Analysis
- max time kernel: 66s
- max time network: 54s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-01-2022 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: enc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: enc.exe
- Resource: win10v2004-en-20220113
General
- Target: enc.exe
- Size: 156KB
- MD5: 14ee62fcc9163509856671400429ad55
- SHA1: 7544332b52769ca853d900669ef5e272a2ae1665
- SHA256: 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
- SHA512: 4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff
Malware Config
Extracted
C:\Documents and Settings\Admin\Cookies\Low\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
wilhelmkox@tutanota.com
https://tox.chat/download.html
https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables taskbar notifications via registry modification
- Deletes itself (1 IoCs)
  Processes:
  - cmd.exe (pid 940)
- Windows security modification
  Processes: enc.exe (description / ioc / process)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" (enc.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration (enc.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1" (enc.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features (enc.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0" (enc.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet (enc.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1" (enc.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0" (enc.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: enc.exe (description / ioc / process)
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.KOXIC_JEWLD
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE04050_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.KOXIC_JEWLD
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.KOXIC_JEWLD
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.KOXIC_JEWLD
  - File created: C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00882_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.KOXIC_JEWLD
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Common Files\System\ado\msado20.tlb.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\DVD Maker\audiodepthconverter.ax.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jre7\lib\security\blacklist.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Merida.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.KOXIC_JEWLD
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF.KOXIC_JEWLD
  - File opened for modification: C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui.KOXIC_JEWLD
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  - ipconfig.exe (pid 1048)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - vssadmin.exe (pid 860)
- Kills process with taskkill (1 IoCs)
  Processes:
  - taskkill.exe (pid 520)
- NTFS ADS (1 IoCs)
  Processes: enc.exe (description / ioc / process)
  - File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.apiC:\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt (enc.exe)
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes:
  - notepad.exe (pid 1552)
  - NOTEPAD.EXE (pid 1832)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), grouped by process in the order logged:
  - taskkill.exe (pid 520): Token: SeDebugPrivilege
  - vssvc.exe (pid 1820): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - enc.exe (pid 952): Token: SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege
  - WMIC.exe (pid 2040), the following sequence logged twice: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - WMIC.exe (pid 1912): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process); each entry was logged 4 times:
  - PID 952 (enc.exe) wrote to memory of 948 (cmd.exe)
  - PID 948 (cmd.exe) wrote to memory of 520 (taskkill.exe)
  - PID 952 (enc.exe) wrote to memory of 564 (cmd.exe)
  - PID 564 (cmd.exe) wrote to memory of 860 (vssadmin.exe)
  - PID 952 (enc.exe) wrote to memory of 1176 (cmd.exe)
  - PID 952 (enc.exe) wrote to memory of 2044 (cmd.exe)
  - PID 2044 (cmd.exe) wrote to memory of 2040 (WMIC.exe)
  - PID 952 (enc.exe) wrote to memory of 1800 (cmd.exe)
  - PID 952 (enc.exe) wrote to memory of 972 (cmd.exe)
  - PID 972 (cmd.exe) wrote to memory of 1912 (WMIC.exe)
  - PID 952 (enc.exe) wrote to memory of 1064 (cmd.exe)
  - PID 952 (enc.exe) wrote to memory of 2008 (cmd.exe)
  - PID 2008 (cmd.exe) wrote to memory of 1964 (WMIC.exe)
  - PID 952 (enc.exe) wrote to memory of 1612 (cmd.exe)
  - PID 952 (enc.exe) wrote to memory of 1112 (cmd.exe)
  - PID 1112 (cmd.exe) wrote to memory of 1580 (WMIC.exe)
Processes
(process tree; each node gives the image path, its command line, and the signatures attached to it; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\enc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  Signatures: Windows security modification; Drops file in Program Files directory; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM MSASCuiL.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo OS INFO: > %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\NTNNFVAWI"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic OS get Caption,CSDVersion,OSArchitecture,Version
