koxic | 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to [email protected] 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 3CAAD560B9DD8BEA42D45863345B4FA3DFA1A4F158B1121D8B7364B60DEA6C28F64C2C3992975FFA26AE951BFA7EB56233C4A305A31F00909BD391B2569A841E77CB66EDF70C17F16631B154FC20D29BF2678AC751A5E6A2CF37ECA4E16B69C45FF1930E7DD73A17B284A9A64DFC64ADEB4D12D23A94FF5E2D57C4C923569CD9D15FD516EE37C068451B9A160C48A5AF452CBA532519BC6C27F1744BAF6D9A550AAB17B955BEC2AAF0B5DAD4DE192EE381087B8B18184F17A74F9BB3D735E026523B5AA1DBE35253A3637FDCC82E3B72643F539E73DD6DBE51A45FFA83E7A9A796463543D6850D860087F0E695DBDF7C6CB1011F4F0AC2A9BA26F0249D7696343082010A0282010100DF0C314434C1F9DC94B20FCB2448958BD49FD799BAFBAE622B3E4C6004DF9C47D5F6B817A80C8E1357E5352DADE7FD6AA10425BCB59594B06840486FA8861B0A5E1FC7E08DBB6A25D2074DEF5123BD6D7AAC7FA7A698BB93BC029B003F97F0840AC8387F75C8CE647F0AC559676F649321EEC5CFB47D5BA888130F90B051529EAAFB1E7BB1B49FA30EBDE6B06ABAFBB259DE780C8A2F540BDF0AD494501D1CC6A2864B601E47023C01A17B2D7D0251537F95C053B065A06C17A2B29EB4FB2D8DB15B6FCA52622BB136097BE9B1000F366AB73F81F83BD6C0F51391C37AE304F22B2DB861C95B42A1C12C371A4A547BFD3A5CA745EBC52E35538CC6CE493F2E31020301000194C3F43FF33E4E09FD6A544B8451758347574F4657

Emails

[email protected]

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExportStep.png => C:\Users\Admin\Pictures\ExportStep.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\ExportStep.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\EnterRestore.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tiff => C:\Users\Admin\Pictures\EnableAssert.tiff.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\WatchCheckpoint.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\SyncSave.crw => C:\Users\Admin\Pictures\SyncSave.crw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\RevokeResolve.raw => C:\Users\Admin\Pictures\RevokeResolve.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\SyncSave.crw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\EnterRestore.tiff => C:\Users\Admin\Pictures\EnterRestore.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\WatchCheckpoint.raw => C:\Users\Admin\Pictures\WatchCheckpoint.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\ConvertUnprotect.tif => C:\Users\Admin\Pictures\ConvertUnprotect.tif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\EnableAssert.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\FormatRemove.raw => C:\Users\Admin\Pictures\FormatRemove.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\FormatRemove.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertUnprotect.tif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeResolve.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\MountClear.raw => C:\Users\Admin\Pictures\MountClear.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\MountClear.raw.KOXIC_GWOFW	enc.exe

