koxic | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9

Analysis

max time kernel
137s
max time network
158s
platform
windows10_x64
resource
win10-en-20211208
submitted
30-01-2022 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Size

379KB
MD5

5a44e1d5691ec9395281123ea0bd501f
SHA1

64566d5049479227d2eff3d983b127c0339974cd
SHA256

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9
SHA512

55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt

Ransom Note

Hello, all your important files are encrypted and sensitive data leaked. To decrypt your files and avoid other unpleasant things you need to buy special decryption tool. Contact us via [email protected] or [email protected] and tell your UserID. This is the only way to decrypt your files and avoid publi? disclosure of data . Do not try to use third party software (it may corrupt your files). We respect black market rules. We can confirm the ability to decrypt your files (and of course the evidence of the leak ), Send us several unimportant files (do not try to deceive us). Your UserID (send it to us for decryption): 2AD7DD888D6514F5D319045EDC7B8F080A23A192B1170665FB6D3DC23A984A9566360840A3B4272AE4698E903D89C81D94111B1623723CE4E27D7A21AFE9B1E061675D09C287BDAF42FB1190BCF2EF96359D78F4358EF600200577B7514C49C255B344E6386B9F730231A195F3B5F6A335E5ADAD46F0A74433AADA6D58CD72F8774574B970D12CD04292C4D9556A39158963C834AB28B58AE43364F9BE6A1409DECA5132AFF6B8FC76A000479F1413E4AE2CE53B71EEDF60697A5157556EDBCE7D3A990E3F43FD39C6BD655DAE8D4B7722B92FE6A881E407DB05571875EB66BD6251F4C3DA6458164301708A9D46FF2BF164570D657B73495526A94884EB15463082010A0282010100BC1B0639F36CA2C5CC202A706AE7F2F7CC47FEE93FF57C16EDE5EE5A0DBDDF106E04F1D2586162A4DB3E4D71CC52F77803EEDAB64D8A7CBA78662642889F5F69FE8B4D368895A9DE54CED962031800E5A882E9CF0C8BBB80F93BB93E3A24D4A03AECCB64F8D24041CEFC7204C7EAFD79B9D123616D41A83A1EB9F3DDAC679474E178A9F1A79AAB1AC2E385DADCCDDB62445AAEC65230A02657379306F70324A1B668B17F2F105082FB3CAC1DFB0BE102BC0C4F3183A42D65BBE92C4DCF91586FE97E67BA46228C8514CD43D7157F374487FC3733D9D679CA58256DAB89469F2E1F8C9E3197D0E2D9CB9AA2CA8A63FEA0C8399A1E30DBE7902BFAA7D093FA73A30203010001DC43F80F875F6C9CE81B93705319B8CD49484C434C

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Drops file in Program Files directory 64 IoCs

Processes:

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_hu.jar.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\_Resources\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Livetiles\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-US\doc_offline_getconnected.xml	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxManifest.xml	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBeNullOrEmpty.snippets.ps1xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psm1.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Pyramid\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxManifest.xml	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\WANNA_RECOVER_KOXIC_FILEZ_IHLCL.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.KOXIC_IHLCL	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2168 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1112 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1092 taskkill.exe

pid	process
2168	ipconfig.exe

pid	process
1112	vssadmin.exe

pid	process
1092	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

pid	process
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exe7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeBackupPrivilege	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeRestorePrivilege	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeManageVolumePrivilege	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeTakeOwnershipPrivilege	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2168	WMIC.exe
Token: SeSecurityPrivilege	2168	WMIC.exe
Token: SeTakeOwnershipPrivilege	2168	WMIC.exe
Token: SeLoadDriverPrivilege	2168	WMIC.exe
Token: SeSystemProfilePrivilege	2168	WMIC.exe
Token: SeSystemtimePrivilege	2168	WMIC.exe
Token: SeProfSingleProcessPrivilege	2168	WMIC.exe
Token: SeIncBasePriorityPrivilege	2168	WMIC.exe
Token: SeCreatePagefilePrivilege	2168	WMIC.exe
Token: SeBackupPrivilege	2168	WMIC.exe
Token: SeRestorePrivilege	2168	WMIC.exe
Token: SeShutdownPrivilege	2168	WMIC.exe
Token: SeDebugPrivilege	2168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2168	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2416 wrote to memory of 3700	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3700	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3700	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 3700 wrote to memory of 1092	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 1092	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 1092	3700	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 4080	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 4080	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 4080	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	vssadmin.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	vssadmin.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	vssadmin.exe
PID 2416 wrote to memory of 376	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 376	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 376	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 748	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 748	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 748	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 748 wrote to memory of 1564	748	cmd.exe	WMIC.exe
PID 748 wrote to memory of 1564	748	cmd.exe	WMIC.exe
PID 748 wrote to memory of 1564	748	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 2528	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2356	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2356	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2356	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2356 wrote to memory of 2168	2356	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 2168	2356	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 2168	2356	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 4084	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 4084	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 4084	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3160	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3160	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3160	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 3160 wrote to memory of 3060	3160	cmd.exe	WMIC.exe
PID 3160 wrote to memory of 3060	3160	cmd.exe	WMIC.exe
PID 3160 wrote to memory of 3060	3160	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 3128	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3128	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3128	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2984	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2984	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 2984	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2984 wrote to memory of 2076	2984	cmd.exe	WMIC.exe
PID 2984 wrote to memory of 2076	2984	cmd.exe	WMIC.exe
PID 2984 wrote to memory of 2076	2984	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 3684	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3684	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3684	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3308	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3308	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 3308	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 3308 wrote to memory of 2184	3308	cmd.exe	WMIC.exe
PID 3308 wrote to memory of 2184	3308	cmd.exe	WMIC.exe
PID 3308 wrote to memory of 2184	3308	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 980	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 980	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 980	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 1172	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 1172	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 2416 wrote to memory of 1172	2416	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	cmd.exe
PID 1172 wrote to memory of 812	1172	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
"C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
1⤵
- Windows security modification
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\KLHWARDQM"
  2⤵
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\KLHWARDQM"
  2⤵
  PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\KLHWARDQM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\KLHWARDQM"
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\KLHWARDQM"
  2⤵
  PID:1412
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\KLHWARDQM"
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\KLHWARDQM"
  2⤵
  PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
fe1f5baac0c9c57e000f0b6893756a21

SHA1
9c10748ecaa3905c40c902add707423d73d4ae09

SHA256
6cb0bdecbb75635586f36934b07f790081f4379be12afc40336f8728eebfd9d7

SHA512
b5ebe05e180b70f59a2ead7a901a469259bfed7f422222b6948ad5303951ea053fb4871f4f27f1709145e9e796c40480eb37fba85fa7aea3756fdb6450f8c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
fe1f5baac0c9c57e000f0b6893756a21

SHA1
9c10748ecaa3905c40c902add707423d73d4ae09

SHA256
6cb0bdecbb75635586f36934b07f790081f4379be12afc40336f8728eebfd9d7

SHA512
b5ebe05e180b70f59a2ead7a901a469259bfed7f422222b6948ad5303951ea053fb4871f4f27f1709145e9e796c40480eb37fba85fa7aea3756fdb6450f8c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
9f1031d3d358291f8aa365cdabc62caa

SHA1
0461c9a737817d42067f5501285287fc31a75829

SHA256
47a6222d9263aa5d15140456277b69988f90faec312cca62697c00a6a4f6a179

SHA512
15b33a0a4ae931c0f2046b05184b7a49bada17ed888d50ef2beb67ec67b2ceb6d4d6f63f2f242b88fd4e8f9f97db73b6ef3e92fdf9dc0cf278fdcc9fb8df6dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
e5063f8c24b17f86f75e7210e31d4ae4

SHA1
92c47a085bf46e0fa8f5c374ce21b6839c9c9bbd

SHA256
cbe64f5f0dc7b2098137d2cf11a535bbfc9806eb94f7289955e1ac5e7db358df

SHA512
eefff9a7f2a1867bd8f38680b08c45b7300b7f60586c55c621004b7baaf61d5662230a2afaf1d51acee165f617952b6c2ff55f7449841ae6af64be37092a7005

