zhen | 18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

Target

ioxyfx.dat.exe
Size

7.1MB
MD5

d5f9fa1a8dca5319432f51a5891f7794
SHA1

2a937328f5b99eccb9b8c13ed71d6ffb9dff4521
SHA256

18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055
SHA512

87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0

Score

10^/10

zhen discovery evasion exploit persistence pyinstaller ransomware spyware

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
220	mpcmdrun.exe

Zhen Executable 6 IoCs

resource	yara_rule
behavioral1/files/0x00040000000131b9-2.dat	family_zhen
behavioral1/files/0x00040000000131b9-3.dat	family_zhen
behavioral1/files/0x00040000000131b9-5.dat	family_zhen
behavioral1/files/0x00040000000131b9-8.dat	family_zhen
behavioral1/files/0x00040000000131b9-9.dat	family_zhen
behavioral1/files/0x00040000000131b9-17.dat	family_zhen

Zhen Ransomware
First seen in September 2020. Drops ransomnote as .ini file.
ransomware zhen

Executes dropped EXE 2 IoCs

pid	Process
1616	ioxyfx.dat.exe
208	x64.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\GetUpdate.png.zhen	ioxyfx.dat.exe
File created	C:\Users\Admin\Pictures\HideEdit.png.zhen	ioxyfx.dat.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1928	icacls.exe
548	takeown.exe

Loads dropped DLL 13 IoCs

pid	Process
1240	ioxyfx.dat.exe
1240	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
548	takeown.exe
1928	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSUGJN = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TSUGJN = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui"	ioxyfx.dat.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN092.XML	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS.zhen	ioxyfx.dat.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\ONENOTEIRM.XML.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN081.XML.zhen	ioxyfx.dat.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\SKY\THMBNAIL.PNG	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGZIPC.XML.zhen	ioxyfx.dat.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\Pitchbook.potx.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\ARCTIC\THMBNAIL.PNG.zhen	ioxyfx.dat.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\BlackTieResume.dotx.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\UrbanResume.Dotx	ioxyfx.dat.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG	ioxyfx.dat.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip.zhen	ioxyfx.dat.exe
File created	C:\Program Files\VideoLAN\VLC\AUTHORS.txt.zhen	ioxyfx.dat.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	ioxyfx.dat.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\WPGIMP32.FLT	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL087.XML.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	ioxyfx.dat.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	ioxyfx.dat.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml.zhen	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	ioxyfx.dat.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Discussion.css	ioxyfx.dat.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png.zhen	ioxyfx.dat.exe
File created	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SECURE.CFG.zhen	ioxyfx.dat.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Windows\img0.jpg	ioxyfx.dat.exe

Detects Pyinstaller 6 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00040000000131b9-2.dat	pyinstaller
behavioral1/files/0x00040000000131b9-3.dat	pyinstaller
behavioral1/files/0x00040000000131b9-5.dat	pyinstaller
behavioral1/files/0x00040000000131b9-8.dat	pyinstaller
behavioral1/files/0x00040000000131b9-9.dat	pyinstaller
behavioral1/files/0x00040000000131b9-17.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	208	WerFault.exe	54

