699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
66s
max time network
54s
platform
windows7_x64
resource
win7-en-20211208
submitted
15/01/2022, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\Cookies\Low\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to [email protected] 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 7A7483EFBB230F1AF454DEFDC275DC3B28FDECC31A7D792C4F07654230DC20BAE917723011722D886EC84F1818076A81378EEAE6D9682D4804DD8C6EB9D1965733AF86DCB04D35A1A436F36C327447D4FBC9E9CE2B6B19FD05DA2B92E8516738CFDF5D080D140AE5FB327884AD4850EDD7CCEBEF732CA5621A7EE333611666EE6A7D0A37DD55CAD80F0A45B88735AB2B59AB454E1F8E1B0707914EDE3478FC8FCFECB76547B5953F5850A8791C8CC2129F8270D0CE48092A1010997BC8932F7EAF24C9C48517931876520793F1C4B62A0465F36C50F4887B72829967D400C72B65EA4F9A2D1C35CB0D0AF6455EAD9F143C004E1FD1C316A46A50EA375BA8F33F3082010A0282010100CA0884DA183B3DF185C2154577450CD2AE596CC0C6C5D7F737898A1FCE3277AE34E010BB7E01AED9B87BDFB547BA9D2E9DE35918554C842C0678ACA42E3E9898E2269DB72B40056D3E7D3880B52FBA530EBE0492D54798EC0FFF65AF359BEC5B25661A560B28AA20F3F123B2AA687B0B751B4B8812202753DC9FB9B3A52B5C87CB9F0532AB5A11D70EFAA9D3796455DAF2D475FF31CB28FD6167418A5EA271E6E6B2C894D61DEF64DB3A64DD466866DBC5DA38F0CE565D773380A982D59810B50A35F85057B9678CFE0F5A7B7B0E492F09AB17EA14D74155443847A34558FC32935CC167B77B11208C4D2BC278F54DABC2989490D6D3686DA728DC64994D3A390203010001CCD38E2B9F45AFD06FF32FC77EF180DA4A45574C44

Emails

[email protected]