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo BIOS INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\NTNNFVAWI"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo CPU INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\NTNNFVAWI"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\NTNNFVAWI"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic MEMPHYSICAL get MaxCapacity
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\NTNNFVAWI"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo NIC INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\NTNNFVAWI"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic NIC get Description, MACAddress, NetEnabled, Speed
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo DISKDRIVE INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\NTNNFVAWI"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic DISKDRIVE get InterfaceType, Name, Size, Status
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo USERACCOUNT INFO: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\NTNNFVAWI"
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo IPCONFIG: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "ipconfig >> %TEMP%\NTNNFVAWI"
    - C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig
      Signatures: Gathers network information
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo DATABASES FILES: >> %TEMP%\NTNNFVAWI"
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
    Signatures: Opens file in notepad (likely ransom note)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
    Signatures: Deletes itself
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e5e9a3387c8b9b00285476ce23f70238
  SHA1: cb7da250ddf0c84c03c8f2d7a96af35977c300ed
  SHA256: 9698cf6cdb8c1a9055230dfade39e9ee0652b553ba026e83f83787d6fc193e89
  SHA512: 5b94f33ab753f30b2beb5d5ff725bff467ff57811425dd9a3f73db046eb4f8fcbc856cd90b4cfcdeccc90372195fa5d1fcea702ecd7f2ecdce331ba6943861e4
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e5e9a3387c8b9b00285476ce23f70238
  SHA1: cb7da250ddf0c84c03c8f2d7a96af35977c300ed
  SHA256: 9698cf6cdb8c1a9055230dfade39e9ee0652b553ba026e83f83787d6fc193e89
  SHA512: 5b94f33ab753f30b2beb5d5ff725bff467ff57811425dd9a3f73db046eb4f8fcbc856cd90b4cfcdeccc90372195fa5d1fcea702ecd7f2ecdce331ba6943861e4
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: b59995780f2fc96f4b8c1816ada0da48
  SHA1: 107a7a63addbfae2ebd90562a5daad5d5c2ee294
  SHA256: 6193f83543908470f2c3d184c559113b24038905b7b315d010f6a98f18f421b6
  SHA512: 0f7ee84e313362fa57294651cfe1965a5fc830a93dd2aaf9a4cd4639014319b1c4f40120b36c694cf3b34d2d2082f421da731c6019166031724266a12f25e363
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e51f5e8dab0dc1694b49e64a63307a66
  SHA1: f20971ab59bdfb11707e0f145a0866f8ea256356
  SHA256: 85c22e208c80c3e20bda78fd418ff563ee786d68f3719e6784aeb93eaaa38854
  SHA512: 8501e473e57ca8c964b0c20cbabdd5278274aaca50d2f578a352eb3e7f761b756edd6916bc62dc9157161b237dd0bac3aa1905a89e40efed925646a8814f25fe
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 887ae0db192785398c154a027c858317
  SHA1: 9e1258a3444e7f54d4a2b23bec0c020d67f285b6
  SHA256: 9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5
  SHA512: 65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e6403f25d17fafd94d88dab8d559f954
  SHA1: e17199a85b3f639f7e4958f66a6d11aea472f737
  SHA256: 4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4
  SHA512: 0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e6403f25d17fafd94d88dab8d559f954
  SHA1: e17199a85b3f639f7e4958f66a6d11aea472f737
  SHA256: 4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4
  SHA512: 0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 87cf292058eb08c907e2129e15100ed2
  SHA1: 0533d6387da50f84333707ac6a4165a9e46e6f17
  SHA256: 3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532
  SHA512: 1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 87cf292058eb08c907e2129e15100ed2
  SHA1: 0533d6387da50f84333707ac6a4165a9e46e6f17
  SHA256: 3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532
  SHA512: 1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 0f2e565e7cd9df67ed466c68285c92f8
  SHA1: dac129b57aab5a16b0490fbdaa2bf13d451a7941
  SHA256: cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490
  SHA512: c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 0f2e565e7cd9df67ed466c68285c92f8
  SHA1: dac129b57aab5a16b0490fbdaa2bf13d451a7941
  SHA256: cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490
  SHA512: c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: a28aec31cbd38485181a7079419aa66b
  SHA1: 94aa44c58417a4195fe786679b1feb793e69d135
  SHA256: 8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad
  SHA512: 3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: a28aec31cbd38485181a7079419aa66b
  SHA1: 94aa44c58417a4195fe786679b1feb793e69d135
  SHA256: 8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad
  SHA512: 3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 7f4ef85a6ca9054885e55a4185aa3d23
  SHA1: 7691ddefe6f344b335beca9d79657c9c52785050
  SHA256: f85c1ee56d5d04e677ae8dfbdf9deb8111a1007f30218a1a2bc0806847c82422
  SHA512: a77d1e2aac9711ec873714964b4933057d7a092b591321173e249bf770e22e8f7926179374a6161baa0c92e6cc3ff5846292cd55a58af9d8b8b0bfbff589fe36
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 84fc9373ea5f54c4ed110d319224d35e
  SHA1: 431978d9a749a7ca3812f73997b8400c2af3be79
  SHA256: f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e
  SHA512: 4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: f5e6a7e5b545d3992410a229bd5a673c
  SHA1: 01d9a711d64aeef514131a680b641ef878c7e6f6
  SHA256: 4453eda2d3e1d286ff5ef8e429fb5e8d5d2fde33483a9a732269192c2630ffbe
  SHA512: bc829ef60ec9fedc8442bef19c391d877ea3d33dbcc9be8d2d12696f482eadd81794f456b0776e3b1d78cd67482b389202b600e3b639aa72a7a73ed0fc05429c
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: f5e6a7e5b545d3992410a229bd5a673c
  SHA1: 01d9a711d64aeef514131a680b641ef878c7e6f6
  SHA256: 4453eda2d3e1d286ff5ef8e429fb5e8d5d2fde33483a9a732269192c2630ffbe
  SHA512: bc829ef60ec9fedc8442bef19c391d877ea3d33dbcc9be8d2d12696f482eadd81794f456b0776e3b1d78cd67482b389202b600e3b639aa72a7a73ed0fc05429c
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: 8777218f7fa6d1abc647e4c1ec1e15aa
  SHA1: 0fc95c851b83a0facdf5d3ca7ebce8c64d619558
  SHA256: 5d89c95e905478727637e3a54a3eb03acbb775b0ed306b8c55f1e51fbd3c20f5
  SHA512: 7fb0530e5d22f02b6af0ad0f9cf64dda5d35a4c523ae000805103efb9c22515cc3aaabc388c1589ffded324157612d675bed0678f93931534b5bf77402016271
- C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
  MD5: e8184159f8122495035adbe865f48acc
  SHA1: 60d64f750dfb7d0870eea5b679a3ce2acca05aed
  SHA256: cb706b49ab3c92ac8e571d9d3089802991570262003356fec979a54b2a87e4e4
  SHA512: 612ec0297a756e7f6bf70561ada2c1b223119dce1451f66eaa5495d8a35b701f602af991bed25f1982a802333e8bb3da38e5fa3e8b4635e7d978d317e3203de0
- C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  MD5: 713c96a1a987aae2cdbab30cb6181817
  SHA1: 4fc34abe161d90159605b10c0f838fa0789a7c69
  SHA256: f39847e43b3453b2799ea13380287d882b145734efc0ef17e316b855ffa40d59
  SHA512: 193df4c2609a0c2129d12519aa695c12d1dd6217623b25c7c8368bfb130cd6979720d07466952cfada81d16bd033b449fcaa18ce6a2449a65fdae5f6ab387bdd
- C:\Users\Public\Desktop\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  MD5: 713c96a1a987aae2cdbab30cb6181817
  SHA1: 4fc34abe161d90159605b10c0f838fa0789a7c69
  SHA256: f39847e43b3453b2799ea13380287d882b145734efc0ef17e316b855ffa40d59
  SHA512: 193df4c2609a0c2129d12519aa695c12d1dd6217623b25c7c8368bfb130cd6979720d07466952cfada81d16bd033b449fcaa18ce6a2449a65fdae5f6ab387bdd
- memory/520-57-0x0000000000000000-mapping.dmp
- memory/564-58-0x0000000000000000-mapping.dmp
- memory/576-81-0x0000000000000000-mapping.dmp
- memory/860-59-0x0000000000000000-mapping.dmp
- memory/916-86-0x0000000000000000-mapping.dmp
- memory/940-112-0x0000000000000000-mapping.dmp
- memory/948-83-0x0000000000000000-mapping.dmp
- memory/948-56-0x0000000000000000-mapping.dmp
- memory/952-55-0x0000000076B81000-0x0000000076B83000-memory.dmp (Filesize: 8KB)
- memory/972-66-0x0000000000000000-mapping.dmp
- memory/1048-103-0x0000000000000000-mapping.dmp
- memory/1056-88-0x0000000000000000-mapping.dmp
- memory/1064-69-0x0000000000000000-mapping.dmp
- memory/1112-76-0x0000000000000000-mapping.dmp
- memory/1144-89-0x0000000000000000-mapping.dmp
- memory/1176-60-0x0000000000000000-mapping.dmp
- memory/1184-98-0x0000000000000000-mapping.dmp
- memory/1448-91-0x0000000000000000-mapping.dmp
- memory/1492-84-0x0000000000000000-mapping.dmp
- memory/1552-111-0x0000000000000000-mapping.dmp
- memory/1580-78-0x0000000000000000-mapping.dmp
- memory/1608-79-0x0000000000000000-mapping.dmp
- memory/1612-74-0x0000000000000000-mapping.dmp
- memory/1624-93-0x0000000000000000-mapping.dmp
- memory/1636-107-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp (Filesize: 8KB)
- memory/1728-94-0x0000000000000000-mapping.dmp
- memory/1800-64-0x0000000000000000-mapping.dmp
- memory/1800-114-0x0000000000000000-mapping.dmp
- memory/1912-68-0x0000000000000000-mapping.dmp
- memory/1912-96-0x0000000000000000-mapping.dmp
- memory/1936-105-0x0000000000000000-mapping.dmp
- memory/1964-73-0x0000000000000000-mapping.dmp
- memory/1964-101-0x0000000000000000-mapping.dmp
- memory/1992-99-0x0000000000000000-mapping.dmp
- memory/2008-71-0x0000000000000000-mapping.dmp
- memory/2040-63-0x0000000000000000-mapping.dmp
- memory/2044-61-0x0000000000000000-mapping.dmp