koxic | d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Size

158KB
MD5

3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1

0ebf10867534cb472bb98344f80e3a8aac0aa507
SHA256

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA512

e4486c33fc7bf99700fabec50ead10a6159758603d50eabe650436098a977b8c9dc728d0e8dbc3e3718393a7ba67cca8ea2799ef83e9194f178f04ae9784473e
SSDEEP

3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt

Ransom Note

--=== Hello ===--- [+] Whats Happen? [+] Your sensitive information and data were downloaded. Your files are encrypted, and currently unavailable just so you can contact us faster. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] We are not interested in distributing information, we are interested in agreeing with you - these are your guarantees. Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] Just write us an email to [email protected] [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 24EADD82FBA2824EC1E638D92FE04653ED363AE7D9FC8D3C673E8D9E657F6D71A8011B534CFD9845E9 163EA8E62A04A7D87B84E84546B09EF384B2C6210882525247297BC989CD9A4E93C477084813F63F3D F5326526278E008AC844BD659929602AF573C52FF57BBB62A0F88BB679154612C9FC356CC8E6253D72 245C6AEA287C927556A4E880D091770C67BEACE735890DE54093BD8DFFBFEDB773B2DCCF536C9D2432 AA66926A3E79782BA405EB886F584CD2D9DDABB776442103E9E725824AA7F6AF77C6875C356D3A5B32 11BB1304CA4F95D04238A7FB438EACF69B5A0DCA06548C4AECB6F026A9A9CD7AF2CFCEBCD4EBEA6E29 25750CB3005A015FB6753082010A0282010100CE39DEC3B9DD61546019BCA3781B87905A41F7407C46 A232683D7400B05CCCC1562359C75FAA4206E474A72FE09CFD941E46F98DDB0CE54831891C4D87EAE4 20E801E1808F44E2F2D47F36347ADC1DE40870880BDEF8DE39C5A34988E428F1418323F5AD0DD13EEC EA343FC4444E4AC72BA7C577D0E0276A0E8709B32BBC74F7ACC25B46DCDACED80394B993D8A37961D0 9219EB7A7A19F63AD0BD3646EC3BD06BCA1FDCCBEEE7C6F45EF302E904119B62AD20A0025BE39EF101 443E15B012F1653261F9595335E0D147AC7EA29D4003E475F94C454806B9215CFE6DD2E18DAB35DE61 6679C689587D3058A48F47776ACE67347CBB67EBC1A2D8984D968FA3410203010001727ED086BA52EE B1C02A228802F9D1A14B41544843

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Drops file in Program Files directory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\PREVIEW.GIF.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\meta-index.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview.png.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.KOXIC_KATHC	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exe

pid	Process
4520	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4644	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
3732	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3236	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exed2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeBackupPrivilege	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeRestorePrivilege	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeManageVolumePrivilege	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeTakeOwnershipPrivilege	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeIncreaseQuotaPrivilege	1296	WMIC.exe
Token: SeSecurityPrivilege	1296	WMIC.exe
Token: SeTakeOwnershipPrivilege	1296	WMIC.exe
Token: SeLoadDriverPrivilege	1296	WMIC.exe
Token: SeSystemProfilePrivilege	1296	WMIC.exe
Token: SeSystemtimePrivilege	1296	WMIC.exe
Token: SeProfSingleProcessPrivilege	1296	WMIC.exe
Token: SeIncBasePriorityPrivilege	1296	WMIC.exe
Token: SeCreatePagefilePrivilege	1296	WMIC.exe
Token: SeBackupPrivilege	1296	WMIC.exe
Token: SeRestorePrivilege	1296	WMIC.exe
Token: SeShutdownPrivilege	1296	WMIC.exe
Token: SeDebugPrivilege	1296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1296	WMIC.exe
Token: SeRemoteShutdownPrivilege	1296	WMIC.exe
Token: SeUndockPrivilege	1296	WMIC.exe
Token: SeManageVolumePrivilege	1296	WMIC.exe
Token: 33	1296	WMIC.exe
Token: 34	1296	WMIC.exe
Token: 35	1296	WMIC.exe
Token: 36	1296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1296	WMIC.exe
Token: SeSecurityPrivilege	1296	WMIC.exe
Token: SeTakeOwnershipPrivilege	1296	WMIC.exe
Token: SeLoadDriverPrivilege	1296	WMIC.exe
Token: SeSystemProfilePrivilege	1296	WMIC.exe
Token: SeSystemtimePrivilege	1296	WMIC.exe
Token: SeProfSingleProcessPrivilege	1296	WMIC.exe
Token: SeIncBasePriorityPrivilege	1296	WMIC.exe
Token: SeCreatePagefilePrivilege	1296	WMIC.exe
Token: SeBackupPrivilege	1296	WMIC.exe
Token: SeRestorePrivilege	1296	WMIC.exe
Token: SeShutdownPrivilege	1296	WMIC.exe
Token: SeDebugPrivilege	1296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1296	WMIC.exe
Token: SeRemoteShutdownPrivilege	1296	WMIC.exe
Token: SeUndockPrivilege	1296	WMIC.exe
Token: SeManageVolumePrivilege	1296	WMIC.exe
Token: 33	1296	WMIC.exe
Token: 34	1296	WMIC.exe
Token: 35	1296	WMIC.exe
Token: 36	1296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3764	WMIC.exe
Token: SeSecurityPrivilege	3764	WMIC.exe
Token: SeTakeOwnershipPrivilege	3764	WMIC.exe
Token: SeLoadDriverPrivilege	3764	WMIC.exe
Token: SeSystemProfilePrivilege	3764	WMIC.exe
Token: SeSystemtimePrivilege	3764	WMIC.exe
Token: SeProfSingleProcessPrivilege	3764	WMIC.exe
Token: SeIncBasePriorityPrivilege	3764	WMIC.exe
Token: SeCreatePagefilePrivilege	3764	WMIC.exe
Token: SeBackupPrivilege	3764	WMIC.exe
Token: SeRestorePrivilege	3764	WMIC.exe
Token: SeShutdownPrivilege	3764	WMIC.exe
Token: SeDebugPrivilege	3764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3764	WMIC.exe
Token: SeRemoteShutdownPrivilege	3764	WMIC.exe
Token: SeUndockPrivilege	3764	WMIC.exe
Token: SeManageVolumePrivilege	3764	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 4172 wrote to memory of 5048	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	81
PID 4172 wrote to memory of 5048	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	81
PID 4172 wrote to memory of 5048	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	81
PID 5048 wrote to memory of 4644	5048	cmd.exe	84
PID 5048 wrote to memory of 4644	5048	cmd.exe	84
PID 5048 wrote to memory of 4644	5048	cmd.exe	84
PID 4172 wrote to memory of 2816	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	85
PID 4172 wrote to memory of 2816	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	85
PID 4172 wrote to memory of 2816	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	85
PID 4172 wrote to memory of 3428	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	87
PID 4172 wrote to memory of 3428	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	87
PID 4172 wrote to memory of 3428	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	87
PID 4172 wrote to memory of 896	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	89
PID 4172 wrote to memory of 896	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	89
PID 4172 wrote to memory of 896	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	89
PID 896 wrote to memory of 1296	896	cmd.exe	91
PID 896 wrote to memory of 1296	896	cmd.exe	91
PID 896 wrote to memory of 1296	896	cmd.exe	91
PID 4172 wrote to memory of 4564	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	92
PID 4172 wrote to memory of 4564	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	92
PID 4172 wrote to memory of 4564	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	92
PID 4172 wrote to memory of 3892	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	94
PID 4172 wrote to memory of 3892	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	94
PID 4172 wrote to memory of 3892	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	94
PID 3892 wrote to memory of 3764	3892	cmd.exe	96
PID 3892 wrote to memory of 3764	3892	cmd.exe	96
PID 3892 wrote to memory of 3764	3892	cmd.exe	96
PID 4172 wrote to memory of 344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	97
PID 4172 wrote to memory of 344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	97
PID 4172 wrote to memory of 344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	97
PID 4172 wrote to memory of 4496	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	99
PID 4172 wrote to memory of 4496	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	99
PID 4172 wrote to memory of 4496	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	99
PID 4496 wrote to memory of 4620	4496	cmd.exe	101
PID 4496 wrote to memory of 4620	4496	cmd.exe	101
PID 4496 wrote to memory of 4620	4496	cmd.exe	101
PID 4172 wrote to memory of 1352	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	102
PID 4172 wrote to memory of 1352	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	102
PID 4172 wrote to memory of 1352	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	102
PID 4172 wrote to memory of 3344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	104
PID 4172 wrote to memory of 3344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	104
PID 4172 wrote to memory of 3344	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	104
PID 3344 wrote to memory of 2104	3344	cmd.exe	106
PID 3344 wrote to memory of 2104	3344	cmd.exe	106
PID 3344 wrote to memory of 2104	3344	cmd.exe	106
PID 4172 wrote to memory of 4100	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	107
PID 4172 wrote to memory of 4100	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	107
PID 4172 wrote to memory of 4100	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	107
PID 4172 wrote to memory of 4532	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	109
PID 4172 wrote to memory of 4532	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	109
PID 4172 wrote to memory of 4532	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	109
PID 4532 wrote to memory of 3852	4532	cmd.exe	111
PID 4532 wrote to memory of 3852	4532	cmd.exe	111
PID 4532 wrote to memory of 3852	4532	cmd.exe	111
PID 4172 wrote to memory of 64	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	112
PID 4172 wrote to memory of 64	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	112
PID 4172 wrote to memory of 64	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	112
PID 4172 wrote to memory of 5000	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	114
PID 4172 wrote to memory of 5000	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	114
PID 4172 wrote to memory of 5000	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	114
PID 5000 wrote to memory of 4584	5000	cmd.exe	116
PID 5000 wrote to memory of 4584	5000	cmd.exe	116
PID 5000 wrote to memory of 4584	5000	cmd.exe	116
PID 4172 wrote to memory of 2324	4172	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	117

C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
"C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\CPRELGBPU"
  2⤵
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\CPRELGBPU"
  2⤵
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:64
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\CPRELGBPU"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\CPRELGBPU"
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\CPRELGBPU"
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\CPRELGBPU"
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\CPRELGBPU"
  2⤵
  PID:1212
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
f4b09ff7e0b9d684242f02f3bfc973d2

SHA1
06572016df2cc5f83e1e29f28ca08ccd6adbcf31

SHA256
3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c

SHA512
e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
f4b09ff7e0b9d684242f02f3bfc973d2

SHA1
06572016df2cc5f83e1e29f28ca08ccd6adbcf31

SHA256
3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c

SHA512
e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
e1f2309a2ebc893ee7df0d6e26efe0b7

SHA1
ba95265f2657adc34fe574f87358835f76e13226

SHA256
23f01b0878f22f0fa494e9fc7c1189fbf144b033cba2a0b56869552efb977c46

SHA512
2f9f6cc0c52f3add919734dc6052309067398404bd5cd393e1f047afa83cffed9a2ce9cace9c6c635e27a924bd0c3d863580f2e1683e52f02e7667bc2529ff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
1KB

MD5
e1f2309a2ebc893ee7df0d6e26efe0b7

SHA1
ba95265f2657adc34fe574f87358835f76e13226

SHA256
23f01b0878f22f0fa494e9fc7c1189fbf144b033cba2a0b56869552efb977c46

SHA512
2f9f6cc0c52f3add919734dc6052309067398404bd5cd393e1f047afa83cffed9a2ce9cace9c6c635e27a924bd0c3d863580f2e1683e52f02e7667bc2529ff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
2KB

MD5
b448ba4585e69d9f1a5f00d763f57443

SHA1
2e7abbaea1bc96f98be5577e469f647f8ebb861c

SHA256
2ccecf8b7f74dd9e22b22a5ce79fac66683b11524461d0772b724f9ff085a18d

SHA512
cdcce8c11b6f830124f3516af266ae79cb2e0839c161954f510be3ab43c3e2e22cea87dcdbb2d75eee1acb319acde2611062637bf1296916e10ba5e29473cf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
2KB

MD5
b448ba4585e69d9f1a5f00d763f57443

SHA1
2e7abbaea1bc96f98be5577e469f647f8ebb861c

SHA256
2ccecf8b7f74dd9e22b22a5ce79fac66683b11524461d0772b724f9ff085a18d

SHA512
cdcce8c11b6f830124f3516af266ae79cb2e0839c161954f510be3ab43c3e2e22cea87dcdbb2d75eee1acb319acde2611062637bf1296916e10ba5e29473cf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
3KB

MD5
81eace4b65dd90b8fd473b0fe59bad48

SHA1
027f257055d708c0a0065ae83bf75cec9c1e5adf

SHA256
5cedfcd6daa9a56dfa0a31508ea689c565a3eaf4e482ede39648d380edeb41fd

SHA512
13f6c9baa3469884948b052884b6aa299d43846b4cf3319430959f6b5a30d0f425ce664a90dd9e059de319e69fe166b954f3f3e38415d7c2cecd3921abb5a212

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
3KB

MD5
81eace4b65dd90b8fd473b0fe59bad48

SHA1
027f257055d708c0a0065ae83bf75cec9c1e5adf

SHA256
5cedfcd6daa9a56dfa0a31508ea689c565a3eaf4e482ede39648d380edeb41fd

SHA512
13f6c9baa3469884948b052884b6aa299d43846b4cf3319430959f6b5a30d0f425ce664a90dd9e059de319e69fe166b954f3f3e38415d7c2cecd3921abb5a212

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRELGBPU

Filesize
3KB

MD5
1e61470c7fea1633eff4f11a157a237b

SHA1
3c92cb458b7b26cb5ffe4d4143c7b32fca1030d2

SHA256
8202ab03be575f6d3639df46161d6f6a07e29ef3f9adfdaf2a5362d0ca9e9d11

SHA512
8f4ca44cbcc3e57721ec0d3328df2817de78617ec74e7592e50a485eeea5e86efd747182c3433e3875b0d27d3474f9f7ca99bc940d9473b391ca44e6dc31c641

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_KATHC.txt

Filesize
11KB

MD5
e776011b2f0dcff341187caffff17bab

SHA1
575c29dbd4a2bd355e4466ec366948344e44e94c

SHA256
6e5a69d23370592f9e9031cc43f557f4358d6b915f60772817b5ba0e00dfc604

SHA512
3dd43f72a9d7c97054359da35b12be44888ee817b922f3f8b7a47faa16cae2c3cb1f08ac2b8caaec1db3a89fa2d3cd7da44613d6fe475c92394e56e2c5c0d4d7

Download Submit
memory/64-160-0x0000000000000000-mapping.dmp

Download
memory/344-145-0x0000000000000000-mapping.dmp

Download
memory/896-137-0x0000000000000000-mapping.dmp

Download
memory/1212-180-0x0000000000000000-mapping.dmp

Download
memory/1296-139-0x0000000000000000-mapping.dmp

Download
memory/1352-150-0x0000000000000000-mapping.dmp

Download
memory/1976-169-0x0000000000000000-mapping.dmp

Download
memory/2104-154-0x0000000000000000-mapping.dmp

Download
memory/2324-165-0x0000000000000000-mapping.dmp

Download
memory/2396-170-0x0000000000000000-mapping.dmp

Download
memory/2796-174-0x0000000000000000-mapping.dmp

Download
memory/2816-135-0x0000000000000000-mapping.dmp

Download
memory/3236-186-0x0000000000000000-mapping.dmp

Download
memory/3344-152-0x0000000000000000-mapping.dmp

Download
memory/3428-136-0x0000000000000000-mapping.dmp

Download
memory/3732-183-0x0000000000000000-mapping.dmp

Download
memory/3748-184-0x0000000000000000-mapping.dmp

Download
memory/3764-144-0x0000000000000000-mapping.dmp

Download
memory/3808-175-0x0000000000000000-mapping.dmp

Download
memory/3852-159-0x0000000000000000-mapping.dmp

Download
memory/3892-142-0x0000000000000000-mapping.dmp

Download
memory/4100-155-0x0000000000000000-mapping.dmp

Download
memory/4172-132-0x0000000000E00000-0x0000000001E75000-memory.dmp

Filesize
16.5MB

Download
memory/4172-185-0x0000000000E00000-0x0000000001E75000-memory.dmp

Filesize
16.5MB

Download
memory/4172-182-0x0000000000E00000-0x0000000001E75000-memory.dmp

Filesize
16.5MB

Download
memory/4392-172-0x0000000000000000-mapping.dmp

Download
memory/4496-147-0x0000000000000000-mapping.dmp

Download
memory/4520-179-0x0000000000000000-mapping.dmp

Download
memory/4532-157-0x0000000000000000-mapping.dmp

Download
memory/4564-140-0x0000000000000000-mapping.dmp

Download
memory/4584-164-0x0000000000000000-mapping.dmp

Download
memory/4620-149-0x0000000000000000-mapping.dmp

Download
memory/4644-134-0x0000000000000000-mapping.dmp

Download
memory/4948-167-0x0000000000000000-mapping.dmp

Download
memory/5000-162-0x0000000000000000-mapping.dmp

Download
memory/5048-133-0x0000000000000000-mapping.dmp

Download
memory/5064-177-0x0000000000000000-mapping.dmp

Download