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
940	cmd.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE04050_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.KOXIC_JEWLD	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00882_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.KOXIC_JEWLD	enc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui.KOXIC_JEWLD	enc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1048	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
860	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
520	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.apiC:\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1552	notepad.exe
1832	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1800	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: SeBackupPrivilege	952	enc.exe
Token: SeRestorePrivilege	952	enc.exe
Token: SeManageVolumePrivilege	952	enc.exe
Token: SeTakeOwnershipPrivilege	952	enc.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1912	WMIC.exe
Token: SeSecurityPrivilege	1912	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	WMIC.exe
Token: SeLoadDriverPrivilege	1912	WMIC.exe
Token: SeSystemProfilePrivilege	1912	WMIC.exe
Token: SeSystemtimePrivilege	1912	WMIC.exe
Token: SeProfSingleProcessPrivilege	1912	WMIC.exe
Token: SeIncBasePriorityPrivilege	1912	WMIC.exe
Token: SeCreatePagefilePrivilege	1912	WMIC.exe
Token: SeBackupPrivilege	1912	WMIC.exe
Token: SeRestorePrivilege	1912	WMIC.exe
Token: SeShutdownPrivilege	1912	WMIC.exe
Token: SeDebugPrivilege	1912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1912	WMIC.exe
Token: SeRemoteShutdownPrivilege	1912	WMIC.exe
Token: SeUndockPrivilege	1912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 948	952	enc.exe	27
PID 952 wrote to memory of 948	952	enc.exe	27
PID 952 wrote to memory of 948	952	enc.exe	27
PID 952 wrote to memory of 948	952	enc.exe	27
PID 948 wrote to memory of 520	948	cmd.exe	29
PID 948 wrote to memory of 520	948	cmd.exe	29
PID 948 wrote to memory of 520	948	cmd.exe	29
PID 948 wrote to memory of 520	948	cmd.exe	29
PID 952 wrote to memory of 564	952	enc.exe	31
PID 952 wrote to memory of 564	952	enc.exe	31
PID 952 wrote to memory of 564	952	enc.exe	31
PID 952 wrote to memory of 564	952	enc.exe	31
PID 564 wrote to memory of 860	564	cmd.exe	33
PID 564 wrote to memory of 860	564	cmd.exe	33
PID 564 wrote to memory of 860	564	cmd.exe	33
PID 564 wrote to memory of 860	564	cmd.exe	33
PID 952 wrote to memory of 1176	952	enc.exe	35
PID 952 wrote to memory of 1176	952	enc.exe	35
PID 952 wrote to memory of 1176	952	enc.exe	35
PID 952 wrote to memory of 1176	952	enc.exe	35
PID 952 wrote to memory of 2044	952	enc.exe	37
PID 952 wrote to memory of 2044	952	enc.exe	37
PID 952 wrote to memory of 2044	952	enc.exe	37
PID 952 wrote to memory of 2044	952	enc.exe	37
PID 2044 wrote to memory of 2040	2044	cmd.exe	39
PID 2044 wrote to memory of 2040	2044	cmd.exe	39
PID 2044 wrote to memory of 2040	2044	cmd.exe	39
PID 2044 wrote to memory of 2040	2044	cmd.exe	39
PID 952 wrote to memory of 1800	952	enc.exe	40
PID 952 wrote to memory of 1800	952	enc.exe	40
PID 952 wrote to memory of 1800	952	enc.exe	40
PID 952 wrote to memory of 1800	952	enc.exe	40
PID 952 wrote to memory of 972	952	enc.exe	42
PID 952 wrote to memory of 972	952	enc.exe	42
PID 952 wrote to memory of 972	952	enc.exe	42
PID 952 wrote to memory of 972	952	enc.exe	42
PID 972 wrote to memory of 1912	972	cmd.exe	44
PID 972 wrote to memory of 1912	972	cmd.exe	44
PID 972 wrote to memory of 1912	972	cmd.exe	44
PID 972 wrote to memory of 1912	972	cmd.exe	44
PID 952 wrote to memory of 1064	952	enc.exe	45
PID 952 wrote to memory of 1064	952	enc.exe	45
PID 952 wrote to memory of 1064	952	enc.exe	45
PID 952 wrote to memory of 1064	952	enc.exe	45
PID 952 wrote to memory of 2008	952	enc.exe	47
PID 952 wrote to memory of 2008	952	enc.exe	47
PID 952 wrote to memory of 2008	952	enc.exe	47
PID 952 wrote to memory of 2008	952	enc.exe	47
PID 2008 wrote to memory of 1964	2008	cmd.exe	49
PID 2008 wrote to memory of 1964	2008	cmd.exe	49
PID 2008 wrote to memory of 1964	2008	cmd.exe	49
PID 2008 wrote to memory of 1964	2008	cmd.exe	49
PID 952 wrote to memory of 1612	952	enc.exe	50
PID 952 wrote to memory of 1612	952	enc.exe	50
PID 952 wrote to memory of 1612	952	enc.exe	50
PID 952 wrote to memory of 1612	952	enc.exe	50
PID 952 wrote to memory of 1112	952	enc.exe	52
PID 952 wrote to memory of 1112	952	enc.exe	52
PID 952 wrote to memory of 1112	952	enc.exe	52
PID 952 wrote to memory of 1112	952	enc.exe	52
PID 1112 wrote to memory of 1580	1112	cmd.exe	54
PID 1112 wrote to memory of 1580	1112	cmd.exe	54
PID 1112 wrote to memory of 1580	1112	cmd.exe	54
PID 1112 wrote to memory of 1580	1112	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Windows security modification
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\NTNNFVAWI"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\NTNNFVAWI"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\NTNNFVAWI"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\NTNNFVAWI"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\NTNNFVAWI"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:576
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:916
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\NTNNFVAWI"
  2⤵
  PID:1936
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  2⤵
  - Deletes itself
  PID:940
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact