General

  • Target

    7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.bin

  • Size

    379KB

  • Sample

    220130-3k79aacbcp

  • MD5

    5a44e1d5691ec9395281123ea0bd501f

  • SHA1

    64566d5049479227d2eff3d983b127c0339974cd

  • SHA256

    7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9

  • SHA512

    55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_VGHUC.txt

Ransom Note
Hello, all your important files are encrypted and sensitive data leaked. To decrypt your files and avoid other unpleasant things you need to buy special decryption tool. Contact us via koxic@cock.li or koxic@protonmail.com and tell your UserID. This is the only way to decrypt your files and avoid public disclosure of data. Do not try to use third party software (it may corrupt your files). We respect black market rules. We can confirm the ability to decrypt your files (and of course the evidence of the leak). Send us several unimportant files (do not try to deceive us). Your UserID (send it to us for decryption
Emails

koxic@cock.li

koxic@protonmail.com

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt

Ransom Note
Hello, all your important files are encrypted and sensitive data leaked. To decrypt your files and avoid other unpleasant things you need to buy special decryption tool. Contact us via koxic@cock.li or koxic@protonmail.com and tell your UserID. This is the only way to decrypt your files and avoid public disclosure of data. Do not try to use third party software (it may corrupt your files). We respect black market rules. We can confirm the ability to decrypt your files (and of course the evidence of the leak). Send us several unimportant files (do not try to deceive us). Your UserID (send it to us for decryption
Emails

koxic@cock.li

koxic@protonmail.com

Targets

    • Target

      7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.bin

    • Size

      379KB

    • MD5

      5a44e1d5691ec9395281123ea0bd501f

    • SHA1

      64566d5049479227d2eff3d983b127c0339974cd

    • SHA256

      7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9

    • SHA512

      55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8

    • Koxic

      A ransomware family written in C++, first seen in late 2021.

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables taskbar notifications via registry modification

    • Windows security modification

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count  ID
  Execution        Command-Line Interface         1      T1059
  Persistence      Modify Existing Service        1      T1031
  Defense Evasion  Modify Registry                2      T1112
  Defense Evasion  Disabling Security Tools       2      T1089
  Defense Evasion  File Deletion                  2      T1107
  Discovery        System Information Discovery   1      T1082
  Impact           Inhibit System Recovery        2      T1490