Kills process with taskkill 7 IoCs

evasion

pid	Process
1136	taskkill.exe
208	taskkill.exe
224	taskkill.exe
2024	taskkill.exe
1732	taskkill.exe
1644	taskkill.exe
1332	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\TileWallpaper = "0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\WallpaperStyle = "10"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\OriginalWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\ConvertedWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallpaperStyle = "10"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\TSUGJN = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "10"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\TileWallpaper = "0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\OriginalWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\ConvertedWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\TileWallpaper = "0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WallpaperStyle = "10"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\TSUGJN = "\"C:\\ProgramData\\ioxyfx.dat.exe\" -ui"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\OriginalWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\OriginalWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ConvertedWallpaper = "C:\\ProgramData\\1.bmp"	ioxyfx.dat.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	ioxyfx.dat.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\ProgramData\\MSWINSCK.OCX"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\ProgramData\\MSWINSCK.OCX, 1"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ioxyfx.dat.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	ioxyfx.dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ioxyfx.dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	ioxyfx.dat.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
1616	ioxyfx.dat.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe
208	x64.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeDebugPrivilege	208	x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1240	ioxyfx.dat.exe
1616	ioxyfx.dat.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1616	1240	ioxyfx.dat.exe	25
PID 1240 wrote to memory of 1616	1240	ioxyfx.dat.exe	25
PID 1240 wrote to memory of 1616	1240	ioxyfx.dat.exe	25
PID 1240 wrote to memory of 1616	1240	ioxyfx.dat.exe	25
PID 1616 wrote to memory of 1136	1616	ioxyfx.dat.exe	33
PID 1616 wrote to memory of 1136	1616	ioxyfx.dat.exe	33
PID 1616 wrote to memory of 1136	1616	ioxyfx.dat.exe	33
PID 1616 wrote to memory of 1136	1616	ioxyfx.dat.exe	33
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	35
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	35
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	35
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	35
PID 1616 wrote to memory of 224	1616	ioxyfx.dat.exe	36
PID 1616 wrote to memory of 224	1616	ioxyfx.dat.exe	36
PID 1616 wrote to memory of 224	1616	ioxyfx.dat.exe	36
PID 1616 wrote to memory of 224	1616	ioxyfx.dat.exe	36
PID 1616 wrote to memory of 2024	1616	ioxyfx.dat.exe	39
PID 1616 wrote to memory of 2024	1616	ioxyfx.dat.exe	39
PID 1616 wrote to memory of 2024	1616	ioxyfx.dat.exe	39
PID 1616 wrote to memory of 2024	1616	ioxyfx.dat.exe	39
PID 1616 wrote to memory of 1732	1616	ioxyfx.dat.exe	41
PID 1616 wrote to memory of 1732	1616	ioxyfx.dat.exe	41
PID 1616 wrote to memory of 1732	1616	ioxyfx.dat.exe	41
PID 1616 wrote to memory of 1732	1616	ioxyfx.dat.exe	41
PID 1616 wrote to memory of 1644	1616	ioxyfx.dat.exe	43
PID 1616 wrote to memory of 1644	1616	ioxyfx.dat.exe	43
PID 1616 wrote to memory of 1644	1616	ioxyfx.dat.exe	43
PID 1616 wrote to memory of 1644	1616	ioxyfx.dat.exe	43
PID 1616 wrote to memory of 1332	1616	ioxyfx.dat.exe	44
PID 1616 wrote to memory of 1332	1616	ioxyfx.dat.exe	44
PID 1616 wrote to memory of 1332	1616	ioxyfx.dat.exe	44
PID 1616 wrote to memory of 1332	1616	ioxyfx.dat.exe	44
PID 1616 wrote to memory of 548	1616	ioxyfx.dat.exe	48
PID 1616 wrote to memory of 548	1616	ioxyfx.dat.exe	48
PID 1616 wrote to memory of 548	1616	ioxyfx.dat.exe	48
PID 1616 wrote to memory of 548	1616	ioxyfx.dat.exe	48
PID 1616 wrote to memory of 1928	1616	ioxyfx.dat.exe	50
PID 1616 wrote to memory of 1928	1616	ioxyfx.dat.exe	50
PID 1616 wrote to memory of 1928	1616	ioxyfx.dat.exe	50
PID 1616 wrote to memory of 1928	1616	ioxyfx.dat.exe	50
PID 1616 wrote to memory of 220	1616	ioxyfx.dat.exe	52
PID 1616 wrote to memory of 220	1616	ioxyfx.dat.exe	52
PID 1616 wrote to memory of 220	1616	ioxyfx.dat.exe	52
PID 1616 wrote to memory of 220	1616	ioxyfx.dat.exe	52
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	54
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	54
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	54
PID 1616 wrote to memory of 208	1616	ioxyfx.dat.exe	54
PID 208 wrote to memory of 2016	208	x64.exe	56
PID 208 wrote to memory of 2016	208	x64.exe	56
PID 208 wrote to memory of 2016	208	x64.exe	56

C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe
"C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\ProgramData\ioxyfx.dat.exe
  C:\ProgramData\ioxyfx.dat.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Loads dropped DLL
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM ora*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM tns*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM postgres*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\System32\takeown.exe" /F C:\Windows\Web\Wallpaper\Windows\img0.jpg
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" C:\Windows\Web\Wallpaper\Windows\img0.jpg /grant Users:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1928
- - C:\Program Files\Windows Defender\mpcmdrun.exe
    "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
    3⤵
    - Deletes Windows Defender Definitions
    PID:220
- - C:\ProgramData\x64.exe
    C:\ProgramData\x64.exe 04298718c4ed4c0a282605560f30b8f0::72a50cf6d7d1042c8b2514f9768fa499 cfad00e8748eaea::7e9372bd97ed3aec6 25427320e7f946c9::7c3a5807a37a26a9 39d6c0440ea63b::33854dce8ddd35e877 exit
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 208 -s 556
      4⤵
      Loads dropped DLL
      Program crash
      PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-29-0x0000000001E40000-0x0000000001E51000-memory.dmp

Filesize
68KB

Download
memory/2016-34-0x0000000002580000-0x0000000002591000-memory.dmp

Filesize
68KB

Download