Koxic Ransomware Deep-dive Analysis

Ransomware groups are posing a more significant and multi-pronged danger to organizations worldwide. The biggest hazard to businesses is losing access to their systems and data. Furthermore, ransomware gangs’ potential to expose data if their ransom demands are rejected or reported to law enforcement agencies has become more concerning.

Cyble Research Labs have come through new ransomware known as Koxic. This blog showcases the deep-dive analysis of one of the Koxic ransomware samples to identify their capabilities and the way to secure yourself/your organization from them.

Technical Analysis

Based on static analysis, we found that the malicious file is a 32-bit Graphical User Interface (GUI) based binary, as shown in Figure 1.

Figure 1 Static File Information of Koxic Sample

After execution, Koxic Ransomware tries to get system information using GetSystemInfo() API, which extracts the information such as ProcessorType, NumberOfProcessors, etc.

Figure 2 Koxic Ransomware Collect System Info

The following Registry values are added/modified by the ransomware, which helps the attacker set the Remote Desktop services settings, disables windows defender features, removes security and maintenance icons, and disables notifications and action centers.

  • SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxDisconnectionTime
  • SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxIdleTime
  • SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup\\DisableHomeGroup
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\AllowFastServiceStartup
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\ServiceKeepAlive
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection
  • SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection
  • SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\DisableBlockAtFirstSeen
  • SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent
  • SOFTWARE\\Microsoft\\Windows Defender\\UX Configuration\\NotificationSuppress
  • SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection
  • Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth
  • Software\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter

If they are actively running in the system, the ransomware terminates processes such as MSASCuiL.exe, MSMpeng.exe, and msseces.exe.

Figure 3 Kills Windows Security Apps

The malware also deletes the shadow copies using vssadmin and disables the database applications such as MongoDB, SQLWrite, and MSSQLServerOLAPService before starting the encryption.

Figure 4 Deletes Shadow Copies

Then, it executes a custom decryption logic for getting the name of the ransom note, as shown in the below figure.

Figure 5 Decryption Loop

After identifying the ransom note name, the ransomware calls the following APIs for getting the system privileges which supports the encryption process.

  • SeBackupPriviledge(): This API grants access to the attacker for reading files for their encryption process.
  • SeRestorePriviledge(): Grants access to attacker for writing files.
  •  SeManageVolumePriviledge(): Allows attackers to understand the volume details for their encryption process.
  • SeTakeOwnershipPriviledge(): Allows attackers to take ownership of files or other objects.

The ransomware then steals sensitive system information and writes it to a file named “MOJPMLVBJ” in the TEMP folder, as shown in Figures 6 and 7. After the encryption process, the stolen information ends up with the attacker.

Figure 6 Commands to steal system information
Figure 7 Stolen information

The malware calls GetLogicalDrives() function to get the details of the drive in the victim’s machine for encrypting the files. Next, the malware creates a mutex named “atus” to make sure another instance of the same program is not running on the machine. Finally, it drops ransom notes in all the locations.

The below figure demonstrates the ransom note dropped by the malware with the name “WANNA_RECOVER_KOXIC_FILEZ_KLIBD.txt” to instruct the victims to pay the ransom money for the decryption keys.

Figure 8 Ransom note

In their ransom note, the TAs have instructed victims to contact them via qTox on their TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F and have also given an Email ID: wilhelmkox@tutanota[.]com. In case the victim does not pay the ransom, the attackers, through the ransom note, threaten the victims to leak or sell their data to black-market or to competitors, and they also threaten for DDOS attack on the victim’s infrastructure.

After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the extension with “KOXIC_KLIBD” as shown in the below figure.

Figure 9 Encrypted Files on the Machine

Finally, the malware deletes itself using CreateProcess() API, as shown in Figure 10.

Figure 10 Malware Deletes Executable after Execution


To update their Ransomware programs with new Tactics, Techniques, and Procedures (TTPs) to target devices, TAs continually add new functionality to their code. Based on these interpretations, we can reasonably predict that future Koxic versions will include even more improvements.

We continuously monitor Koxic’s extortion campaigns and update our readers with the latest information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent ransomware attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users should take the following steps after the ransomware attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts and cruciality Of Koxic Ransomware

  • Loss of Valuable data.
  • Loss of organization’s reliability or integrity.
  • Loss of organization’s businesses information.
  • Disruption in organization operation.
  • Economic loss.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1078-Valid Accounts
ExecutionT1059-Command and Scripting Interpreter
Privilege EscalationT1548-Abuse Elevation Control Mechanism
Defense EvasionT1112
-Modify Registry
-Obfuscated Files or Information
-Impair Defenses: Disable or Modify Tools
-System Information Discovery
-File and Directory Discovery
-Inhibit System Recovery 
-Service Stop
-Data Encrypted for Impact

Indicators of Compromise (IOCs)

IndicatorsIndicator typeDescription
699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecdSHA256Koxic Executable
wilhelmkox@tutanota[.]comEmail IDEmail ID mentioned in Koxic Ransom Note

Scroll to Top