Deletes itself 1 IoCs

pid	Process
792	cmd.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00297_.WMF.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.KOXIC_GWOFW	enc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.KOXIC_GWOFW	enc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Windows Defender\en-US\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\PREVIEW.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV.KOXIC_GWOFW	enc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1960	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1860	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
560	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1056	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1592	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeBackupPrivilege	740	enc.exe
Token: SeRestorePrivilege	740	enc.exe
Token: SeManageVolumePrivilege	740	enc.exe
Token: SeTakeOwnershipPrivilege	740	enc.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1672	740	enc.exe	27
PID 740 wrote to memory of 1672	740	enc.exe	27
PID 740 wrote to memory of 1672	740	enc.exe	27
PID 740 wrote to memory of 1672	740	enc.exe	27
PID 1672 wrote to memory of 560	1672	cmd.exe	29
PID 1672 wrote to memory of 560	1672	cmd.exe	29
PID 1672 wrote to memory of 560	1672	cmd.exe	29
PID 1672 wrote to memory of 560	1672	cmd.exe	29
PID 740 wrote to memory of 1148	740	enc.exe	31
PID 740 wrote to memory of 1148	740	enc.exe	31
PID 740 wrote to memory of 1148	740	enc.exe	31
PID 740 wrote to memory of 1148	740	enc.exe	31
PID 1148 wrote to memory of 1860	1148	cmd.exe	33
PID 1148 wrote to memory of 1860	1148	cmd.exe	33
PID 1148 wrote to memory of 1860	1148	cmd.exe	33
PID 1148 wrote to memory of 1860	1148	cmd.exe	33
PID 740 wrote to memory of 1848	740	enc.exe	35
PID 740 wrote to memory of 1848	740	enc.exe	35
PID 740 wrote to memory of 1848	740	enc.exe	35
PID 740 wrote to memory of 1848	740	enc.exe	35
PID 740 wrote to memory of 1648	740	enc.exe	37
PID 740 wrote to memory of 1648	740	enc.exe	37
PID 740 wrote to memory of 1648	740	enc.exe	37
PID 740 wrote to memory of 1648	740	enc.exe	37
PID 1648 wrote to memory of 1212	1648	cmd.exe	39
PID 1648 wrote to memory of 1212	1648	cmd.exe	39
PID 1648 wrote to memory of 1212	1648	cmd.exe	39
PID 1648 wrote to memory of 1212	1648	cmd.exe	39
PID 740 wrote to memory of 1820	740	enc.exe	40
PID 740 wrote to memory of 1820	740	enc.exe	40
PID 740 wrote to memory of 1820	740	enc.exe	40
PID 740 wrote to memory of 1820	740	enc.exe	40
PID 740 wrote to memory of 1956	740	enc.exe	42
PID 740 wrote to memory of 1956	740	enc.exe	42
PID 740 wrote to memory of 1956	740	enc.exe	42
PID 740 wrote to memory of 1956	740	enc.exe	42
PID 1956 wrote to memory of 988	1956	cmd.exe	44
PID 1956 wrote to memory of 988	1956	cmd.exe	44
PID 1956 wrote to memory of 988	1956	cmd.exe	44
PID 1956 wrote to memory of 988	1956	cmd.exe	44
PID 740 wrote to memory of 1036	740	enc.exe	45
PID 740 wrote to memory of 1036	740	enc.exe	45
PID 740 wrote to memory of 1036	740	enc.exe	45
PID 740 wrote to memory of 1036	740	enc.exe	45
PID 740 wrote to memory of 1324	740	enc.exe	47
PID 740 wrote to memory of 1324	740	enc.exe	47
PID 740 wrote to memory of 1324	740	enc.exe	47
PID 740 wrote to memory of 1324	740	enc.exe	47
PID 1324 wrote to memory of 288	1324	cmd.exe	49
PID 1324 wrote to memory of 288	1324	cmd.exe	49
PID 1324 wrote to memory of 288	1324	cmd.exe	49
PID 1324 wrote to memory of 288	1324	cmd.exe	49
PID 740 wrote to memory of 1952	740	enc.exe	50
PID 740 wrote to memory of 1952	740	enc.exe	50
PID 740 wrote to memory of 1952	740	enc.exe	50
PID 740 wrote to memory of 1952	740	enc.exe	50
PID 740 wrote to memory of 316	740	enc.exe	52
PID 740 wrote to memory of 316	740	enc.exe	52
PID 740 wrote to memory of 316	740	enc.exe	52
PID 740 wrote to memory of 316	740	enc.exe	52
PID 316 wrote to memory of 1944	316	cmd.exe	54
PID 316 wrote to memory of 1944	316	cmd.exe	54
PID 316 wrote to memory of 1944	316	cmd.exe	54
PID 316 wrote to memory of 1944	316	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\JDABUAUCS"
  2⤵
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\JDABUAUCS"
  2⤵
  PID:268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  2⤵
  - Deletes itself
  PID:792
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads