koxic | d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333

Resubmissions

11-10-2022 07:47

221011-jmlcracher 10

11-10-2022 07:35

221011-jeym4sccd3 10

Analysis

max time kernel
152s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Size

158KB
MD5

3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1

0ebf10867534cb472bb98344f80e3a8aac0aa507
SHA256

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA512

e4486c33fc7bf99700fabec50ead10a6159758603d50eabe650436098a977b8c9dc728d0e8dbc3e3718393a7ba67cca8ea2799ef83e9194f178f04ae9784473e
SSDEEP

3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt

Ransom Note

--=== Hello ===--- [+] Whats Happen? [+] Your sensitive information and data were downloaded. Your files are encrypted, and currently unavailable just so you can contact us faster. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] We are not interested in distributing information, we are interested in agreeing with you - these are your guarantees. Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] Just write us an email to [email protected] [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 4E7E5A6F17A3378038320AEB0CA744BA36026D0EC958642212CA2E7CAD03F1831D39B5672BF30BCC95 CCB2163770E1F633075C6EA3CC4A922C7ECE05782D7056BD17A79B146246FB7444109530771F772BED 6FDBF0BDA4AC9BB8130870DFF5F56B8ACED4FEAC0B8279B8E1E63FFC8981C2B5FB853E071DDA38F533 97EBE6E5DC584C6D19AFF801711F19F661867056C6C47EB8355BCC3524D52DE6D7BCBE178F9D3798B2 B22DF1ED355A37B2F45018286F3D17029AAA939AEFA59C647D3EBEEE7175CA6752F2022458A1DE3ADD 553F418D97F6DA14B8B42957AD7032D543DA138D4D5F3D115907356809D3BEA100F9F01DF8D218575F D6C42EA43018EB8651C73082010A0282010100CD70BA8422E5A7D8006CB3FA70C82BBA6EE645BFC0BF 2A99B797BFA4D8EF9ECA507F8EDBFEF6B2B0E443B4D5CF51CED25FDFDE91A411083EC90BAC2662AF04 C73BD5ECE08ECF9EC17151D218051866FCD3DF54A2DB48C973394A76B45AF92E9606EB5FA4D1DD85A3 318FA61EC09E4D88B574285703FDFB5C5E3150CB4D06F7CACF1BBC27D5098D02A88A6FC237798089F9 A58D3DD749452685157760F5E327C27D08AA99E37AF26ADF71F9F825E3CC4555E319E552FCC942E8AC F754E19180D6A7A76CCF0FBEF847749B79B224B904B38F1FFE99FCC7597C1AFD0181259B2F30003D57 551E68225CFBE7F979F3BFC3C160A2C8D15A823EC4941DC94116FB442F02030100015CBBA624107476 FCE94F40FC79A74A5F5341475256

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ReadStart.tif => C:\Users\Admin\Pictures\ReadStart.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\MoveOpen.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\RemoveReceive.raw => C:\Users\Admin\Pictures\RemoveReceive.raw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\SendUnblock.crw => C:\Users\Admin\Pictures\SendUnblock.crw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\SendUnblock.crw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\RequestFind.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\DismountUpdate.tiff => C:\Users\Admin\Pictures\DismountUpdate.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\DismountSave.tif => C:\Users\Admin\Pictures\DismountSave.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\DismountUpdate.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\UnpublishWrite.raw => C:\Users\Admin\Pictures\UnpublishWrite.raw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\SuspendReceive.crw => C:\Users\Admin\Pictures\SuspendReceive.crw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\RequestFind.tiff => C:\Users\Admin\Pictures\RequestFind.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\ReadStart.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishWrite.raw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\WaitRestore.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\SuspendReceive.crw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveReceive.raw.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\MoveOpen.tif => C:\Users\Admin\Pictures\MoveOpen.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSave.tif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\WaitRestore.tiff => C:\Users\Admin\Pictures\WaitRestore.tiff.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Drops file in Program Files directory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnetwk.exe.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\RevokeAdd.cfg.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Windows Mail\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Groove Starter Template.xsn.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\micaut.dll.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ENVELOPR.DLL.IDX_DLL.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\abcpy.ini.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCESS12.ACC.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03470_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Common Files\System\en-US\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\WANNA_RECOVER_KOXIC_FILEZ_SAGRV.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS.KOXIC_SAGRV	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

840 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1764 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1572 taskkill.exe

pid	process
840	ipconfig.exe

pid	process
1764	vssadmin.exe

pid	process
1572	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exed2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeBackupPrivilege	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeRestorePrivilege	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeManageVolumePrivilege	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeTakeOwnershipPrivilege	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1964	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1964	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1964	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1964	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1964 wrote to memory of 1572	1964	cmd.exe	taskkill.exe
PID 1964 wrote to memory of 1572	1964	cmd.exe	taskkill.exe
PID 1964 wrote to memory of 1572	1964	cmd.exe	taskkill.exe
PID 1964 wrote to memory of 1572	1964	cmd.exe	taskkill.exe
PID 1452 wrote to memory of 960	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 960	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 960	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 960	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 960 wrote to memory of 1764	960	cmd.exe	vssadmin.exe
PID 960 wrote to memory of 1764	960	cmd.exe	vssadmin.exe
PID 960 wrote to memory of 1764	960	cmd.exe	vssadmin.exe
PID 960 wrote to memory of 1764	960	cmd.exe	vssadmin.exe
PID 1452 wrote to memory of 1860	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1860	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1860	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1860	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 560	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 560	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 560	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 560	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 560 wrote to memory of 1684	560	cmd.exe	WMIC.exe
PID 560 wrote to memory of 1684	560	cmd.exe	WMIC.exe
PID 560 wrote to memory of 1684	560	cmd.exe	WMIC.exe
PID 560 wrote to memory of 1684	560	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 808	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 808	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 808	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 808	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1056	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1056	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1056	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1056	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1056 wrote to memory of 760	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 760	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 760	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 760	1056	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 580	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 580	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 580	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 580	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 552	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 552	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 552	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 552	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 552 wrote to memory of 364	552	cmd.exe	WMIC.exe
PID 552 wrote to memory of 364	552	cmd.exe	WMIC.exe
PID 552 wrote to memory of 364	552	cmd.exe	WMIC.exe
PID 552 wrote to memory of 364	552	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 1620	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1620	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1620	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1620	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1644	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1644	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1644	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1452 wrote to memory of 1644	1452	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1644 wrote to memory of 1084	1644	cmd.exe	WMIC.exe
PID 1644 wrote to memory of 1084	1644	cmd.exe	WMIC.exe
PID 1644 wrote to memory of 1084	1644	cmd.exe	WMIC.exe
PID 1644 wrote to memory of 1084	1644	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
"C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\MIQXSKQOT"
  2⤵
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\MIQXSKQOT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\MIQXSKQOT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\MIQXSKQOT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\MIQXSKQOT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:432
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:672
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:532
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\MIQXSKQOT"
  2⤵
  PID:1768

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
4KB

MD5
bacffcd17d4d245984611c6100cc7040

SHA1
cc090a4202e2ec51a44477ba9718bdc8bfbfd27c

SHA256
b51153fdd57aa8777344f43215c612ec11dc4e0275fd8b6ab698b6e45f952c50

SHA512
797d0f3b5c541dc994496a0ff3b4161545c16fbd5ecdc56ae5061135a27cc975ab5dd7c0e0926def8b8819700f6d705cdc8d63975a90f84dcde5f6d132660510

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
4KB

MD5
bacffcd17d4d245984611c6100cc7040

SHA1
cc090a4202e2ec51a44477ba9718bdc8bfbfd27c

SHA256
b51153fdd57aa8777344f43215c612ec11dc4e0275fd8b6ab698b6e45f952c50

SHA512
797d0f3b5c541dc994496a0ff3b4161545c16fbd5ecdc56ae5061135a27cc975ab5dd7c0e0926def8b8819700f6d705cdc8d63975a90f84dcde5f6d132660510

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
4KB

MD5
b550be32fa7c95d6cec53f22ff45b477

SHA1
7c07854f25b3378dc4f548598c3087d524fe675d

SHA256
91b878c26e566741852a07be00aee04d143699aecab29d9f9e934c0c1e678924

SHA512
83589650177e9f958ad7f990217d912aa2bfbb497ed3a97831765adfb174e48286841970c4ebc66d61b87f836a1e008fde488d3eb688b3d10f8022662ce64d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
320B

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
320B

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
692B

MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
692B

MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
84fc9373ea5f54c4ed110d319224d35e

