Analysis
max time kernel: 132s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 12:22
Static task: static1
Behavioral task: behavioral1
  Sample: Ransomware Mallox.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Ransomware Mallox.exe
  Resource: win10v2004-20241007-en
General
Target: Ransomware Mallox.exe
Size: 346KB
MD5: 9099859494363864de61fb30d6c201e6
SHA1: 90378c5fd151128287c12eea0ea3761833b0ad03
SHA256: 06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784
SHA512: cae8c4970c6d8891d2da8924e6ba2331242c112ee5eec5823d8e55c29b40822b0f4287b64e5b6b5d71c0aa2cb8b998ac4533e2dd6326af820f29e9e5eadd59ba
SSDEEP: 6144:lbjhsyXpHunpQE/T/iSIDexeohXdbVeb:7XpOpplI8eoT
Malware Config
Extracted
\Device\HarddiskVolume1\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware family that encrypts files using a combination of ChaCha20, AES-128, and Curve25519; it was first seen in June 2021.
Targetcompany family
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid / Process:
- 448 bcdedit.exe
- 1692 bcdedit.exe
Renames multiple (356) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description / ioc / Process:
- Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Ransomware Mallox.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) by Ransomware Mallox.exe: \??\Z:, \??\K:, \??\N:, \??\O:, \??\V:, \??\Y:, \??\A:, \??\B:, \??\G:, \??\R:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\D:, \??\H:, \??\J:, \??\M:, \??\U:, \??\W:, \??\X:, \??\E:, \??\I:, \??\L:
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 8 | api.ipify.org
Drops file in Program Files directory 64 IoCs
description / ioc (Process is Ransomware Mallox.exe for every entry):
- File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteLargeTile.scale-200.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ArchiveToastQuickAction.scale-80.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlCone.png
- File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-125_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-lightunplated.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-200.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-lightunplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-lightunplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png
- File opened for modification C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml
- File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-lightunplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-200.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Inbox.winmd
- File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt
- File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineUtilities.js
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png
- File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\HOW TO BACK FILES.txt
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\CallAction-AdaptiveCard.json
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png
- File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_06.jpg
- File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-150.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-200.png
- File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\HOW TO BACK FILES.txt
- File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-256_altform-unplated_contrast-black.png
- File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.ot
- File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\AboutBoxLogo.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SignInControl.xaml
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-100.png
- File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_contrast-black.png
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png
- File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO BACK FILES.txt
- File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-100_contrast-white.png
- File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-100.png
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid / Process:
- 5008 Ransomware Mallox.exe (listed 4 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process:
- Token: SeDebugPrivilege | 5008 | Ransomware Mallox.exe (one entry)
- Token: SeTakeOwnershipPrivilege | 5008 | Ransomware Mallox.exe (all other entries)
Suspicious use of WriteProcessMemory 8 IoCs
description / pid / Process / procid_target:
- PID 5008 wrote to memory of 3872 | 5008 | Ransomware Mallox.exe | 87 (listed twice)
- PID 5008 wrote to memory of 2408 | 5008 | Ransomware Mallox.exe | 89 (listed twice)
- PID 3872 wrote to memory of 448 | 3872 | cmd.exe | 93 (listed twice)
- PID 2408 wrote to memory of 1692 | 2408 | cmd.exe | 94 (listed twice)
System policy modification 1 TTPs 1 IoCs
description / ioc / Process:
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | Ransomware Mallox.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Ransomware Mallox.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware Mallox.exe"
  PID: 5008
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 3872
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 448
      - Modifies boot configuration data using bcdedit
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 2408
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} recoveryenabled no
      PID: 1692
      - Modifies boot configuration data using bcdedit
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2437139445-1151884604-3026847218-1000-MergedResources-0.pri
  Filesize: 16KB
  MD5: b34ba69985108e663421f2501c584231
  SHA1: e2ea1c1d032a57097cf99c939f3d34d4dbd564a0
  SHA256: 9749d50393c72185af998e42daf90a7c6006bcedf4dbd9e7f3d09d0fc0467b09
  SHA512: cd6a31ee5af9523b5a72709e09c8d606966753ca4b77ecd01e8e83456b68c6aa04eaa14afdc4c404987f85af1521577b5a39a5404a690cdd1da9a592f9e04f82
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-2437139445-1151884604-3026847218-1000-MergedResources-0.pri
  Filesize: 80KB
  MD5: 5274a23cf348574b5b365b1880e09ead
  SHA1: 601d2446544629c829db2fe6826dd795ce2edad8
  SHA256: d02722532f859e839b0549a7680e810f6890f36a19b4010184c9a4fedb4a52a7
  SHA512: 6c7fea6d5ea723069349ac4ce6f49935a87d2da5dbd5f1136e2ad09315da72a9376a4e9da8c4bbfc3a7ee0dca10fb13c5791dcaa178f755c119fe6e46238b292
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e1dabada.pri
  Filesize: 100KB
  MD5: 23272440ef2815a0c71c693c8deb1285
  SHA1: faca8cef9971f0559d029c9f93e708b57491c842
  SHA256: 6b17356e9c4f34c71702702f8b63aefa770abd8d90d6cf851033324eb1e39dee
  SHA512: 891858d12fe1e6e511b7600dac30c8b8e37c5dfb73a4cc1a0228d4a710881ee58a368e553f828b4566f40446a71583b3c06f72fa80cb32e66e34755a608276fa
- Filesize: 1KB
  MD5: b588a7788be7ab00d0d89b6b5c460ac6
  SHA1: cad1c989ab63c6800de9096425fa6268fd1e94b2
  SHA256: 64c32d4b81e44d4ac032fbe83ab7697dbdfdb90157cee3af4de2cbdff9234c70
  SHA512: e7f3f0b9b1bfc42e8ee36f58be87c37c3aa8c27eb22a3d1a7fc79e32896c59c811291937434a43d1c7f3f005453a55c266c93db9d718df5e5a880dd7f1079e61