Overview

overview

10

Static

static

ioxyfx.dat.exe

windows7_x64

10

ioxyfx.dat.exe

windows10_x64

10

Resubmissions

20-09-2020 09:53

200920-9rh6v6y6ga 10

20-09-2020 09:09

200920-94a3wvdaln 10

20-09-2020 07:26

200920-gyqrj2hcqj 10

20-09-2020 07:11

200920-xak2q5j4ha 10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    20-09-2020 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ioxyfx.dat.exe

  • Size

    7.1MB

  • MD5

    d5f9fa1a8dca5319432f51a5891f7794

  • SHA1

    2a937328f5b99eccb9b8c13ed71d6ffb9dff4521

  • SHA256

    18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

  • SHA512

    87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0

Score
10/10
spywareransomwarediscoveryexploitpersistencezhenevasion

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Zhen Ransomware

    First seen in September 2020. Drops ransomnote as .ini file.

    ransomwarezhen
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Loads dropped DLL 13 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 3932 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 81 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe
    "C:\Users\Admin\AppData\Local\Temp\ioxyfx.dat.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\ProgramData\ioxyfx.dat.exe
      C:\ProgramData\ioxyfx.dat.exe
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Loads dropped DLL
      • Adds Run key to start application
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:224
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM ora*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM tns*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM mysql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:428
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM postgres*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\SysWOW64\takeown.exe
        "C:\Windows\System32\takeown.exe" /F C:\Windows\Web\Wallpaper\Windows\img0.jpg
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" C:\Windows\Web\Wallpaper\Windows\img0.jpg /grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1780
      • C:\Program Files\Windows Defender\mpcmdrun.exe
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        3⤵
        • Deletes Windows Defender Definitions
        PID:1472
      • C:\ProgramData\x64.exe
        C:\ProgramData\x64.exe 04298718c4ed4c0a282605560f30b8f0::72a50cf6d7d1042c8b2514f9768fa499 cfad00e8748eaea::7e9372bd97ed3aec6 25427320e7f946c9::7c3a5807a37a26a9 39d6c0440ea63b::33854dce8ddd35e877 exit
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1048 -s 556
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

1
T1089

File Permissions Modification

1
T1222

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads