Analysis

  • max time kernel
    104s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 01:29

General

  • Target

    Botox-0xb.exe

  • Size

    170KB

  • MD5

    8f0da65b1714819a26b959b6530cc576

  • SHA1

    01145678908c0d379467e37f6679d248f1b7a3a4

  • SHA256

    f2f15ed5568b4ea4c9ccf7f772347651c2aa13b266ddbbf3893795794214bb2f

  • SHA512

    c4aa9db30de6cb03c2d24a8931e2ee2701aa634fdddd4d666e0b08e165ac9c190d28fb7fefbbbfa84ecda9bf2843fc15ca0a8387d15a4e18f85aa5cf45ad9dd3

  • SSDEEP

    1536:4lX4Sg8k5hRaWsgB7VIzYn2YxBTpchbpMApZNoJj2010v0s0fqStAkGpV/ITZDdx:49tg5v5P7Vo010v0s0QRe3olYkbLdA

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\case_id.txt

Ransom Note

Case ID: OXFO4L

## ⚠️ YOUR FILES HAVE BEEN ENCRYPTED ⚠️

Your important files have been **encrypted** by **Moroccan Dragons** using military-grade encryption. This includes all documents, photos, videos, databases, and other critical data. You cannot access them without our decryption key.

### What Happened?

We have locked your files with a unique encryption algorithm. Decryption is **impossible** without the corresponding private key.

### How to Recover Your Files?

To restore access, you must pay **1.103301 Monero (XMR) [230 US Dollar]** to our secure wallet:

💰 **Payment Amount:** 1.103301
📥 **Monero Wallet Address:** [Monero Address]

### After Payment:

1. Send proof of payment along with your **Case ID** to our email: **[Contact Email]**
2. Our system will verify the transaction.
3. We will provide the **decryption software** and **unique key** to unlock your files.

### IMPORTANT WARNINGS:

⏳ **You have 48H to pay** before the price **doubles**.
🚨 If you fail to pay within **48H**, your files will be **permanently lost**.
❌ Attempting manual recovery or using third-party tools **will corrupt your data**.
🚫 Do not contact authorities—they cannot help you, and failure to comply will result in total data loss.

### How to Pay?

1. Buy **Monero (XMR)** from a cryptocurrency exchange (Binance, Kraken, etc.).
2. Transfer the required amount to our wallet address.
3. Email proof of payment and your **Case ID**, and we will handle the rest.

🔒 **Your files are locked. The choice is yours. Act now before it's too late.**

Signatures

  • Renames multiple (2330) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager (1 TTP)

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Browser Information Discovery (1 TTP)

    Enumerates installed browsers and their profile data.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Opens file in notepad (likely ransom note) (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Botox-0xb.exe
    "C:\Users\Admin\AppData\Local\Temp\Botox-0xb.exe"
    PID: 2016
    • Checks computer location settings
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\case_id.txt
      PID: 2820
      • Opens file in notepad (likely ransom note)
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\case_id.txt
      PID: 1752
      • Opens file in notepad (likely ransom note)

Network

MITRE ATT&CK Enterprise v15

Downloads