Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 23:26
Behavioral task behavioral1
- Sample: X.ex_.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: X.ex_.exe
- Resource: win10v2004-20220812-en
General
- Target: X.ex_.exe
- Size: 39KB
- MD5: 9a93a9d1477f55a4dfd90693c0c63d3c
- SHA1: e59ef4b2e15307e64469b0a0c31d29bb88b3cd68
- SHA256: 990fb8e947d55d00381f5858ff19d266b766f284252abd1caf85045a4b947b4e
- SHA512: fe0843cf358bd6e85bd9317826a3c35591902c3e3d98eb04675f4145525a003921f09018afa7cbf518bcc8c3fbc18b5c3585cc10cd7d58fdf895073579b00c09
- SSDEEP: 384:2ebFNw4Pk1itKkpAjj5r0XqYvjSXkDCgSikU8T7XtBbDv1Lo:20FmBkpKjTY73DChDjbDa
Malware Config
Signatures
- Detected Xorist Ransomware (2 IoCs)
  Processes (resource, yara_rule):
  behavioral1/memory/604-55-0x0000000000400000-0x000000000040D000-memory.dmp, family_xorist
  behavioral1/memory/604-56-0x0000000000400000-0x000000000040D000-memory.dmp, family_xorist
- Xorist Ransomware
  Xorist is a ransomware family first seen in 2020.
- Drops file in Drivers directory (8 IoCs)
  Process: X.ex_.exe
  File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
  File created: C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Process: X.ex_.exe
  File renamed: C:\Users\Admin\Pictures\WaitTrace.png => C:\Users\Admin\Pictures\WaitTrace.png.EnCiPhErEd
- YARA rule upx
  Processes (resource, yara_rule):
  behavioral1/memory/604-55-0x0000000000400000-0x000000000040D000-memory.dmp, upx
  behavioral1/memory/604-56-0x0000000000400000-0x000000000040D000-memory.dmp, upx
- Drops startup file (1 IoC)
  Process: X.ex_.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: X.ex_.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe"
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Modifies registry class (10 IoCs)
  Process: X.ex_.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open
Processes
- C:\Users\Admin\AppData\Local\Temp\X.ex_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\X.ex_.exe"
  PID: 604
  Signatures:
  - Drops file in Drivers directory
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class