38aad76353ccdf608dcad9510cdf169f167586eaa39bc3f8e4f22e7a0cb37bf0

General

Target

ioxyfx.bin.exe
Size

7.1MB
MD5

d5f9fa1a8dca5319432f51a5891f7794
SHA1

2a937328f5b99eccb9b8c13ed71d6ffb9dff4521
SHA256

18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055
SHA512

87013b63a9b153c5268784928394dfbf1eeff1b91eea6bdf187025e63d25c535e468e59a33f47d23682a386605bb314311e50a7edd1d6deb1b60f5008237a7d0

Score

8^/10

ransomware persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ioxyfx.bin.exe

pid process

1348 ioxyfx.bin.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

ioxyfx.bin.exe

description ioc process

File created C:\Users\Admin\Pictures\RestoreNew.crw.zhen ioxyfx.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\RestoreNew.crw.zhen	ioxyfx.bin.exe

Drops file in System32 directory 6 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 12028 IoCs

Processes:

ioxyfx.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6528_24x24x32.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-256.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-black.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_40x40x32.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Marathon_Unearned_small.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\WideTile.scale-125.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\MedTile.scale-125.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-125.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\SmallTile.scale-125.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\sadsmile.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-white_scale-200.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7739_20x20x32.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-200.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-100.png	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.zhen	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\lock.png.zhen	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30_altform-unplated.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_24x24x32.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-100.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js	ioxyfx.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.smile.small.scale-150.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\index.html	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\muscle.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gb_60x42.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-100.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ck_60x42.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-72.png.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabComing.png	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\ui-strings.js.zhen	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js.zhen	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\ui-strings.js.zhen	ioxyfx.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.zhen	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\lalala.png	ioxyfx.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\MedTile.scale-125.png	ioxyfx.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png.zhen	ioxyfx.bin.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

280 taskkill.exe
4028 taskkill.exe
2996 taskkill.exe
4024 taskkill.exe
3032 taskkill.exe
3768 taskkill.exe
3800 taskkill.exe

pid	process
280	taskkill.exe
4028	taskkill.exe
2996	taskkill.exe
4024	taskkill.exe
3032	taskkill.exe
3768	taskkill.exe
3800	taskkill.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,3462423,3702920,7168707,17110988,7153487,39965824,17962391,17962392,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617,41484365"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "00188002041058D0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUzMHTehVs2ui3xDZ0BSZ6MDJ92usOZgAAECXNUT7DQTfj2xpykkgT+y3gAOw/6xskH3wuGUUl4fgqtxvDjHWbsj4kL8EXntMgG5dXQN1uSe5NaTndWQZgmvCRqbX/O2Okvl7v4cYEyitI8GuMpHzCV1F0j99+BOdBhjKQd6xTq30ZP4BHlWd+46X1FxWTVQyZCetUtCmaHffBfKTByjl8ppxpyduOdLeY/6HmDSMIN3lUWAojoAE2pV0EmggIRfrWyuYhi1xdKlg47k1izUs5XXEAk080yGXfss9BoFtR3hIDk8IPOVnukOFxURvTYoLhsEr26pgr3BEdWQy8e8xqpvRzDM2ChMCceGNXGwE=&p="	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188002041058D0 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000003041732c160674e93f353059f2948d200000000020000000000106600000001000020000000109f1a18905aa1f94264434bf1b30a74d7adf018889d6393f360dc6026858e5b000000000e8000000002000020000000a25f6e5c4f1747aed116c29d091a822413ed36157b90a6b429346e2ff537bd9f80000000790c0add105ab01f8be64e6007182b56e6dabdbe4249b4c9356d30c78a79a8f571ff1be8288e27284b1b5099c46102fb1feb8c95ce2a5f2949bdab90a4a056485c4c2fdaf6c69a965dbee065ba4ef4e3315f3b8fdae76116a5e71711135d51c215c77f7b32273a386e15a2083735b3310b846cd06f80855b4b2646e70076f78b40000000a6ac76ddb8bd1187d239257ca8cb420fb8b67c85f18e5e36d4a64b27604060955e12a81904b2a79a3e45526543a327a1aa0acb6b79ff17a8bb8afb0c1bb7a032	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000003041732c160674e93f353059f2948d2000000000200000000001066000000010000200000007a49c538925368464d3b2d190bfff5186a19e959489841dc8931dfa90d204585000000000e80000000020000200000002f3a4adeb6b00b9aaf968af9e2dd56f73402da6531a17d38cd63ce89b90ac723f0030000c378aadcece48850a0672bbc5f80fa16b070668983cd884fe0fee6200a5e91648a3032cc9da0d9c4b78c618e843cfa7b9e11cfca3de41d9c48745cd1e5c8938abe471e8de94ae7b9b7d133a3005423cb19eabea2e007a0b5ac6a25a384f10f99584247197b7e809a95cd261f4d845b5b8d33cd609336ddeaecda64370f2670a2362c29dbb9451247f636db0528828e0318bc0146fd3887cf7701d0cd7a661f16a391176f8180c997c556080cc76e54a873857ed32ee27a85c37cc56ce5599b2c474ef5885a1e1a85fa9b2388a1ceb049a6c17c15cb200004360cf662a3b3a22fbc34b7ff203ef8fdf0a8564bf51de0d51585fc86dd4b60fe57a8fa3003104d2df86be1359a06500ed78ea004cc2394fb5b58917cea66a69f0da205843b3fdf59e68995b45f146af10744818a3e60b9499d0065d04e4744b71247f4a4a498d6135049af0b45a9b145d86ce66aadfb4cf94fad439278ed4cc8b99ea1b18a92bb006d01f3d646e62eeac54d166dbf116c66021c6ada5d57079d6c41ba79ee8bad67da6efcf7fffcb49c39716413f654012f5654b0056e33d8a443945384e02871cd0c053fc77dd90da6d82aecab1d0cae949a5c7375a259ac9b3515d6e440d241b7fea276d194b3d1a96028ca49f6c8188e39685aae1493407c1159669bb8120dcd2567fa11be123a39e5afbbbd7db1e14264e04a04c7967f4341dff056acdf9b353e57d3e6a91d6a7d2f2c431d99033675f8b0dbfc934b9da180dee243bc8a01d65fe2a97bea18341123d89be3e300bae4ccb0d2070458953a37efe9f0fe710502e68bad6a60964dd7a47a9a087dc4ee1ad28d1b5401dfef2ecb6b05c28dab34f5aa8bff1338138623633890ea4d4f467ce75e35b8a3f4e932d0a77b7eb46c5f9166ed66ebbfc51065a68596102585f30eafbd76de0e27a41647acb03cefec3aa3aaa5b9a006e34ffb8beda250bdaa4471b2d8e1de9f02269e261f872d998f89a11160d892cd0c0bf0f436119bca88050b5ab515e12f34355e6c9e176d1ced18ddbd5cbae6ecb4dc8b7a918e5bc07318fe87a7c52e05437363faae3fd4c3f45288ad003cae80c8ded7d916c2ff2df9e2662fb2ef17d64bff179c6475955651ea0cfe685c977724a5f93e1c4cb42f285cf545c81f4bcec5299e8e2cac2e736de85135a991593e55e041b66dbd826810d2ba7771752a021d8f22879fc69956111ae64fd83b1695903d9e2ef7114fcace29f9bbf39ee042994d94b9546fb36be3e3bb1fd6fe8fd900ebf06cec64c613ba087f922b019ca82d9cd53458d1e9e6af8e1cf058b997cf216fca1c01bbf91cd33508eb06f7c76d9e8129dc8a0b9629df0729293560ea9799babe7892dab9c1d65e711427f1951766563e926474573014a3b00d3678ec8717459ddc8771624a154c194000000026daf297429e8c7a047023be454251855a34b118d7705bd9e6a6734198f96da1cf9f0445e551554aab70f36846d5457a22cc485b660e2aa69e7a38e396a35361	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ioxyfx.bin.exe

pid	process
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1348	ioxyfx.bin.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

vssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ioxyfx.bin.exeioxyfx.bin.exeOfficeClickToRun.exe

pid process

2180 ioxyfx.bin.exe
1348 ioxyfx.bin.exe
1836 OfficeClickToRun.exe

pid	process
2180	ioxyfx.bin.exe
1348	ioxyfx.bin.exe
1836	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ioxyfx.bin.exeioxyfx.bin.exe

description	pid	process	target process
PID 2180 wrote to memory of 1348	2180	ioxyfx.bin.exe	ioxyfx.bin.exe
PID 2180 wrote to memory of 1348	2180	ioxyfx.bin.exe	ioxyfx.bin.exe
PID 2180 wrote to memory of 1348	2180	ioxyfx.bin.exe	ioxyfx.bin.exe
PID 1348 wrote to memory of 2996	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 2996	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 2996	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4024	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4024	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4024	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3032	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3032	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3032	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3768	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3768	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3768	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3800	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3800	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 3800	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 280	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 280	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 280	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4028	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4028	1348	ioxyfx.bin.exe	taskkill.exe
PID 1348 wrote to memory of 4028	1348	ioxyfx.bin.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\ioxyfx.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ioxyfx.bin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\ProgramData\ioxyfx.bin.exe
  C:\ProgramData\ioxyfx.bin.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM Microsoft*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM ora*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM tns*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM mysql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM sql*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM postgres*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4028

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ioxyfx.bin.exe

Download Submit
C:\ProgramData\ioxyfx.bin.exe

Download Submit
memory/280-12-0x0000000000000000-mapping.dmp

Download
memory/1348-2-0x0000000000000000-mapping.dmp

Download
memory/2996-7-0x0000000000000000-mapping.dmp

Download
memory/3032-9-0x0000000000000000-mapping.dmp

Download
memory/3768-10-0x0000000000000000-mapping.dmp

Download
memory/3800-11-0x0000000000000000-mapping.dmp

Download
memory/4024-8-0x0000000000000000-mapping.dmp

Download
memory/4028-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads