Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
03-04-2024 17:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240319-en
windows7-x64
26 signatures
150 seconds
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
26 signatures
150 seconds
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240220-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
25 signatures
150 seconds
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240319-en
windows7-x64
26 signatures
150 seconds
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
24 signatures
150 seconds
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240221-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
-
Size
1.2MB
-
MD5
1fa1b6d4b3ed867c1d4baffc77417611
-
SHA1
afb5e385f9cc8910d7a970b6c32b8d79295579da
-
SHA256
91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
-
SHA512
0600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
-
SSDEEP
24576:K/SA+2lraRrjSJR5ezmT1dM9bBkNIDreFqO:2Xl9Ife
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://myexternalip.com/raw
Extracted
Path
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\#FOX_README#.rtf
Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}}
{\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;}
{\*\generator Riched20 10.0.15063}\viewkind4\uc1
\pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par
\pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par
\cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par
\b0 by our automatic software. It became possible because of bad server security. \par
\cf1\b ATENTION!!!\par
\cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par
state and decrypt all your files quickly and safely!\par
\b\par
\cf2 INFORMATION!!!\par
\cf0\b0 Files are not broken!!!\par
Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par
\i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par
\i0\f0\lang1033\par
\cf3\b HOW TO RECOVER FILES???\par
\cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par
\pard\sl240\slmult1\b\fs28 [email protected] \par
[email protected]\par
[email protected]\cf1\fs24\par
You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par
\pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par
In subject line write your personal ID:\par
\b\fs28 5181A1BDCF739F54\par
\b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par
\i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par
\i0\par
\cf1\b OUR ADVICE!!!\par
\cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par
\ul\b\par
We will definitely reach an agreement ;) !!!\b0\par
\ulnone\par
\fs20 \par
\par
\par
\par
\par
\par
\par
\pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par
\b0\fs20\par
\pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par
1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par
2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par
3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par
4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par
5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par
\b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par
T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par
\pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 5181A1BDCF739F54\par
M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par
\pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par
\pard\sa200\sl240\slmult1\fs28 dhW7jBJ0\cf0\f1\fs32\lang1049\par
\par
}
Emails
URLs
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files (x86)\Microsoft Office\Office14\Library\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Chess\de-DE\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Minesweeper\es-ES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\art\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre7\bin\dtplugin\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Protect\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Users\Public\Libraries\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jre7\lib\fonts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Microsoft Games\Hearts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Mozilla Firefox\browser\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3160 bcdedit.exe 3852 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 7 2824 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS ffaSuZcG64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" ffaSuZcG64.exe -
Executes dropped EXE 3 IoCs
pid Process 2892 NWy8kGmv.exe 2260 ffaSuZcG.exe 3880 ffaSuZcG64.exe -
Loads dropped DLL 4 IoCs
pid Process 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 1944 cmd.exe 2260 ffaSuZcG.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2024 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral9/files/0x00060000000174fc-2314.dat upx behavioral9/memory/2260-2547-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral9/memory/2260-10502-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 43 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G5DX35ZA\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P8PFHBEX\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QY1C4128\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2610426812-2871295383-373749122-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6ZEZX6DE\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Music\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Documents\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: ffaSuZcG64.exe File opened (read-only) \??\J: ffaSuZcG64.exe File opened (read-only) \??\P: ffaSuZcG64.exe File opened (read-only) \??\Z: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\S: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\I: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\Q: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\G: ffaSuZcG64.exe File opened (read-only) \??\W: ffaSuZcG64.exe File opened (read-only) \??\Q: ffaSuZcG64.exe File opened (read-only) \??\X: ffaSuZcG64.exe File opened (read-only) \??\W: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\E: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\B: ffaSuZcG64.exe File opened (read-only) \??\R: ffaSuZcG64.exe File opened (read-only) \??\X: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\U: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\K: ffaSuZcG64.exe File opened (read-only) \??\E: ffaSuZcG64.exe File opened (read-only) \??\U: ffaSuZcG64.exe File opened (read-only) \??\P: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\N: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\G: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\L: ffaSuZcG64.exe File opened (read-only) \??\V: ffaSuZcG64.exe File opened (read-only) \??\V: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\O: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\J: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\S: ffaSuZcG64.exe File opened (read-only) \??\Z: ffaSuZcG64.exe File opened (read-only) \??\T: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\M: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\H: ffaSuZcG64.exe File opened (read-only) \??\K: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\I: ffaSuZcG64.exe File opened (read-only) \??\M: ffaSuZcG64.exe File opened (read-only) \??\N: ffaSuZcG64.exe File opened (read-only) \??\O: ffaSuZcG64.exe File opened (read-only) \??\Y: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\R: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\L: 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened (read-only) \??\T: ffaSuZcG64.exe File opened (read-only) \??\Y: ffaSuZcG64.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\LQYJrNcW.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\BHOINTL.DLL 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00732_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7en.kic 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Module.thmx 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Riga 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\accessibility.properties 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\psmachine_64.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02465_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\bin\server\jvm.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105280.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01639_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\#FOX_README#.rtf 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2244 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2488 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2824 powershell.exe 3880 ffaSuZcG64.exe 3880 ffaSuZcG64.exe 3880 ffaSuZcG64.exe 3880 ffaSuZcG64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3880 ffaSuZcG64.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2824 powershell.exe Token: SeDebugPrivilege 3880 ffaSuZcG64.exe Token: SeLoadDriverPrivilege 3880 ffaSuZcG64.exe Token: SeBackupPrivilege 1040 vssvc.exe Token: SeRestorePrivilege 1040 vssvc.exe Token: SeAuditPrivilege 1040 vssvc.exe Token: SeIncreaseQuotaPrivilege 2380 WMIC.exe Token: SeSecurityPrivilege 2380 WMIC.exe Token: SeTakeOwnershipPrivilege 2380 WMIC.exe Token: SeLoadDriverPrivilege 2380 WMIC.exe Token: SeSystemProfilePrivilege 2380 WMIC.exe Token: SeSystemtimePrivilege 2380 WMIC.exe Token: SeProfSingleProcessPrivilege 2380 WMIC.exe Token: SeIncBasePriorityPrivilege 2380 WMIC.exe Token: SeCreatePagefilePrivilege 2380 WMIC.exe Token: SeBackupPrivilege 2380 WMIC.exe Token: SeRestorePrivilege 2380 WMIC.exe Token: SeShutdownPrivilege 2380 WMIC.exe Token: SeDebugPrivilege 2380 WMIC.exe Token: SeSystemEnvironmentPrivilege 2380 WMIC.exe Token: SeRemoteShutdownPrivilege 2380 WMIC.exe Token: SeUndockPrivilege 2380 WMIC.exe Token: SeManageVolumePrivilege 2380 WMIC.exe Token: 33 2380 WMIC.exe Token: 34 2380 WMIC.exe Token: 35 2380 WMIC.exe Token: SeIncreaseQuotaPrivilege 2380 WMIC.exe Token: SeSecurityPrivilege 2380 WMIC.exe Token: SeTakeOwnershipPrivilege 2380 WMIC.exe Token: SeLoadDriverPrivilege 2380 WMIC.exe Token: SeSystemProfilePrivilege 2380 WMIC.exe Token: SeSystemtimePrivilege 2380 WMIC.exe Token: SeProfSingleProcessPrivilege 2380 WMIC.exe Token: SeIncBasePriorityPrivilege 2380 WMIC.exe Token: SeCreatePagefilePrivilege 2380 WMIC.exe Token: SeBackupPrivilege 2380 WMIC.exe Token: SeRestorePrivilege 2380 WMIC.exe Token: SeShutdownPrivilege 2380 WMIC.exe Token: SeDebugPrivilege 2380 WMIC.exe Token: SeSystemEnvironmentPrivilege 2380 WMIC.exe Token: SeRemoteShutdownPrivilege 2380 WMIC.exe Token: SeUndockPrivilege 2380 WMIC.exe Token: SeManageVolumePrivilege 2380 WMIC.exe Token: 33 2380 WMIC.exe Token: 34 2380 WMIC.exe Token: 35 2380 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2024 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 1720 wrote to memory of 2024 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 1720 wrote to memory of 2024 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 1720 wrote to memory of 2024 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 29 PID 1720 wrote to memory of 2892 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 1720 wrote to memory of 2892 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 1720 wrote to memory of 2892 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 1720 wrote to memory of 2892 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 31 PID 1720 wrote to memory of 1640 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 1720 wrote to memory of 1640 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 1720 wrote to memory of 1640 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 1720 wrote to memory of 1640 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 33 PID 1640 wrote to memory of 2824 1640 cmd.exe 35 PID 1640 wrote to memory of 2824 1640 cmd.exe 35 PID 1640 wrote to memory of 2824 1640 cmd.exe 35 PID 1640 wrote to memory of 2824 1640 cmd.exe 35 PID 1720 wrote to memory of 2312 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 36 PID 1720 wrote to memory of 2312 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 36 PID 1720 wrote to memory of 2312 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 36 PID 1720 wrote to memory of 2312 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 36 PID 1720 wrote to memory of 2656 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 37 PID 1720 wrote to memory of 2656 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 37 PID 1720 wrote to memory of 2656 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 37 PID 1720 wrote to memory of 2656 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 37 PID 2312 wrote to memory of 2624 2312 cmd.exe 40 PID 2312 wrote to memory of 2624 2312 cmd.exe 40 PID 2312 wrote to memory of 2624 2312 cmd.exe 40 PID 2312 wrote to memory of 2624 2312 cmd.exe 40 PID 2312 wrote to memory of 2224 2312 cmd.exe 42 PID 2312 wrote to memory of 2224 2312 cmd.exe 42 PID 2312 wrote to memory of 2224 2312 cmd.exe 42 PID 2312 wrote to memory of 2224 2312 cmd.exe 42 PID 2656 wrote to memory of 1448 2656 cmd.exe 41 PID 2656 wrote to memory of 1448 2656 cmd.exe 41 PID 2656 wrote to memory of 1448 2656 cmd.exe 41 PID 2656 wrote to memory of 1448 2656 cmd.exe 41 PID 2312 wrote to memory of 1540 2312 cmd.exe 43 PID 2312 wrote to memory of 1540 2312 cmd.exe 43 PID 2312 wrote to memory of 1540 2312 cmd.exe 43 PID 2312 wrote to memory of 1540 2312 cmd.exe 43 PID 1720 wrote to memory of 1768 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 1720 wrote to memory of 1768 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 1720 wrote to memory of 1768 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 1720 wrote to memory of 1768 1720 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe 44 PID 1768 wrote to memory of 1588 1768 cmd.exe 46 PID 1768 wrote to memory of 1588 1768 cmd.exe 46 PID 1768 wrote to memory of 1588 1768 cmd.exe 46 PID 1768 wrote to memory of 1588 1768 cmd.exe 46 PID 1768 wrote to memory of 2272 1768 cmd.exe 47 PID 1768 wrote to memory of 2272 1768 cmd.exe 47 PID 1768 wrote to memory of 2272 1768 cmd.exe 47 PID 1768 wrote to memory of 2272 1768 cmd.exe 47 PID 1768 wrote to memory of 2024 1768 cmd.exe 49 PID 1768 wrote to memory of 2024 1768 cmd.exe 49 PID 1768 wrote to memory of 2024 1768 cmd.exe 49 PID 1768 wrote to memory of 2024 1768 cmd.exe 49 PID 1768 wrote to memory of 1944 1768 cmd.exe 50 PID 1768 wrote to memory of 1944 1768 cmd.exe 50 PID 1768 wrote to memory of 1944 1768 cmd.exe 50 PID 1768 wrote to memory of 1944 1768 cmd.exe 50 PID 1448 wrote to memory of 1488 1448 wscript.exe 51 PID 1448 wrote to memory of 1488 1448 wscript.exe 51 PID 1448 wrote to memory of 1488 1448 wscript.exe 51 PID 1448 wrote to memory of 1488 1448 wscript.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1588 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWy8kGmv.exe"2⤵PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWy8kGmv.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWy8kGmv.exe" -n2⤵
