Analysis

  • max time kernel
    126s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-04-2021 11:39

General

  • Target

    5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe

  • Size

    70KB

  • MD5

    0a6cc2a5fd2701a3d80cca1438c4950d

  • SHA1

    260f28d8fde4bccee35b4c5a80568ca431e13435

  • SHA256

    5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c

  • SHA512

    e70ce320f088aec289b9ae8c5ed539d6f10581544b53a23053746514744f51556c8fcdb193f6c88421b1bc22e5bdfd1270c5048e9fb8da391e5dcc0d2a157152

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note

your network has been infected due to improper browsing with infected html :( * all data has been locked with a unique key and has become .btCry_zip :( * without the unique key, it is impossible to bring your data to the state of origin :( * with the exclusive key in hand, it takes 20 minutes to unlock your data :) * you can get this key for just a fee. contact us email: btcontact@protonmail.com send id along with email id-67588824752785452767452345237499285 PS: * do not rename or change the extension of the files, as this will corrupt the renamed file : ( * no need to format or reinstall Windows :) * do not post this message on a third party website, as they will block the only contact email :( as proof of trust send me a file of up to 1 mb which i will return to you in its original state :)))) contact us until 04/13/2021
Emails

btcontact@protonmail.com

Signatures

  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe
    "C:\Users\Admin\AppData\Local\Temp\5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    PID:2840
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3020 -s 7416
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2760
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2760 -s 4172
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3104
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    PID:3732
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:780
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
      2⤵
        PID:732
      • C:\Users\Admin\AppData\Local\Temp\6f6Um0t6lTX1txd.exe
        "C:\Users\Admin\AppData\Local\Temp\6f6Um0t6lTX1txd.exe"
        2⤵
        • Executes dropped EXE
        PID:2220
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3388
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1060 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    T1112 Modify Registry (3)
  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (3)
    T1120 Peripheral Device Discovery (2)
    T1082 System Information Discovery (3)
  • Collection
    T1005 Data from Local System (1)


Downloads

      • C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
        MD5

        19925a6583093334fd73fd22a6c258d8

        SHA1

        536c492cdf58e3d66653781f3bf3e0c0285ba783

        SHA256

        a6e3d7696a31918deeb55dd86932f06fa8a90dd1bca6c945fb79f78a31b59a6e

        SHA512

        346420bdbaee6073077294b046c8dd880c3e8b72579ec7d07dfd67c1f18157ad36fb83bae74094d48995849b5a5eb53ec82cfdc9440c2e092094f239a9087a39

      • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
        MD5

        d640c7c9780ef19f3042bbc3c4abf3a8

        SHA1

        23aae1a0b9ff7f1e5c31812e1b38645584d6b3aa

        SHA256

        194c8420b3788da8f6f90c3265696fe746f2246735b7848800b53d098eeac225

        SHA512

        02ba30a071ff7ac0d155f9e48528e3df57edeff5c2e92f0a533c13687e2ae101cc8e19da7088556d8950e7db981f63a630b8b3fc124df26403c552a481e9d900

      • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.btCry_zip
        MD5

        b49339d686de442f8a300e8c5e1833a8

        SHA1

        24f53b3073b266fdd8adb91e4f79f3025fab98e8

        SHA256

        f3e3db5624988feb2bf625a633c18632abf4dcfd914b7b96bc444a4a40ef0ddf

        SHA512

        b33b6226be96bafe6504f90be9e244b787c6d07d62a2b9465f60bca415929c13891df984dae3f2d6d33cdf138891afe7570917d75feed03173b112696d160021

      • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.btCry_zip
        MD5

        a0d1086b50b66907c76ecabd78b4624d

        SHA1

        41d648ca84595e078baf0ae6be813d97a797036b

        SHA256

        8d3e1c3600847d84691c0f00ccda506924feedebb02bac9a2e06d5e422b4b26d

        SHA512

        8ebe71d1742693f477dea70bc2afec6938f836596f7277f40e85a6ebb24d42ce2705958784ea7e95513c81570595cc5a081d22ef8345d5356582a8de0edb5b31

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.btCry_zip
        MD5

        e6df94332cb28939e1f082207ba02649

        SHA1

        b6a32f4f38a88934a3659cc6b803f3820883e61f

        SHA256

        50eb18710589ef3449c8fbe0bfc337390b833c2a4a3eaceab8acaa12637d3405

        SHA512

        e6d293ae12a0e14bcc1142eca1eb6788e4635cf6d39145d2f627fc7f7ce3672a03d584f68bd3c4fad142ac5626f9180315b175c0c5b7fab13b3eee980f6e9dd9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.btCry_zip
        MD5

        fcf1b9d9bd1d92ccfc0ec4dc8ff216a2

        SHA1

        f20c577e73c5da651982b5b1d7b44d00c89be21d

        SHA256

        8786917cb52e1892d0fcd1474b542948f5d2abfd4e944994e428c506065ae43f

        SHA512

        7ddbfeb844e7396ac21a2c5ea389bdb4d4359900fdba122251351b86f6d6617f18f3a3bc542dbb48d511050cc0ce0bcc5e2bf6cf181fcd2c37867751df7b2055

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
        MD5

        12f7b7dc9907300d761e88b3ad48c86c

        SHA1

        29bafa813ccb606a33fd4a8d2b3f3b6ac2abe43d

        SHA256

        e3ef4f1374f7925f6d5f8a72f5d99a7fbd319e92370ce6d8865231104c257dbd

        SHA512

        0f9f3c2acb4ebbe6cbcd6694c8f6f04588aa0c7faadc2b86ad9d49307bfd71205073ac42609aab0fe3c4a4042cc2b41d4ca7d15870737f107bcfda6f08e2d2b7

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
        MD5

        e0b4b6cd8300a2a528869a1eaee4ef18

        SHA1

        21c2d348732c5d2b3c170cbb9ea16dd921b5b529

        SHA256

        fa0a32639b38bda273e8e0c48880255d0df984b82de69186781e8a4384f10553

        SHA512

        ab3276615424cd83e614909342c98cf12359946506c06c63778da4eadc9044735098cae09c8b27c453da755b18b13483795f25ea36d490282e9a2bdba6b48b62

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
        MD5

        ae6fbded57f9f7d048b95468ddee47ca

        SHA1

        c4473ea845be2fb5d28a61efd72f19d74d5fc82e

        SHA256

        d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

        SHA512

        f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
        MD5

        580c0e3985d0c9f5774ab8ec15513321

        SHA1

        f9e5850a58d0b15eb5d8b983d357bdd06e21f2fa

        SHA256

        e7c96072622637716ae2bc83edcadd0f04609f393605bc512f0d2dae52430452

        SHA512

        7bf110ed4592e8d30f81e58a9557894630e994758e3b09a98f3843b7722de603fe7d4040122a2bdd637854085871946932f29f8b95ed3928118d90c74b03fbe6

      • C:\Users\Admin\AppData\Local\Temp\6f6Um0t6lTX1txd.exe
        MD5

        0a6cc2a5fd2701a3d80cca1438c4950d

        SHA1

        260f28d8fde4bccee35b4c5a80568ca431e13435

        SHA256

        5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c

        SHA512

        e70ce320f088aec289b9ae8c5ed539d6f10581544b53a23053746514744f51556c8fcdb193f6c88421b1bc22e5bdfd1270c5048e9fb8da391e5dcc0d2a157152

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.btCry_zip
        MD5

        65845a4fb81f635208b9ffce737db63f

        SHA1

        09b93c92823b26eddd559c6e5e5e0a263b3bfce9

        SHA256

        57ffe97f4caa710f7fc3525dece4d1c452bcf8d6fb1ae826ab6f3864a5693ee1

        SHA512

        40c26799cec6a9f72000558d0a8e1777edf83f26e6c44cfadb5c4562d9d1f26756030122bacefeff2208178cb2a818cdba15d5ea0cdea7857d3846060280aa3e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\HOW TO DECRYPT FILES.txt
        MD5

        9cc0c76ca19b1a4e97de6fabc092b1ac

        SHA1

        8370d3eeb719c63044b5809139ffbd983bcb2465

        SHA256

        69bdf98042a2f33105977111ddfd707bdca5c445ce9c5421112829c098a50fe3

        SHA512

        0b6ca3779a28287ef1cc6e760103fd5fc3d631e975125cc6d12cdaa895f9781a7b643441cfc829f38f66f179e6a3098cd1df7ae4ee3422502373bc45506711ae

      • C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
        MD5

        9cc0c76ca19b1a4e97de6fabc092b1ac

        SHA1

        8370d3eeb719c63044b5809139ffbd983bcb2465

        SHA256

        69bdf98042a2f33105977111ddfd707bdca5c445ce9c5421112829c098a50fe3

        SHA512

        0b6ca3779a28287ef1cc6e760103fd5fc3d631e975125cc6d12cdaa895f9781a7b643441cfc829f38f66f179e6a3098cd1df7ae4ee3422502373bc45506711ae

      • C:\Users\Admin\Desktop\RestartTest.xls.btCry_zip
        MD5

        3d66d7885a7f7c071852af211c2e62ed

        SHA1

        8e5447fb1ea731815aaf61155817f5a6090e2bb5

        SHA256

        ee12d407ba2046f30eb973996ee4f18353cccfc7273278d2b05208927eb95c0f

        SHA512

        89733c1c29e5ce1137ed9f19a4dc4868af7d9dea2e5ed6c46ec519586a98387cf6fcd3e3502f9ff01270f24ed43d41902b2b7af22db8c57df16d5a421dbb39f2

      • \??\c:\users\admin\appdata\local\temp\6f6um0t6ltx1txd.exe
        MD5

        0a6cc2a5fd2701a3d80cca1438c4950d

        SHA1

        260f28d8fde4bccee35b4c5a80568ca431e13435

        SHA256

        5acebee8f450c294dcaad9165a1e3dd27ff027e99cca65564546e6ea2818b91c

        SHA512

        e70ce320f088aec289b9ae8c5ed539d6f10581544b53a23053746514744f51556c8fcdb193f6c88421b1bc22e5bdfd1270c5048e9fb8da391e5dcc0d2a157152

      • memory/732-129-0x0000000000000000-mapping.dmp
      • memory/2220-131-0x0000000000000000-mapping.dmp
      • memory/3632-123-0x00000000025A0000-0x00000000025A1000-memory.dmp
        Filesize

        4KB