MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ransomare.Koxic


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA3-384 hash: 7ac1d3520c8c23be29f25a4257a75821add4fec94286320d2beeb7cb2e0230ce19e75ee40c308480aace24a049f5142a
SHA1 hash: 7544332b52769ca853d900669ef5e272a2ae1665
MD5 hash: 14ee62fcc9163509856671400429ad55
humanhash: one-green-washington-artist
File name:enc.exe
Download: download sample
Signature Ransomare.Koxic
Create hunting rule
File size:160'256 bytes
First seen:2022-01-21 11:23:38 UTC
Last seen:2022-01-21 12:32:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07253c21dea4ccc980c087252fddc7a8 (2 x Ransomare.Koxic)
ssdeep 3072:bD7p4cx5vL2RyigBpUfoatwV6amXjc725K40A6v:bDnx1s/fo5mA212
Threatray 1'851 similar samples on MalwareBazaar
TLSH T1B2F3E18BB1DA3C51C3F445F9720FAFB7644A9A336868A380D7BF6B47D174F001A92646
Reporter JAMESWT_WT
Tags:exe Ransomare.Koxic

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Spynet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221443/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching a process
DNS request
Creating a file
Changing an executable file
Changing a file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Replacing files
Blocking the Windows Defender launch
Hiding the Action Center notifications
Launching a tool to kill processes
Encrypting user's files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61ea97dbd32385db6314b92f/reports/c5abdf4a-e974-49f9-84f8-07c040e5aba0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1c9e9a6-3160-4d33-a955-f85b2bd5b6c0
Result
Threat name:
Koxic
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925173
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Disable Windows Defender real time protection (registry)
Hides the Windows control panel from the task bar
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Uses ipconfig to lookup or modify the Windows network settings
Uses taskkill to terminate AV processes
Yara detected Koxic Ransomware
Yara detected RansomwareGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557651 Sample: enc.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Koxic Ransomware 2->49 51 4 other signatures 2->51 8 enc.exe 22 445 2->8         started        11 notepad.exe 2->11         started        process3 signatures4 61 Uses taskkill to terminate AV processes 8->61 63 Hides the Windows control panel from the task bar 8->63 65 Disable Windows Defender real time protection (registry) 8->65 13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        18 cmd.exe 1 8->18         started        20 18 other processes 8->20 process5 signatures6 22 WMIC.exe 1 13->22         started        25 conhost.exe 13->25         started        67 Deletes shadow drive data (may be related to ransomware) 15->67 69 Uses ipconfig to lookup or modify the Windows network settings 15->69 27 taskkill.exe 1 15->27         started        35 3 other processes 15->35 37 2 other processes 18->37 29 conhost.exe 20->29         started        31 WMIC.exe 1 20->31         started        33 WMIC.exe 1 20->33         started        39 19 other processes 20->39 process7 signatures8 53 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 22->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->57 59 2 other signatures 22->59 41 conhost.exe 29->41         started        43 WMIC.exe 29->43         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-14 11:26:47 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
30 of 43 (69.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngivtzuv4iykjdmuwyidwseub3kznufur63nsnwajwdo5vjzz3gq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8
Ransomare.Koxic
1de7d120de2ceb094ba479b868b7ed8a0f16d5ef95e476707a1ccb94b6631457
Ransomare.Koxic
488aeadb7b5bfdcf2b7bf7f25518f6ccaf136e90bf81409838d7f8051938d076
Ransomare.Koxic
5ee8500fe1a2f22029908d4e2b32e7fb85aec03ffea714f3b5e82ebb2bc10f21
Ransomare.Koxic
6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180
Ransomare.Koxic
84cbffb84b7c9ced79b511f82a15414d9202ab68479dfe44cec7b745ed12f973
Ransomare.Koxic
a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
Ransomare.Koxic
d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796
Ransomare.Koxic
+ 1'841 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware trojan upx
Link:
https://tria.ge/reports/220121-nhqtwscgbj/
Behaviour
Gathers network information
Interacts with shadow copies
Kills process with taskkill
Opens file in notepad (likely ransom note)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Deletes itself
Windows security modification
Disables taskbar notifications via registry modification
Modifies extensions of user files
Deletes shadow copies
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
95202fe13309a9b1651766298c833b21494a92f0b210fc6469d79d3fa444db81
MD5 hash:
060d27d25844b408e0d5d6d42684b669
SHA1 hash:
5105db84660209f5481880e09145536254c6995b
Link:
https://www.unpac.me/results/9ddb3187-5f04-433e-bd74-2b7870f1587b/
SH256 hash:
699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
MD5 hash:
14ee62fcc9163509856671400429ad55
SHA1 hash:
7544332b52769ca853d900669ef5e272a2ae1665
Link:
https://www.unpac.me/results/9ddb3187-5f04-433e-bd74-2b7870f1587b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Ransomare.Koxic

Executable exe 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221443/
  
URLhaus
https://urlhaus.abuse.ch/url/1995484/
  
Delivery method
Distributed via web download

Comments