Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25-07-2024 07:12

General

  • Target

    FoxRansomware/0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe

  • Size

    1.2MB

  • MD5

    607d292bdcdde297252e002e613282ae

  • SHA1

    0161d2dd582d064f7e7f50ccb43478ff0884916a

  • SHA256

    0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

  • SHA512

    2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

  • SSDEEP

    24576:J/SA+2lraRrjSJR5ezmT1dM9bB5slYQt2e8F/KpXcd:PXlOslYQt+5

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (ps1.dropper)

    http://myexternalip.com/raw

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\#ANN_README#.rtf

Ransom Note
Emails
URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

  • Matrix Ransomware 64 IoCs

    Targeted ransomware with information collection and encryption functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe
    "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe"
    1⤵
    • Matrix Ransomware
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWUnNYt8.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4520
    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWUnNYt8.exe
      "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWUnNYt8.exe" -n
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\RHax0tzX.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VhmQvgn4.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\VhmQvgn4.bmp" /f
        3⤵
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:6480
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:7328
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QfGEYNHK.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\wscript.exe
        wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\QfGEYNHK.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Tft0eRs0.bat" /sc minute /mo 5 /RL HIGHEST /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:7336
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\Tft0eRs0.bat" /sc minute /mo 5 /RL HIGHEST /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4452
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:7696
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /I /tn DSHCA
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\ZwgCRX8S.bat" "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -A -S "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:7344
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5948
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:7108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c JjJUR8ht.exe -accepteula "SmsInterceptStore.db" -nobanner
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JjJUR8ht.exe
          JjJUR8ht.exe -accepteula "SmsInterceptStore.db" -nobanner
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Users\Admin\AppData\Local\Temp\JjJUR8ht64.exe
            JjJUR8ht.exe -accepteula "SmsInterceptStore.db" -nobanner
            5⤵
            • Drops file in Drivers directory
            • Sets service image path in registry
            • Executes dropped EXE
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:6272
  • C:\Windows\SYSTEM32\cmd.exe
    C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Tft0eRs0.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:6672
    • C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:6972
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic SHADOWCOPY DELETE
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:6520
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:7072
    • C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:7548
    • C:\Windows\system32\schtasks.exe
      SCHTASKS /Delete /TN DSHCA /F
      2⤵
      PID:7576
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:7252

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\#ANN_README#.rtf

      Filesize

      8KB

      MD5

      aae39b0ba631162ec347199822643010

      SHA1

      0b75557a7d5537b6881d643f40c0e5f33edf05f8

      SHA256

      e3b3d04e78ea887451087ec1ec744ed24fe6bcea57022bf8528b642d3c15c7d2

      SHA512

      68292a206d3778dab4a7b31b8ec231cb42d4bb7de7a35eac442866307e1d5a4a92334f8c74de4a4fba829de6dd35604ea4caa7644d3c831272e42c2156cce22a

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      13a42ba5408120d272a1392c1a83e82b

      SHA1

      d2f3867d67d3891dc8a3294e1d1da7783beb763f

      SHA256

      67a8b3a49793e366721c85819deb8be5aaa331573f73e2c7ec61ea038bb28bab

      SHA512

      7dd52af6ef678d3b0902dc1f35cd1908f07c2f6f882dcc69ca76399c321c5a97a3906e29c11ab71db5736a3387573c7eda203a131d131ba6b29e7ba40ce9e411

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\JjJUR8ht.exe

      Filesize

      181KB

      MD5

      2f5b509929165fc13ceab9393c3b911d

      SHA1

      b016316132a6a277c5d8a4d7f3d6e2c769984052

      SHA256

      0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

      SHA512

      c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWUnNYt8.exe

      Filesize

      1.2MB

      MD5

      607d292bdcdde297252e002e613282ae

      SHA1

      0161d2dd582d064f7e7f50ccb43478ff0884916a

      SHA256

      0676816e9e450dea861a65a0b29f44179e1999f09a24e488ec6756528a5e6b65

      SHA512

      2bdc2ff857f9f52aac5071d3a695f7baf822a971969ba263ad03769c41af7916b558bada6bfe76fe78f730235a4ca5d2dd1cf3eaa2a59c5efef06af0a798acb8