- Executes dropped EXE
PID:2892
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\BVaumgPF.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\LQYJrNcW.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\LQYJrNcW.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2624
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2224
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1540
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\N5ugo4Ap.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\N5ugo4Ap.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\aMMJNR22.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵PID:1488
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\aMMJNR22.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:2244
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:2084
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:2008
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\RGoVkDn0.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"3⤵
- Views/modifies file attributes
PID:1588
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf" /E /G Admin:F /C3⤵PID:2272
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf"3⤵
- Modifies file permissions
PID:2024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ffaSuZcG.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner3⤵
- Loads dropped DLL
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\ffaSuZcG.exeffaSuZcG.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\ffaSuZcG64.exeffaSuZcG.exe -accepteula "PDFSigQFormalRep.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9215738A-80EB-4850-AD46-290EAA1B40BB} S-1-5-21-2610426812-2871295383-373749122-1000:UEITMFAB\Admin:Interactive:[1]1⤵PID:3656
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\aMMJNR22.bat"2⤵PID:3900
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:2488
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:3160
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3852
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:3780
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD557ba17624eaef06762aa2e20299bffaa
SHA1d6d7c96915f38003d85679a25b048f5978883af1
SHA256f24eab91acf23bb9ceb7f48374192f789d22dd78ce16754ad1c22da284b82626
SHA51205f60db1d87b1bc6d50867d790cbc73af97a65345435e2e348e36d93ae6e0b1a87993d14102b9798de6fbc83b1a5d7e444ec70bbace0a01130b5b089c44fc1bc
-
Filesize
8KB
MD5824a657326fe69d26be6c5f426846610
SHA10e23186fe0f8593834a059f47f00c3a193f614aa
SHA2567633c97c4c930f7d6c7eaebd7f4882f4d2dea6b801240332dd2ca8bc9d404370
SHA512fb8723734df8202401b6243dcf61f71de192af28e43601ac9369d91b1f82c6fc4506c5630ef615271287c21a168bcb64ed40b93ad4c508e74000d3a8004474d7
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
Filesize
246B
MD5528851234f4b9caada5f2cf314c201b2
SHA18c99ee7b970d80b213da29fcf6b0bd9c0a603391
SHA2562590c30cc726b6a34ca94c89edd82647896d8c50dbb2e4e3a0be28323b61f2a4
SHA512d47e5a4b88b509ae0809aed99f0d4f4b3daa31912d28af33954bc51c577510c68d7e866a37c8a5fe76ca33d4916d29b3e7b483579111744172374e95fcd11dd6
-
Filesize
2KB
MD52af6c210b1a4401f7d57900ca2e29b34
SHA1b63131801516a843d08442a9aab64cd21b47e3dd
SHA2563425e9c62a0a6d521ad646a4466ad344a3ac10af5c25a625044c2ae5ac2815b9
SHA5123d509ec1778efbf9324350f73e71f281668e87d0c20ef048bdd393b9512c175b11a9ffdff7b59d0d30518b2a4e5beff3576cfde68ceacffd9524294ab35e845e
-
Filesize
36KB
MD52b912aacb5657572ced74fa4da587829
SHA1f666505f0be862f8750871a8768ae37f65bb3f1c
SHA2566fb5b70263f8ac94be6ade73e96ece92202f3eb151e3099e2a301a6f312fded7
SHA512407774473f21ee431fdca0a0fa9c60637912b7ddff3e1c6879ce588ce0620c830bfcb6b04f48ad0b6b46b924fb03c9e5b1237ac78d85095910a62522a81f4410
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
260B
MD55dcef8e16ac7b560b4733f4dda4095b8
SHA159eaac42631691c09a673dd4e36737f7b7cf11eb
SHA256fac19f5e9ea4e6a8303bfddd10c3b119ff6e7e87360c6ea70c904a3c8b583010
SHA51243097c79c379437fb06c9ea1e5825d8e1524be796beb7b8df3d83532b89f57bf02875902fcd5ef889924bf61c340b974be49ed40356fa4f0c4a1199c4e90bc6b
-
Filesize
265B
MD5b214b5561adddc5e1dfc56fd3fc68920
SHA1bb76397077e848e280bddc00b982c04738e84329
SHA2560c19646cae23657f4508e5b2e84e5c79ed4400a212b2e4651789b56629827267
SHA5129e34beb62c5dacbef10b4e85679dcf8b74d001ebcaac2b4b576de459e9718e61b9540bd2f67f72af5dc4bfcc971089c01c9e67e494080b94f50f41305b12c1cd
-
Filesize
1.2MB
MD51fa1b6d4b3ed867c1d4baffc77417611
SHA1afb5e385f9cc8910d7a970b6c32b8d79295579da
SHA25691d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
SHA5120600b92914a7489a6428b8e4217e5f24e1d149fc5807d86cc4de91b43be2470a1ddf77093c8732d4371a87fd163cc556e09d11a2c6655382a35a5f5741ae05a5
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6