SHA1
431978d9a749a7ca3812f73997b8400c2af3be79

SHA256
f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e

SHA512
4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
1KB

MD5
84fc9373ea5f54c4ed110d319224d35e

SHA1
431978d9a749a7ca3812f73997b8400c2af3be79

SHA256
f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e

SHA512
4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
3KB

MD5
3e5a6a63c8eeb90c0a741b6911c35ad8

SHA1
60d8396627b59ccb416857e2eef26d3eb941b464

SHA256
97bd19d1d4bb781188323907624d317f4b8b73953af7f9b9e8c5bf796766279c

SHA512
ee9de159f1d330a5389944aa02f25ff1582da3d2b59ba7d92b474e0043456b17129b346775b4dc8ed5449d6d1ebbce86efd7d4c6bcf1379c0b1f92dfba007a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
3KB

MD5
3e5a6a63c8eeb90c0a741b6911c35ad8

SHA1
60d8396627b59ccb416857e2eef26d3eb941b464

SHA256
97bd19d1d4bb781188323907624d317f4b8b73953af7f9b9e8c5bf796766279c

SHA512
ee9de159f1d330a5389944aa02f25ff1582da3d2b59ba7d92b474e0043456b17129b346775b4dc8ed5449d6d1ebbce86efd7d4c6bcf1379c0b1f92dfba007a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
3KB

MD5
1e7fed4661138045222e431e174a5ec9

SHA1
731aff947eb25c5c7d39701994664782e238aa8e

SHA256
089f80158ca9fdde41d31e610fbe7899d745b82a179a6593c832b3e209fcc63b

SHA512
b6d9980689ccab19cc64f4cbbfad307bc2ad2b47591bdc972d827eec025b7bca5497350f8427565a63a1fd2396d67a8aa1879329ba62ee8d0981e5d4b6d1433f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQXSKQOT

Filesize
3KB

MD5
1e7fed4661138045222e431e174a5ec9

SHA1
731aff947eb25c5c7d39701994664782e238aa8e

SHA256
089f80158ca9fdde41d31e610fbe7899d745b82a179a6593c832b3e209fcc63b

SHA512
b6d9980689ccab19cc64f4cbbfad307bc2ad2b47591bdc972d827eec025b7bca5497350f8427565a63a1fd2396d67a8aa1879329ba62ee8d0981e5d4b6d1433f

Download Submit
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/432-88-0x0000000000000000-mapping.dmp

Download
memory/520-95-0x0000000000000000-mapping.dmp

Download
memory/532-103-0x0000000000000000-mapping.dmp

Download
memory/552-73-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/580-71-0x0000000000000000-mapping.dmp

Download
memory/672-98-0x0000000000000000-mapping.dmp

Download
memory/752-101-0x0000000000000000-mapping.dmp

Download
memory/760-70-0x0000000000000000-mapping.dmp

Download
memory/808-66-0x0000000000000000-mapping.dmp

Download
memory/840-105-0x0000000000000000-mapping.dmp

Download
memory/852-100-0x0000000000000000-mapping.dmp

Download
memory/904-81-0x0000000000000000-mapping.dmp

Download
memory/960-59-0x0000000000000000-mapping.dmp

Download
memory/1012-86-0x0000000000000000-mapping.dmp

Download
memory/1056-68-0x0000000000000000-mapping.dmp

Download
memory/1084-80-0x0000000000000000-mapping.dmp

Download
memory/1092-96-0x0000000000000000-mapping.dmp

Download
memory/1452-65-0x0000000000380000-0x00000000013F5000-memory.dmp

Filesize
16.5MB

Download
memory/1452-55-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-54-0x0000000000380000-0x00000000013F5000-memory.dmp

Filesize
16.5MB

Download
memory/1496-58-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1520-90-0x0000000000000000-mapping.dmp

Download
memory/1544-85-0x0000000000000000-mapping.dmp

Download
memory/1572-57-0x0000000000000000-mapping.dmp

Download
memory/1620-76-0x0000000000000000-mapping.dmp

Download
memory/1644-78-0x0000000000000000-mapping.dmp

Download
memory/1684-64-0x0000000000000000-mapping.dmp

Download
memory/1748-91-0x0000000000000000-mapping.dmp

Download
memory/1764-60-0x0000000000000000-mapping.dmp

Download
memory/1768-107-0x0000000000000000-mapping.dmp

Download
memory/1860-61-0x0000000000000000-mapping.dmp

Download
memory/1964-56-0x0000000000000000-mapping.dmp

Download
memory/1964-83-0x0000000000000000-mapping.dmp

Download
memory/1980-93-0x0000000000000000-mapping.dmp

Download