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\RHax0tzX.txt

      Filesize

      15B

      MD5

      494436e38cfbff698c30e72dd63813e1

      SHA1

      1ed10def48a1622c8a75e9e197d6c600d617cf98

      SHA256

      705d6eb22b78adf67cc9ac523602bbe8c5cdd363c6d187a374a9387a1b98d355

      SHA512

      9309bb0a409cb106f998aac62d084dee577252ec8ceeeff928a0a2b262c444824085d7ae64fd96dcdb180401d02c3e527de43cd7c80969ea8d84518a21b27c05

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\ZwgCRX8S.bat

      Filesize

      246B

      MD5

      349e0603236fd78e59606440dffcaa5a

      SHA1

      f39717c75402953e481448f87b2f6fb1e2ff5f56

      SHA256

      437a91915c0eb7de4e30a86f259f80b6a62d1234871cd2a7ab1962377766016d

      SHA512

      15b12f713f1462005699c6dbce51c4fe0848e25611bc19708447ab5b44836997e57319abee95b5c6fa23b27e2a5420adf11bd54245ce3cc158dd5dc57df6ae45

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\bad_0C94E15EA725688F.txt

      Filesize

      14KB

      MD5

      b86a1a8e645c095045c59447ddd9648a

      SHA1

      de2cb2352e9d87b7d3ad0e6d15ad41dac91e659e

      SHA256

      4f2fde9c1de9961567831987362d1710bce2c783c02e15a41146b023a99bae68

      SHA512

      626af37e3af66c6049bba68b38d250222906a10ba354e509f438d048da2f3f1352735a2d21c0984b6710d4d680641e93d133e2b2ecb58e234a72703805d8a07f

    • C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_0C94E15EA725688F.txt

      Filesize

      61KB

      MD5

      771457d7af3acf81a2b3b8036f211135

      SHA1

      77721fb9fea6e5f5d1c57edf0494d179b6592d55

      SHA256

      3212293b2d2d6479179b1319f0f4a43db947d909a31c25909ae393522ccc5443

      SHA512

      fefcca98e4d349f538703e8c592aedab470952383863eb5f56008641339a384b75cc533cb7cdeae76c03e4706d3e8f326b212a84ecc35e25d9a39e9ab1d1e723

    • C:\Users\Admin\AppData\Local\Temp\JjJUR8ht64.exe

      Filesize

      221KB

      MD5

      3026bc2448763d5a9862d864b97288ff

      SHA1

      7d93a18713ece2e7b93e453739ffd7ad0c646e9e

      SHA256

      7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

      SHA512

      d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_weqjpxhi.tkg.ps1

      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • C:\Users\Admin\AppData\Roaming\QfGEYNHK.vbs

      Filesize

      260B

      MD5

      430b8878882a9ec31b78c82eb8ccfb83

      SHA1

      2cf39b29a6879a13e86e5f6eb6c57a714f0cfe66

      SHA256

      9b6db81e25760854fb32bd91e1152886876ff1704a9d65b6165cb408059c352c

      SHA512

      d4b5fb49f0fcda23141e6f245ea6f3ad07275f692ea26f3a6d2d89a734270d9c5d0770b575f674b976ae8f5c50acee1cf69c7a378f8548a047ce12ce62ddf110

    • C:\Users\Admin\AppData\Roaming\Tft0eRs0.bat

      Filesize

      265B

      MD5

      6b124179e454a2978e03761130cf16f2

      SHA1

      91935a24a2339bf4af13135c35f8624f695f5ecb

      SHA256

      92533c6217b5c6d907351c53e5d4bd1f0cfd6813b9c397c1d4a6e4155428ad19

      SHA512

      fddb4d7d1f5fceb6a92ba5dfa49deaae7ea4b4e9ad1a2cddaac06a0d0146d6a1a5d3de1c774334dea445eb9dcc1b97415c19b5ff1fb5234da9a7ffd9c434c0dd

    • C:\Users\Admin\Music\desktop.ini

      Filesize

      1KB

      MD5

      51a5866c9e71d8cdf8c03056eaf73815

      SHA1

      3675351ebd8d55de2c17599422a189a08fe40f64

      SHA256

      802353a13ef02d8557e637d1d8f211dafb8009e5b54d6d0ae84889cfce6a1579

      SHA512

      4c8d36d3f2fa0a9f3d8b1111151a357d2a016820edfacc721bab6d79e4efaff46ca95aef712221ea14f957176637a5c427b61c716ec74096c0cec95209bd1420

    • C:\Users\Admin\Pictures\desktop.ini

      Filesize

      1KB

      MD5

      bb34b32e439a56618bf917522ee94f32

      SHA1

      7c3360c3d24f9ed330cc5c030a97897d511dba74

      SHA256

      e31a7c7ddde21a776cf15b708c043e40dd40a95df33b0cb4907e86a1e04e675c

      SHA512

      230bdd2348ec6f1e863a2b13d10f66e9ef302944834428f9ae77492217f126c3252350e479a58559bd64fd81cd8eb2a154db44e372a3c6bec42478253c8acd96

    • C:\Users\Admin\Videos\desktop.ini

      Filesize

      1KB

      MD5

      ba07c45e501b5a38fdce445721ea05da

      SHA1

      18ff040a6413a5eb2cc079a65fe05171699bac2f

      SHA256

      090ed0a364d4defdf4263578fe894acfcd153a1f2c2f90148e1d039e1db5e220

      SHA512

      b7357c012c3c74aaab3b477477271b326e054ba9d5fb325ea5615226f4d847dd8d7647a683052f3cda415a0380436c382051c1b0233297b030d365ff7732c41d

    • memory/1544-9050-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

    • memory/1544-7615-0x0000000000400000-0x0000000000477000-memory.dmp

      Filesize

      476KB

    • memory/4416-9090-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4416-9048-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4416-7-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4416-7554-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4416-5066-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4416-13-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-5067-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-8-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-9182-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-9139-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-9118-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4728-9070-0x0000000000400000-0x000000000053F000-memory.dmp

      Filesize

      1.2MB

    • memory/4812-37-0x0000000009430000-0x000000000944A000-memory.dmp

      Filesize

      104KB

    • memory/4812-16-0x00000000075F0000-0x0000000007656000-memory.dmp

      Filesize

      408KB

    • memory/4812-18-0x0000000007FD0000-0x0000000008320000-memory.dmp

      Filesize

      3.3MB

    • memory/4812-15-0x0000000007550000-0x0000000007572000-memory.dmp

      Filesize

      136KB

    • memory/4812-36-0x0000000009C90000-0x000000000A308000-memory.dmp

      Filesize

      6.5MB

    • memory/4812-19-0x0000000007D10000-0x0000000007D2C000-memory.dmp

      Filesize

      112KB

    • memory/4812-17-0x0000000007E80000-0x0000000007EE6000-memory.dmp

      Filesize

      408KB

    • memory/4812-21-0x00000000085D0000-0x0000000008646000-memory.dmp

      Filesize

      472KB

    • memory/4812-11-0x0000000004B30000-0x0000000004B66000-memory.dmp

      Filesize

      216KB

    • memory/4812-12-0x0000000007670000-0x0000000007C98000-memory.dmp

      Filesize

      6.2MB

    • memory/4812-20-0x0000000008360000-0x00000000083AB000-memory.dmp

      Filesize

      300KB