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
93c7ae0227551011328bc4648319179b

SHA1
a620b943781e770bcbd8227b3a5f42a6f3c9d2bd

SHA256
6462b607e94f6b4f9ad589dcf5ebaf7c3b3ef03d6abb64b50a5b65ad71e3d76b

SHA512
09a340bef8c227c65b6c04913f1a860983feddb242f69c2804bde0e1cddc019f73341df818bf826e353f4ed6cc917be5dd38bbd257306e41553867de0d7af80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
93c7ae0227551011328bc4648319179b

SHA1
a620b943781e770bcbd8227b3a5f42a6f3c9d2bd

SHA256
6462b607e94f6b4f9ad589dcf5ebaf7c3b3ef03d6abb64b50a5b65ad71e3d76b

SHA512
09a340bef8c227c65b6c04913f1a860983feddb242f69c2804bde0e1cddc019f73341df818bf826e353f4ed6cc917be5dd38bbd257306e41553867de0d7af80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
a0a88df4c48842adea84cccc90096623

SHA1
d6468dc7c58564910627748a0a8bfe945efeef26

SHA256
f1c220d8509e4945278b01d69d6040c12e378c8c19bf97602fef26c9257f9700

SHA512
1cbd92826c43f61710dc6932a80f9bfd6b06a3a1df72a18196e120a216da740fb6459c0b93ebd82fce562e16582e6889a46a6fb0dc3660931bd80999db994377

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
a0a88df4c48842adea84cccc90096623

SHA1
d6468dc7c58564910627748a0a8bfe945efeef26

SHA256
f1c220d8509e4945278b01d69d6040c12e378c8c19bf97602fef26c9257f9700

SHA512
1cbd92826c43f61710dc6932a80f9bfd6b06a3a1df72a18196e120a216da740fb6459c0b93ebd82fce562e16582e6889a46a6fb0dc3660931bd80999db994377

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
76298b8d34293a5ba79a1f6050f15241

SHA1
36bb00dbb59392a3b579e27a7b82fae7302283df

SHA256
8b50b42f423b09c3b11c163256aae5833b1c96ef2cc5f0a6784d083fb9b5986b

SHA512
b10f3c99cb08b403aab06dde5244fbc5f58207ecffe049d6f726e53ee8f8c41f2c3d3ba653e6de338d6f43cb48d82c62437c39b90c546350ad97ca22aed5c036

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
76298b8d34293a5ba79a1f6050f15241

SHA1
36bb00dbb59392a3b579e27a7b82fae7302283df

SHA256
8b50b42f423b09c3b11c163256aae5833b1c96ef2cc5f0a6784d083fb9b5986b

SHA512
b10f3c99cb08b403aab06dde5244fbc5f58207ecffe049d6f726e53ee8f8c41f2c3d3ba653e6de338d6f43cb48d82c62437c39b90c546350ad97ca22aed5c036

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
3c8ee9258b7a594eba87d9da62e283ec

SHA1
61b429b00d56d9b5aaa29a643f251e2b57d11ab9

SHA256
cce9d3ce333bff07624eedd279905733ec8f3b49f37ce7fb4737296cdf8b076c

SHA512
6e5f40ee7f497a62db44c987ed4cbd781f6a8380b5cbcbc5329780be052f97af1c38a9703e95640aef146cd20458ccef74d0aee0695f63ae1a2b1836f9aebae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLHWARDQM

MD5
11b2a3521b0fae7efc1f3507daf469a8

SHA1
ee140068d7c16aa6eef2000c06cb72f224eecc10

SHA256
0d08ccde9bfed1346858f6232c1ce13edc618bcb0f9a42024092a61fa3b0ba8c

SHA512
c5ada6c488aad0c6e3ce95dfefe8fc6f440640e816bf8843cc62b4fb28c5acb5851ee96b0ff3ab5fb2738da98c1d461e5c952b06f2fe152ee1255aad20c0574a

Download Submit