xorist | 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901

Target

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Size

583KB
MD5

74d4e0e6dcf5cc7942c35e630036af0c
SHA1

c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256

3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SHA512

110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb

Score

10^/10

xorist persistence ransomware spyware upx

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130e5-7.dat	family_xorist
behavioral1/files/0x00040000000130e5-9.dat	family_xorist
behavioral1/files/0x00030000000130ec-14.dat	family_xorist
behavioral1/files/0x00030000000130ec-15.dat	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Executes dropped EXE 3 IoCs

pid	Process
1176	javas.exe
1988	javas2.exe
1728	asat2.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExitSet.tiff	javas2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130e4-4.dat	upx
behavioral1/files/0x00040000000130e4-5.dat	upx
behavioral1/files/0x00040000000130e5-7.dat	upx
behavioral1/files/0x00040000000130e5-9.dat	upx
behavioral1/files/0x00030000000130ec-14.dat	upx
behavioral1/files/0x00030000000130ec-15.dat	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	javas2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	javas2.exe
File opened for modification	C:\Program Files\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	javas2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	javas2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	javas2.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	javas.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	javas2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	javas2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	javas2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	javas2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini	javas2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	javas2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	javas2.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	javas2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	javas2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.pethya zaplat zasifrovano.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoBase.dll	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	javas2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png	javas2.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF	javas2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.pethya zaplat zasifrovano.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx	javas2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	javas2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCD98SP.POC	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00154_.GIF	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.pethya zaplat zasifrovano.pethya zaplat zasifrovano	asat2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONPPTAddin.dll	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	javas2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF	javas2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar	javas2.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00019_.WMF	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml	javas2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcf.dll	javas2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	javas.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Minsk	javas2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip	javas2.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.LEX	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.pethya zaplat zasifrovano.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID	javas2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	javas2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	javas2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	javas2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	javas2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.pethya zaplat zasifrovano	javas.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	javas2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp	javas.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	javas2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store	javas2.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	javas2.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiBmlDataCarousel\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	javas2.exe
File opened for modification	C:\Windows\AppPatch\sysmain.sdb	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.InfoPath.config	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll	javas2.exe
File created	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll	javas2.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks\3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data.Server\1.0.0.0__89845dcd8080cc91\Microsoft.Synchronization.Data.Server.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.InfoPath.FormControl\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiwmp\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\3.5.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Diagnostics\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napinit\6.1.0.0__31bf3856ad364e35\NAPINIT.DLL	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0\9.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\napinit\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.6.0.ehRecObj\6.1.0.0__31bf3856ad364e35\Policy.6.0.ehRecObj.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0\9.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v9.0.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.UI\6.1.0.0__31bf3856ad364e35\Microsoft.MediaCenter.UI.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\9.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Graph\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Interop\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\1.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract\8.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll	javas2.exe
File created	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime\14.0.0.0__71e9bce111e9429c\Microsoft.Office.BusinessApplications.Runtime.dll	javas2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.SmartTag.dll	javas2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	javas2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe,0"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe,0"	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "QTWVCXAHKDHGIML"	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\DefaultIcon	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\ = "CRYPTED!"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open\command	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\ = "CRYPTED!"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\shell\open	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "YYCMXMJNMOUGWFB"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe,0"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open	javas2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YYCMXMJNMOUGWFB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML	asat2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	javas2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command	javas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PJVOKWEVLGZLZWN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"	javas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QTWVCXAHKDHGIML\ = "CRYPTED!"	asat2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pethya zaplat zasifrovano\ = "PJVOKWEVLGZLZWN"	javas.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 1176	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 484 wrote to memory of 1176	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 484 wrote to memory of 1176	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 484 wrote to memory of 1176	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	26
PID 484 wrote to memory of 1988	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 484 wrote to memory of 1988	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 484 wrote to memory of 1988	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 484 wrote to memory of 1988	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	27
PID 484 wrote to memory of 1728	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 484 wrote to memory of 1728	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 484 wrote to memory of 1728	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28
PID 484 wrote to memory of 1728	484	3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe	28

C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
"C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Temp\javas.exe
  "C:\Users\Admin\AppData\Local\Temp\javas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\javas2.exe
  "C:\Users\Admin\AppData\Local\Temp\javas2.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\asat2.exe
  "C:\Users\Admin\AppData\Local\Temp\asat2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-1-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/484-0-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General