Analysis
max time kernel: 202s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 09:19
Static task: static1
Behavioral task: behavioral1
Sample: 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Resource: win10v2004-20220812-en
General
Target: 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Size: 379KB
MD5: 5a44e1d5691ec9395281123ea0bd501f
SHA1: 64566d5049479227d2eff3d983b127c0339974cd
SHA256: 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9
SHA512: 55d85e77f70f25bae6cf8bbf5dd787d5771c2e38e99461b608f6375be9cb0b1031f3c0268b82eb03db05eb88ce37d5f37afbfc69ab0c4f90791a706013b168c8
SSDEEP: 6144:iKhrG3sugbNHoLjmtbLC0Yq4L/mFWPLz2V0Pz2V0Pz2V0Pz2V0gqqi:i3sugbNHoLH/6WTnnnLqi
Malware Config
Signatures
Koxic
A C++ written ransomware first seen in late 2021.
Modifies Windows Defender Real-time Protection settings
Process (all rows): 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Disables taskbar notifications via registry modification
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Process (all rows): 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
description | ioc
File opened for modification | C:\Users\Admin\Pictures\ExpandClose.tiff.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\DisableAssert.tiff => C:\Users\Admin\Pictures\DisableAssert.tiff.KOXIC_BUJWJ
File opened for modification | C:\Users\Admin\Pictures\DenyGrant.png.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\GroupConvert.raw => C:\Users\Admin\Pictures\GroupConvert.raw.KOXIC_BUJWJ
File opened for modification | C:\Users\Admin\Pictures\GroupConvert.raw.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\ExportResolve.raw => C:\Users\Admin\Pictures\ExportResolve.raw.KOXIC_BUJWJ
File opened for modification | C:\Users\Admin\Pictures\ExportResolve.raw.KOXIC_BUJWJ
File opened for modification | C:\Users\Admin\Pictures\BackupMeasure.tiff.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\ExpandClose.tiff => C:\Users\Admin\Pictures\ExpandClose.tiff.KOXIC_BUJWJ
File opened for modification | C:\Users\Admin\Pictures\DisableAssert.tiff.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\DenyGrant.png => C:\Users\Admin\Pictures\DenyGrant.png.KOXIC_BUJWJ
File renamed | C:\Users\Admin\Pictures\BackupMeasure.tiff => C:\Users\Admin\Pictures\BackupMeasure.tiff.KOXIC_BUJWJ
Windows security modification
Process (all rows): 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration
Drops file in Program Files directory 64 IoCs
Process (all rows): 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
description | ioc
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.KOXIC_BUJWJ
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js.KOXIC_BUJWJ
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf.KOXIC_BUJWJ
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.KOXIC_BUJWJ
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\PREVIEW.GIF.KOXIC_BUJWJ
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\meta-index.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.KOXIC_BUJWJ
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.KOXIC_BUJWJ
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files\WindowsApps\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.KOXIC_BUJWJ
File created | C:\Program Files\VideoLAN\VLC\locale\th\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.KOXIC_BUJWJ
File created | C:\Program Files\Java\jre1.8.0_66\lib\security\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.KOXIC_BUJWJ
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\MSFT_PackageManagement.strings.psd1.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat.KOXIC_BUJWJ
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.KOXIC_BUJWJ
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js.KOXIC_BUJWJ
File created | C:\Program Files (x86)\Common Files\System\ado\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIF.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\el_get.svg.KOXIC_BUJWJ
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui.KOXIC_BUJWJ
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js.KOXIC_BUJWJ
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected-hover.svg.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.KOXIC_BUJWJ
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.KOXIC_BUJWJ
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
4976 | ipconfig.exe
Kills process with taskkill 1 IoCs
pid | Process
2284 | taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2036 | notepad.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4088 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2284 | taskkill.exe
Token: SeBackupPrivilege | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeRestorePrivilege | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeManageVolumePrivilege | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeTakeOwnershipPrivilege | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
Token: SeIncreaseQuotaPrivilege | 4184 | WMIC.exe
Token: SeSecurityPrivilege | 4184 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4184 | WMIC.exe
Token: SeLoadDriverPrivilege | 4184 | WMIC.exe
Token: SeSystemProfilePrivilege | 4184 | WMIC.exe
Token: SeSystemtimePrivilege | 4184 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4184 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4184 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4184 | WMIC.exe
Token: SeBackupPrivilege | 4184 | WMIC.exe
Token: SeRestorePrivilege | 4184 | WMIC.exe
Token: SeShutdownPrivilege | 4184 | WMIC.exe
Token: SeDebugPrivilege | 4184 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4184 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4184 | WMIC.exe
Token: SeUndockPrivilege | 4184 | WMIC.exe
Token: SeManageVolumePrivilege | 4184 | WMIC.exe
Token: 33 | 4184 | WMIC.exe
Token: 34 | 4184 | WMIC.exe
Token: 35 | 4184 | WMIC.exe
Token: 36 | 4184 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4184 | WMIC.exe
Token: SeSecurityPrivilege | 4184 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4184 | WMIC.exe
Token: SeLoadDriverPrivilege | 4184 | WMIC.exe
Token: SeSystemProfilePrivilege | 4184 | WMIC.exe
Token: SeSystemtimePrivilege | 4184 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4184 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4184 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4184 | WMIC.exe
Token: SeBackupPrivilege | 4184 | WMIC.exe
Token: SeRestorePrivilege | 4184 | WMIC.exe
Token: SeShutdownPrivilege | 4184 | WMIC.exe
Token: SeDebugPrivilege | 4184 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4184 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4184 | WMIC.exe
Token: SeUndockPrivilege | 4184 | WMIC.exe
Token: SeManageVolumePrivilege | 4184 | WMIC.exe
Token: 33 | 4184 | WMIC.exe
Token: 34 | 4184 | WMIC.exe
Token: 35 | 4184 | WMIC.exe
Token: 36 | 4184 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 736 | WMIC.exe
Token: SeSecurityPrivilege | 736 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 736 | WMIC.exe
Token: SeLoadDriverPrivilege | 736 | WMIC.exe
Token: SeSystemProfilePrivilege | 736 | WMIC.exe
Token: SeSystemtimePrivilege | 736 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 736 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 736 | WMIC.exe
Token: SeCreatePagefilePrivilege | 736 | WMIC.exe
Token: SeBackupPrivilege | 736 | WMIC.exe
Token: SeRestorePrivilege | 736 | WMIC.exe
Token: SeShutdownPrivilege | 736 | WMIC.exe
Token: SeDebugPrivilege | 736 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 736 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 736 | WMIC.exe
Token: SeUndockPrivilege | 736 | WMIC.exe
Token: SeManageVolumePrivilege | 736 | WMIC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2436 wrote to memory of 4584 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 80 (3 identical entries)
PID 4584 wrote to memory of 2284 | 4584 | cmd.exe | 82 (3 identical entries)
PID 2436 wrote to memory of 1392 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 85 (3 identical entries)
PID 2436 wrote to memory of 3512 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 87 (3 identical entries)
PID 2436 wrote to memory of 2200 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 89 (3 identical entries)
PID 2200 wrote to memory of 4184 | 2200 | cmd.exe | 91 (3 identical entries)
PID 2436 wrote to memory of 1568 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 92 (3 identical entries)
PID 2436 wrote to memory of 3768 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 94 (3 identical entries)
PID 3768 wrote to memory of 736 | 3768 | cmd.exe | 96 (3 identical entries)
PID 2436 wrote to memory of 1324 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 97 (3 identical entries)
PID 2436 wrote to memory of 3260 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 99 (3 identical entries)
PID 3260 wrote to memory of 396 | 3260 | cmd.exe | 101 (3 identical entries)
PID 2436 wrote to memory of 3648 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 102 (3 identical entries)
PID 2436 wrote to memory of 3788 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 104 (3 identical entries)
PID 3788 wrote to memory of 1828 | 3788 | cmd.exe | 106 (3 identical entries)
PID 2436 wrote to memory of 844 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 107 (3 identical entries)
PID 2436 wrote to memory of 4700 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 109 (3 identical entries)
PID 4700 wrote to memory of 3996 | 4700 | cmd.exe | 111 (3 identical entries)
PID 2436 wrote to memory of 4916 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 112 (3 identical entries)
PID 2436 wrote to memory of 408 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 114 (3 identical entries)
PID 408 wrote to memory of 4300 | 408 | cmd.exe | 116 (3 identical entries)
PID 2436 wrote to memory of 1856 | 2436 | 7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe | 117
Processes
-
[1] Image: C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Modifies extensions of user files
    - Windows security modification
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2436
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
        - Suspicious use of WriteProcessMemory
        PID: 4584
        [3] Image: C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM MSASCuiL.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2284
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
        PID: 1392
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo OS INFO: > %TEMP%\XBKNPPIGG"
        PID: 3512
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 2200
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic OS get Caption,CSDVersion,OSArchitecture,Version
            - Suspicious use of AdjustPrivilegeToken
            PID: 4184
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo BIOS INFO: >> %TEMP%\XBKNPPIGG"
        PID: 1568
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 3768
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
            - Suspicious use of AdjustPrivilegeToken
            PID: 736
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo CPU INFO: >> %TEMP%\XBKNPPIGG"
        PID: 1324
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 3260
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
            PID: 396
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\XBKNPPIGG"
        PID: 3648
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 3788
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic MEMPHYSICAL get MaxCapacity
            PID: 1828
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\XBKNPPIGG"
        PID: 844
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 4700
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
            PID: 3996
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo NIC INFO: >> %TEMP%\XBKNPPIGG"
        PID: 4916
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\XBKNPPIGG"
        - Suspicious use of WriteProcessMemory
        PID: 408
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic NIC get Description, MACAddress, NetEnabled, Speed
            PID: 4300
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo DISKDRIVE INFO: >> %TEMP%\XBKNPPIGG"
        PID: 1856
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\XBKNPPIGG"
        PID: 2660
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic DISKDRIVE get InterfaceType, Name, Size, Status
            PID: 3832
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo USERACCOUNT INFO: >> %TEMP%\XBKNPPIGG"
        PID: 3268
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\XBKNPPIGG"
        PID: 1180
        [3] Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
            PID: 3940
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo IPCONFIG: >> %TEMP%\XBKNPPIGG"
        PID: 4936
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "ipconfig >> %TEMP%\XBKNPPIGG"
        PID: 5072
        [3] Image: C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig
            - Gathers network information
            PID: 4976
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "echo DATABASES FILES: >> %TEMP%\XBKNPPIGG"
        PID: 940
    [2] Image: C:\Windows\SysWOW64\notepad.exe
        Command line: notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt
        - Opens file in notepad (likely ransom note)
        PID: 2036
    [2] Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
        PID: 2500
        [3] Image: C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            - Runs ping.exe
            PID: 4088
[1] Image: C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4848
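The process tree above is a compact catalogue of the command-line behaviours a detection engineer would want rules for: taskkill against security processes, vssadmin shadow deletion, mass `sc config ... start=disabled`, a chain of wmic/ipconfig commands appended to one file in %TEMP%, a ransom note opened in notepad, and the `ping ... & Del` self-delete. The script below is an added example, not part of the sandbox report and not Koxic's own code. It runs those rules over process-creation events constructed from the tree (PIDs, images and command lines are copied from it; the sample's own parent PID is not in the report and is set to 0; the chained commands are joined with `&`, which the report renders without a separator; the `sc` list is shortened; `nissrv.exe` and `mssense.exe` are added to the AV list as an assumption). The interesting piece is the correlation rule: no single `wmic` child is suspicious, but several of them from one parent writing to the same temp file is.

```python
"""Detection rules for the behaviours in the process tree above, run over constructed events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path of the created process
    cmdline: str  # command line as a process-creation log (Sysmon Event ID 1, EDR telemetry) records it


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Names from the taskkill command in the tree, plus two other Defender binaries (assumption:
# extend this set for the security products in your own estate).
AV_PROCESSES = {"msascuil.exe", "msmpeng.exe", "msseces.exe", "nissrv.exe", "mssense.exe"}
SC_DISABLE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RECON_TOOL = re.compile(r"\b(wmic|ipconfig|systeminfo|whoami|nltest)\b", re.I)
TEMP_REDIRECT = re.compile(r'>>?\s*"?((?:%TEMP%|[A-Za-z]:\\[^"\s]*\\Temp)\\[^"\s]+)', re.I)
DEL_TARGET = re.compile(r'\b(?:del|erase)\b[^&]*?"?([A-Za-z]:\\[^"&]+)', re.I)
NOTE_NAME = re.compile(r"RECOVER|DECRYPT|RESTORE|README|HOW_TO", re.I)


def check_event(ev, images):
    """Per-event rules. `images` maps pid -> image path so the self-delete rule can see the parent."""
    cl, out = ev.cmdline, []
    if re.search(r"\btaskkill\b", cl, re.I):
        hit = {t.lower() for t in re.findall(r"/IM\s+(\S+)", cl, re.I)} & AV_PROCESSES
        if hit:
            out.append(Finding("av_kill", ev.pid, "taskkill of security process: " + ", ".join(sorted(hit))))
    if SHADOW_DELETE.search(cl):
        out.append(Finding("shadow_delete", ev.pid, "vssadmin delete shadows"))
    disabled = SC_DISABLE.findall(cl)
    if len(disabled) >= 3:  # one command line disabling several services at once
        out.append(Finding("service_disable", ev.pid, f"{len(disabled)} services set to start=disabled: " + ", ".join(disabled)))
    m = DEL_TARGET.search(cl)
    if m and m.group(1).strip().lower() == images.get(ev.ppid, "").lower():
        delay = "after ping delay" if re.search(r"\bping\b", cl, re.I) else "without delay"
        out.append(Finding("self_delete", ev.pid, f"deletes its parent's image {delay}"))
    if ev.image.lower().endswith("notepad.exe"):
        path = re.search(r'([A-Za-z]:\\[^"]+\.txt)', cl, re.I)
        if path and NOTE_NAME.search(path.group(1).rsplit("\\", 1)[-1]):
            out.append(Finding("ransom_note", ev.pid, "notepad opened " + path.group(1)))
    return out


def correlate_recon(events, min_commands=3):
    """Flag a parent whose children funnel several recon commands into one temp file."""
    per_parent = defaultdict(lambda: defaultdict(set))
    for ev in events:
        m = TEMP_REDIRECT.search(ev.cmdline)
        if m and RECON_TOOL.search(ev.cmdline):
            per_parent[ev.ppid][m.group(1).lower()].add(ev.cmdline.lower())
    return [Finding("recon_to_file", ppid, f"{len(cmds)} recon commands written to {path}")
            for ppid, files in per_parent.items() for path, cmds in files.items()
            if len(cmds) >= min_commands]


def detect(events):
    images = {ev.pid: ev.image for ev in events}
    return [f for ev in events for f in check_event(ev, images)] + correlate_recon(events)


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\7a5e20e021dc29a07cad61f4d0bdb98e22749f13c3ace58220bfe978908bb7e9.exe"
CMD, WMIC = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\Wbem\WMIC.exe"

# Constructed from the tree above. Assumptions: the sample's own parent is unknown (0); the chained
# commands are joined with '&', which the report does not render; the sc list is shortened.
SAMPLE_EVENTS = [
    ProcEvent(2436, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4584, 2436, CMD, r"C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe & taskkill /F /IM MSMpeng.exe & taskkill /F /IM msseces.exe"),
    ProcEvent(2284, 4584, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM MSASCuiL.exe"),
    ProcEvent(1392, 2436, CMD, r"C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet & sc stop vss & sc config vss start=disabled & sc stop MongoDB & sc config MongoDB start=disabled & sc stop SQLWriter & sc config SQLWriter start=disabled & sc stop MSSQLSERVER & sc config MSSQLSERVER start=disabled & sc stop MySQL & sc config MySQL start=disabled"),
    ProcEvent(3512, 2436, CMD, r'cmd /c "echo OS INFO: > %TEMP%\XBKNPPIGG"'),
    ProcEvent(2200, 2436, CMD, r'cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\XBKNPPIGG"'),
    ProcEvent(4184, 2200, WMIC, "wmic OS get Caption,CSDVersion,OSArchitecture,Version"),
    ProcEvent(3768, 2436, CMD, r'cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\XBKNPPIGG"'),
    ProcEvent(1180, 2436, CMD, r'cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\XBKNPPIGG"'),
    ProcEvent(5072, 2436, CMD, r'cmd /c "ipconfig >> %TEMP%\XBKNPPIGG"'),
    ProcEvent(2036, 2436, r"C:\Windows\SysWOW64\notepad.exe", "notepad.exe " + TEMP + r"\WANNA_RECOVER_KOXIC_FILEZ_BUJWJ.txt"),
    ProcEvent(2500, 2436, CMD, f'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "{SAMPLE}"'),
    ProcEvent(4088, 2500, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    # Benign control (constructed): an admin disabling a single service must not trip service_disable.
    ProcEvent(9001, 9000, CMD, "cmd /c sc config Spooler start=disabled"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Run against the constructed events this yields seven findings: two `av_kill` (the cmd.exe wrapper and the taskkill child), one each for `shadow_delete`, `service_disable`, `self_delete` and `ransom_note`, and one `recon_to_file` against PID 2436 for the four wmic/ipconfig children writing to %TEMP%\XBKNPPIGG; the single `sc config Spooler` control produces nothing. The `self_delete` rule deliberately compares the deleted path with the parent's image rather than matching on `ping`, since the delay trick varies between families while deleting one's own parent does not.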
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 3KB
MD5: a5d2dc0909920bbfc219ce16ed3c58a4
SHA1: 5a783c26bd7acaf6b7341019c68b982321fac8bd
SHA256: c495548632971cc0864ada48bfc2981ab3df6a958f246f2b8447fbe7f9b239a3
SHA512: 7042bc5a4b072ff09a28c988fb33c1c15d9230cf06bf09b163765fd7d2aeaa604ad2ebe94e8d7fb728b3cafe664d57c9bf96148a2a57db337e51d8a41553ea7f
-
Filesize: 11B
MD5: 887ae0db192785398c154a027c858317
SHA1: 9e1258a3444e7f54d4a2b23bec0c020d67f285b6
SHA256: 9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5
SHA512: 65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76
-
Filesize: 296B
MD5: e771e08346c6a2bc73c2a372cba333d8
SHA1: 58a23e4ce4c758212d9cef74045c31dba35d4923
SHA256: 12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f
SHA512: 0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15
-
Filesize: 296B
MD5: e771e08346c6a2bc73c2a372cba333d8
SHA1: 58a23e4ce4c758212d9cef74045c31dba35d4923
SHA256: 12846bff5586d9a89874c612d9269e2ba1e5a730438373ce9a08919b58a0df6f
SHA512: 0611c1d8f71ef330812f72ce0d7416253caf3a5feab48545dcd26f4b242949fd7f7fc58da069bec8bc2600c52d8df6d9b43012a429b1d96a88749951dd461c15
-
Filesize: 656B
MD5: e156230fc1d7b01d9a982b15cff069d8
SHA1: 74371a6db83dc162311d4084af559441e3051587
SHA256: 8fd4c3752ffc8d4a9c6fbbf779e3431d5053c46f979524b612ff0d264034d86b
SHA512: 91aa04b73105e48065ef95ebf9ad7914acbce668cb16dc4891218758e2e21462589cd658ed198f717e8ba0195ebb8565b66fce29a4bd28aac4543574547b42ba
-
Filesize: 668B
MD5: fc4dd1d0772fb154de31953c2b421a26
SHA1: f8273a9f46597ef98632d8082a24210c5b0d1158
SHA256: 17e67d6439097c6b6cb5105e6661d18678921cc5ae4d03f31d1ed950df738b1b
SHA512: 605cd1b8d10b64e3ad0388e753c658bc0ee6a3c6262952705b9516f9df3a59b50aac01fe0d0da7193aa16d12dfcff3126a71485414818593a2d6fbed1edd162f
-
Filesize: 1KB
MD5: c71e901a4f65c7a50a11a3b836622873
SHA1: 162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9
SHA256: f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a
SHA512: b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681
-
Filesize: 1KB
MD5: c71e901a4f65c7a50a11a3b836622873
SHA1: 162f9bfcc801e7db8da1eb8ce42b21b1f50a09e9
SHA256: f33353dd1816be2913e1950ddc935aa9e70010a15abdbf7d1001a55edc82e52a
SHA512: b0de60436bea2d756e350b44be69252fd744f435a5b7e119452230eaf57a7ff339071be29eaa4b501eb01bf227bde590c36ef17683e090ddad745ceb4c4ed681
-
Filesize: 1KB
MD5: f4b09ff7e0b9d684242f02f3bfc973d2
SHA1: 06572016df2cc5f83e1e29f28ca08ccd6adbcf31
SHA256: 3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c
SHA512: e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229
-
Filesize: 1KB
MD5: f4b09ff7e0b9d684242f02f3bfc973d2
SHA1: 06572016df2cc5f83e1e29f28ca08ccd6adbcf31
SHA256: 3a72d27644968b8c776cb9f865570eb038415fabb1acba749a88f39c5ca5a86c
SHA512: e02ddc00772434e25e98387afe56a5ec45d89ad98ee9dd204ca9d67458ec9f00bf5840b09bcdee090e507360f699903e402bb4c585c205eaa57dc67418ee3229
-
Filesize: 1KB
MD5: 65c1247c68ad9d85a3b2d66beb9cea42
SHA1: 71d429cf2722b43109a8823d06633c46e52c2a54
SHA256: 9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb
SHA512: bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658
-
Filesize: 1KB
MD5: 65c1247c68ad9d85a3b2d66beb9cea42
SHA1: 71d429cf2722b43109a8823d06633c46e52c2a54
SHA256: 9f08c7a43c50b013aff9ae8d8ad86520d55ddb4ac61b63b08380101ece9b00fb
SHA512: bfb9877a702b7cd7d53bf1d2ca5ddef36052048c6b832e00298cd32d259cfda8ccd2662d7e449a55334e738009b820a71fc955f758baf055f521aab527f7b658
-
Filesize: 1KB
MD5: 81a65de2cdc5482dd76704b9e2a1dade
SHA1: b3d178fc33a0bc96ef3dfe8a64ae680487d64459
SHA256: d401976af4797b4c14140d8e1f714ce3501340531ee311bb51f7e57f013de083
SHA512: 5b750c66416c4d20fd5daf50ea89c7f6855546ab3557e28b80c297347839f5c9a5826c552b4f9d060f02fb269980e72539689213d2b1dc1b0ce53000680b9a6a
-
Filesize: 1KB
MD5: 81a65de2cdc5482dd76704b9e2a1dade
SHA1: b3d178fc33a0bc96ef3dfe8a64ae680487d64459
SHA256: d401976af4797b4c14140d8e1f714ce3501340531ee311bb51f7e57f013de083
SHA512: 5b750c66416c4d20fd5daf50ea89c7f6855546ab3557e28b80c297347839f5c9a5826c552b4f9d060f02fb269980e72539689213d2b1dc1b0ce53000680b9a6a
-
Filesize: 2KB
MD5: 10b728b48ee35a6b26bcb8c43480d35d
SHA1: 694e49bda2a22fca0e4c2b584f2a6aac135dfbe6
SHA256: 54d439cd4a2aa23aa19807c0a6f0852b6a7e1013b97c0534dee0034b1530b3aa
SHA512: 0a66d6cc6bbb9bb3403a73a626a56be2ceed9c017ed8fb44d7abe9d79a9f1d94fb78d7c6408b65502b8c5cb37e1763b281d0a956d4a69f0ebb875a5b7bd6df9c
-
Filesize: 2KB
MD5: 10b728b48ee35a6b26bcb8c43480d35d
SHA1: 694e49bda2a22fca0e4c2b584f2a6aac135dfbe6
SHA256: 54d439cd4a2aa23aa19807c0a6f0852b6a7e1013b97c0534dee0034b1530b3aa
SHA512: 0a66d6cc6bbb9bb3403a73a626a56be2ceed9c017ed8fb44d7abe9d79a9f1d94fb78d7c6408b65502b8c5cb37e1763b281d0a956d4a69f0ebb875a5b7bd6df9c
-
Filesize: 3KB
MD5: 3869cb0db7d0fa172c641cdff3f0747a
SHA1: 1a62c2dbacdb93d5c046100f43a020c531818c95
SHA256: 640d99dbc0490b9801cfc4c86aabd83ec54dee2c981628ef311bef38eb28c81e
SHA512: 27c0f82f3af184e9717266fbea092ff19edcdbf734707120c6747bdb07ced8e6cbec29a72a35e47c2a2f6144511f098edba0de13a17bb962068ba95376c01812
-
Filesize: 3KB
MD5: 3869cb0db7d0fa172c641cdff3f0747a
SHA1: 1a62c2dbacdb93d5c046100f43a020c531818c95
SHA256: 640d99dbc0490b9801cfc4c86aabd83ec54dee2c981628ef311bef38eb28c81e
SHA512: 27c0f82f3af184e9717266fbea092ff19edcdbf734707120c6747bdb07ced8e6cbec29a72a35e47c2a2f6144511f098edba0de13a17bb962068ba95376c01812
-
Filesize: 3KB
MD5: 2be5dccae06175662243b4691440b944
SHA1: c4eeee2347bea5039555b5c27c6082b43592448e
SHA256: 7161d71fd599919325a34432917f377cd404627b7367fa0f6a5a372a1cc6efd2
SHA512: 42a1c1fed26145220d6d18b02ea798dc272dfecf386b6a519dd6da851c8b28db43d39367de6fa2832d36ad27cb1ebccf1d2355e882c82c4b4e7d90fa882e8f98
-
Filesize: 3KB
MD5: 4de0417935111aa440f91b98507910e0
SHA1: e7b7608fe72273d4c3383e41ae3bdec765e5666a
SHA256: d9d05517fbfad07713e44aef798228948ed79a50661d959f6880085927a117e7
SHA512: e89bf6f319dc2f0653aa8cbcb569d30804f1af05c2475c48336c9330cd3fbf6a17b353e24c2345592b2b43b0b5a3cb228a1917d4349c5a6b170019dc82117f6e