MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ransomare.Koxic
Vendor detections: 9

SHA256 hash: d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA3-384 hash: 7a30db45f724c438f80bca4e87550187c3dbcdf40852e7a2ee771ca01df4aea45ad57d9504dddacf3d2342d281b5361d
SHA1 hash: 0ebf10867534cb472bb98344f80e3a8aac0aa507
MD5 hash: 3c4fa896e819cb8fada88a6fdd7b2cc7
humanhash: high-batman-lactose-timing
File name: d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
Signature Ransomare.Koxic
File size: 161'792 bytes
First seen: 2022-10-11 07:35:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 07253c21dea4ccc980c087252fddc7a8 (2 x Ransomare.Koxic)
ssdeep 3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC
TLSH T1AFF3E16F686C1F25D827A33CB2076E3515F95B1F3AAA16ACEDFE9BB151709401E13083
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags: Ransomare.Koxic

Intelligence
File Origin
# of uploads: 1
# of downloads: 175
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the %temp% directory
Launching a process
Creating a file
Changing an executable file
Changing a file
Moving a file to the Program Files subdirectory
Replacing files
Creating a window
Blocking the Windows Defender launch
Hiding the Action Center notifications
Launching a tool to kill processes
Creating a file in the mass storage device
Encrypting user's files
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Uses ipconfig to lookup or modify the Windows network settings
Writes a notice file (html or txt) to demand a ransom
Yara detected Koxic Ransomware
Yara detected RansomwareGeneric
Behaviour
Behavior Graph ID: 720319
Sample: AmRS96yNs2.exe
Start date: 11/10/2022
Architecture: WINDOWS
Score: 100
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Koxic Ransomware; 3 other signatures
Process tree:
  AmRS96yNs2.exe (started)
    dropped: C:\...\WANNA_RECOVER_KOXIC_FILEZ_GGVOL.txt (three copies, file type reported as Targa); 7 other malicious files
    signatures: Detected unpacking (changes PE section rights); Writes a notice file (html or txt) to demand a ransom
    cmd.exe
      WMIC.exe
        signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
      conhost.exe
    cmd.exe
      signatures: Deletes shadow drive data (may be related to ransomware); Uses ipconfig to lookup or modify the Windows network settings
      taskkill.exe
      conhost.exe
    cmd.exe
      2 other processes
    18 other processes
      WMIC.exe
      WMIC.exe
      WMIC.exe
      23 other processes
  notepad.exe (started)
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2022-10-10 23:38:47 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:koxic evasion ransomware trojan
Behaviour
Opens file in notepad (likely ransom note)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Interacts with shadow copies
Kills process with taskkill
Drops file in Program Files directory
Windows security modification
Disables taskbar notifications via registry modification
Deletes shadow copies
Koxic
Modifies Windows Defender Real-time Protection settings
Gathering data
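The behaviours the sandboxes report above (shadow copy deletion from cmd.exe via WMIC, taskkill, WMI queries for Win32_Bios, Win32_DiskDrive, Win32_PhysicalMemory and Win32_NetworkAdapter, ipconfig and ping, changes to Windows Defender real-time protection, and the WANNA_RECOVER_KOXIC_FILEZ_GGVOL.txt note opened in notepad) are the kind of thing a detection engineer turns into process-creation rules. The script below is an added example written for this page; it is not code from MalwareBazaar, the reporter, or any of the sandbox vendors. The log records in it are constructed, and because the page does not show the sample's actual command lines, every command-line pattern is an assumption about how each reported behaviour typically appears in telemetry such as Sysmon Event ID 1. The record format (timestamp|parent image|image|command line), the rule weights and the verdict threshold are likewise chosen for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str      # label, mirroring the sandbox behaviour wording on the page
    image: str     # regex applied to the image file name (case-insensitive)
    cmdline: str   # regex applied to the full command line (case-insensitive)
    weight: int    # added once to the triage score when the rule matches


# Assumed command-line shapes for the behaviours reported above. The page does
# not show the sample's real command lines; these are generic patterns.
RULES = (
    Rule("deletes shadow copies", r"(vssadmin|wmic)\.exe$",
         r"delete\s+shadows|shadowcopy\s+delete", 5),
    Rule("kills processes with taskkill", r"taskkill\.exe$", r"\s/(im|pid)\s", 2),
    Rule("WMI hardware recon (VM check)", r"wmic\.exe$",
         r"\b(bios|baseboard|diskdrive|nic|nicconfig|memphysical|memorychip)\b"
         r"|Win32_(Bios|BaseBoard|DiskDrive|NetworkAdapter|PhysicalMemory)", 2),
    Rule("modifies Defender real-time protection", r"(reg|powershell)\.exe$",
         r"DisableRealtimeMonitoring|DisableAntiSpyware", 4),
    Rule("network recon (ipconfig/ping)", r"(ipconfig|ping)\.exe$", r".*", 1),
    Rule("opens ransom note in notepad", r"notepad\.exe$",
         r"WANNA_RECOVER_KOXIC_FILEZ", 5),
)

# Constructed process-creation records for this example (not real telemetry):
# timestamp|parent image|image|command line
SAMPLE_LOG = r"""
2022-10-11T07:36:01Z|C:\Users\lab\AmRS96yNs2.exe|C:\Windows\System32\cmd.exe|cmd.exe /c wmic shadowcopy delete
2022-10-11T07:36:01Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2022-10-11T07:36:02Z|C:\Users\lab\AmRS96yNs2.exe|C:\Windows\System32\cmd.exe|cmd.exe /c taskkill /f /im sqlservr.exe
2022-10-11T07:36:02Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\taskkill.exe|taskkill /f /im sqlservr.exe
2022-10-11T07:36:03Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic bios get serialnumber
2022-10-11T07:36:03Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic path Win32_PhysicalMemory get capacity
2022-10-11T07:36:04Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
2022-10-11T07:36:05Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2022-10-11T07:36:09Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\lab\Desktop\WANNA_RECOVER_KOXIC_FILEZ_GGVOL.txt
2022-10-11T07:40:00Z|C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
2022-10-11T07:41:00Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\lab\notes.txt
"""


def basename(path):
    """Image file name without its directory, tolerant of either separator."""
    return re.split(r"[\\/]", path)[-1]


def parse(log_text):
    """Yield (timestamp, parent_image, image, command_line) from the records."""
    for line in log_text.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        yield ts, parent, image, cmdline


def match_rules(image, cmdline):
    """Return every rule whose image and command-line patterns both match."""
    name = basename(image)
    return [rule for rule in RULES
            if re.search(rule.image, name, re.I)
            and re.search(rule.cmdline, cmdline, re.I)]


def triage(log_text, threshold=8):
    """Score a host's process-creation records against RULES.

    Each distinct rule adds its weight once; the evidence list keeps every
    matching record with its parent so the chain back to the dropper is visible.
    """
    matched = {}
    evidence = []
    for ts, parent, image, cmdline in parse(log_text):
        for rule in match_rules(image, cmdline):
            matched.setdefault(rule.name, rule.weight)
            evidence.append((ts, basename(parent), basename(image), rule.name))
    score = sum(matched.values())
    return {
        "score": score,
        "rules": sorted(matched),
        "evidence": evidence,
        "verdict": "ransomware-like" if score >= threshold else "inconclusive",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"score={result['score']} verdict={result['verdict']}")
    for ts, parent, image, rule in result["evidence"]:
        print(f"{ts} {parent} -> {image}: {rule}")
```

Distinct rules add their weight only once, so a host that runs wmic bios get ten times scores the same as one that runs it once; the point is the combination of behaviours, which is what separates this sample's chain from an administrator's script. The benign records at the end (wmic os get caption, notepad on an ordinary file) match nothing, but wmic diskdrive get and ipconfig /all are common in inventory scripts, so the weights and threshold should be tuned against the environment's own baseline before the rule set is used for alerting.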
Unpacked files
SHA256 hash: d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
MD5 hash: 3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1 hash: 0ebf10867534cb472bb98344f80e3a8aac0aa507
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: MALWARE_Win_Koxic
Author: ditekSHen
Description: Detects Koxic ransomware
Rule name: Win32_Ransomware_Koxic
Author: ReversingLabs
Description: Yara rule that detects Koxic ransomware.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments