 wrote to memory of 900	2872	cmd.exe	43
PID 2872 wrote to memory of 900	2872	cmd.exe	43
PID 2872 wrote to memory of 900	2872	cmd.exe	43
PID 2872 wrote to memory of 900	2872	cmd.exe	43
PID 1288 wrote to memory of 2180	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	44
PID 1288 wrote to memory of 2180	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	44
PID 1288 wrote to memory of 2180	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	44
PID 1288 wrote to memory of 2180	1288	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	44
PID 2180 wrote to memory of 772	2180	cmd.exe	46
PID 2180 wrote to memory of 772	2180	cmd.exe	46
PID 2180 wrote to memory of 772	2180	cmd.exe	46
PID 2180 wrote to memory of 772	2180	cmd.exe	46
PID 2336 wrote to memory of 1044	2336	wscript.exe	47
PID 2336 wrote to memory of 1044	2336	wscript.exe	47
PID 2336 wrote to memory of 1044	2336	wscript.exe	47
PID 2336 wrote to memory of 1044	2336	wscript.exe	47
PID 2180 wrote to memory of 2860	2180	cmd.exe	48
PID 2180 wrote to memory of 2860	2180	cmd.exe	48
PID 2180 wrote to memory of 2860	2180	cmd.exe	48
PID 2180 wrote to memory of 2860	2180	cmd.exe	48
PID 2180 wrote to memory of 1092	2180	cmd.exe	50
PID 2180 wrote to memory of 1092	2180	cmd.exe	50
PID 2180 wrote to memory of 1092	2180	cmd.exe	50
PID 2180 wrote to memory of 1092	2180	cmd.exe	50
PID 2180 wrote to memory of 2496	2180	cmd.exe	51
PID 2180 wrote to memory of 2496	2180	cmd.exe	51
PID 2180 wrote to memory of 2496	2180	cmd.exe	51
PID 2180 wrote to memory of 2496	2180	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWyeUGTy.exe"
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWyeUGTy.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWyeUGTy.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\VqhcwqJA.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eGmoEQxM.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eGmoEQxM.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\R63k7hiw.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\R63k7hiw.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\C9ngRXEN.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      PID:1044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\C9ngRXEN.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      PID:2476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\F14X1gUF.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Views/modifies file attributes
    PID:772
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"
    3⤵
    - Modifies file permissions
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c UGJb67Tc.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\UGJb67Tc.exe
      UGJb67Tc.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\UGJb67Tc64.exe
        
        UGJb67Tc.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592

C:\Windows\system32\taskeng.exe
taskeng.exe {78B0E0BE-B14E-4B76-84DF-B0FD8D38A4F7} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
PID:1652
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\C9ngRXEN.bat"
  2⤵
  PID:1448
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4540
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4600
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4612
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:4620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

Filesize
8KB

MD5
e61660ac3f26f8d1ed6a5a4c4d9c38b4

SHA1
e0a0ef786dbbd24d0845efb48df140edae8f82c7

SHA256
391963825fef6011f67057173ad83318f1b077760d65c92fb9d565ba231666ff

SHA512
75a11584299cf1c1fbe432e385cb801e71e44940bc0e9c6734c63d930a93b99efaa31fc2d29ab217a0a34bc65ed32e75992db3d3657bb573c91144b447a1b659

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\F14X1gUF.bat

Filesize
246B

MD5
2caeecb432828e4491c8cb5477fc997a

SHA1
042007cf8d89339518aca6f4d1cfb0b011b2d041

SHA256
10f263402d0b7c8089b74a7aa7e04d42c7eed1a5c3facaccd6678071530d44fa

SHA512
e3e81320015e8fc9dc116b6cda5d804beedae1d1f4ff59a70b33ba9611c6b73159c1291c41f0f7a3e9eacb80b94a1be1a50bc8ee35b5fcd10dc8e0aabf61f8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\VqhcwqJA.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_115AA390B4995FD2.txt

Filesize
63KB

MD5
68d1ce46524048cc9aa01050360063c3

SHA1
04bf608350eed1bcc49de5671b7b23822f5b3dca

SHA256
55873560908a2e5036a72f6bffe74edcd4d27c1e839b3bb59d8f5713f2924203

SHA512
ba8337ab320b4913b5acffaa4ccc7efde5812f1430297831c3e70da9479a976789dbc828140ab004c1c0aaa3af2e4c9911e4b60e0a4018cc8c6efb115c46070f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGJb67Tc64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\C9ngRXEN.bat

Filesize
415B

MD5
c1781efb8524c72cd1f452b4f2971f3b

SHA1
09e4992d0eaf307990b18fd0b06db09f533af494

SHA256
abc514debb58821897ffed02374eda6d47e2a6e05c431101eef0098974a7c98a

SHA512
d1193b765cc2fd0316b9849dc328b93aa9679bee637af03e49fd927c718bd32c8c8452f9ca52c0b37a1c3da7ea3db55237266d97387af318c8eebd0b17c235ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G0VNWOGKRGE4F9HVR05.temp

Filesize
7KB

MD5
69a5db534b51eb8ed400150ae4a0f6c1

SHA1
7942220292f7a309701ee38629165496089ad075

SHA256
c3d8b11c9cf10b07f3f77e948c7ef6bce7a9e17f8f49248aa4fde00a746c279f

SHA512
970668f5c49f12af5a642b20529c682277215de4aaeb18606da165a38b3f469fb96bf0444f2694b1d7cc950c664a53b79c86920baa2a506e1be90f6444f4d668

Download Submit
C:\Users\Admin\AppData\Roaming\R63k7hiw.vbs

Filesize
260B

MD5
74e45ac380a070e5193a07a5006c7a5e

SHA1
893a22b9e22cf767fefb3f2f8c29318f5fd83d41

SHA256
097054bbfd0bb596928127a74ab3deb31cf2afaf100ebe2adb121a6b37947066

SHA512
09e98ebe8f892bc7d9500c47ae9a1bfc06c408e343c3a8bcf0f7130c0a68f0de2b4907fbdbfcbe2fbe31e0c71618dfaad6908078b70cf52064ed68e5983864ed

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\NWyeUGTy.exe

Filesize
1.2MB

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
\Users\Admin\AppData\Local\Temp\FoxRansomware\UGJb67Tc.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
memory/1288-13433-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1288-14644-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1288-14632-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1448-12-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-13-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/1448-14-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/1448-11-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-15-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-2355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2468-14629-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2496-2353-0x0000000002300000-0x0000000002377000-memory.dmp

Filesize
476KB

Download
memory/2496-14633-0x0000000002300000-0x0000000002377000-memory.dmp

Filesize
476KB

Download
memory/2724-8-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4356-14618-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/4356-14621-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/4356-14619-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/4356-14624-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/4356-14625-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/4356-14622-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/4356-14623-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/4356-14620-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/4356-14617-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download