Analysis
max time kernel: 154s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 23:26
Behavioral task: behavioral1
Sample: X.ex_.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: X.ex_.exe
Resource: win10v2004-20220812-en
General
Target: X.ex_.exe
Size: 39KB
MD5: 9a93a9d1477f55a4dfd90693c0c63d3c
SHA1: e59ef4b2e15307e64469b0a0c31d29bb88b3cd68
SHA256: 990fb8e947d55d00381f5858ff19d266b766f284252abd1caf85045a4b947b4e
SHA512: fe0843cf358bd6e85bd9317826a3c35591902c3e3d98eb04675f4145525a003921f09018afa7cbf518bcc8c3fbc18b5c3585cc10cd7d58fdf895073579b00c09
SSDEEP: 384:2ebFNw4Pk1itKkpAjj5r0XqYvjSXkDCgSikU8T7XtBbDv1Lo:20FmBkpKjTY73DChDjbDa
Malware Config
Signatures
Detected Xorist Ransomware (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4972-133-0x0000000000400000-0x000000000040D000-memory.dmp | family_xorist
behavioral2/memory/4972-134-0x0000000000400000-0x000000000040D000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Drops file in Drivers directory (8 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | X.ex_.exe
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SendUpdate.png => C:\Users\Admin\Pictures\SendUpdate.png.EnCiPhErEd | X.ex_.exe
File renamed | C:\Users\Admin\Pictures\RestoreComplete.png => C:\Users\Admin\Pictures\RestoreComplete.png.EnCiPhErEd | X.ex_.exe
Processes:
resource | yara_rule
behavioral2/memory/4972-133-0x0000000000400000-0x000000000040D000-memory.dmp | upx
behavioral2/memory/4972-134-0x0000000000400000-0x000000000040D000-memory.dmp | upx
Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | X.ex_.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | X.ex_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" | X.ex_.exe
Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\Com\it-IT\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_f52d5ad58116f6f0\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_infrared.inf_amd64_3160910a003e1f11\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_9af3a8a63d4cb5f9\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_5dbe5e81fafe4636\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_f496147578cad554\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\es\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\IME\IMEKR\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_1183fd0f13045f2e\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_3e3f05a8a446e75f\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\dc1-controller.inf_amd64_63236b4ab51ad398\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mbtr8897w81x64.inf_amd64_0d8225e7d2696ece\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netip6.inf_amd64_f29ffcd2b14f21f5\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\displayoverride.inf_amd64_c7a5777273c98ebf\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_multifunction.inf_amd64_8bf0fd2423b20b97\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_f017e7b18ec67a97\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp.inf_amd64_614ec8e6e63777b7\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_mouse.inf_amd64_822333b41326bc2f\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmega.inf_amd64_f35131186d3026aa\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_netclient.inf_amd64_b7f9bb71730aaf1a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ialpssi_gpio.inf_amd64_62ffa3c95446bcfc\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_32023cb966fd5c8c\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_2be0e52237040d42\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_proximity.inf_amd64_e42355875c34e406\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ialpss2i_i2c_skl.inf_amd64_9d9dbb01837eba23\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_d2feb24c2d3b69d4\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_7a30f5a9441cd55b\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8192su64.inf_amd64_66c8bfc7a4b1feed\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\SysWOW64\@AppHelpToast.png | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmeiger.inf_amd64_05ca2a1836c16cab\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_5b5f11128afa2611\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_be5d923b5e701b62\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_ea60132f1a9a7a62\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_smrvolume.inf_amd64_1d430c5b72323a1c\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_4b833c2630a2a287\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_7534987814b257b2\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_cfd501781ae941c0\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_9076ffc34f080cc1\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_72258921635be994\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\acpidev.inf_amd64_0f7f041f33bd01cc\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_hidclass.inf_amd64_b37df5bd0922aeef\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_fscfsmetadataserver.inf_amd64_ef3485e85c5c1b11\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\halextintclpiodma.inf_amd64_7f59f2c73a7fab14\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\System32\DriverStore\FileRepository\uaspstor.inf_amd64_63788a81c4c628c5\HOW TO DECRYPT FILES.txt | X.ex_.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Program Files (x86)\Common Files\System\it-IT\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\4px.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-fullcolor.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlInnerCircleHover.png | X.ex_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireSmallTile.scale-125.jpg | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-400.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-colorize.png | X.ex_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Program Files (x86)\Common Files\System\de-DE\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Lollipop.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\156.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-40.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated.png | X.ex_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-100.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-200_contrast-black.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-125.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-150.png | X.ex_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_contrast-black.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_android.gif | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-125.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-100_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-100.png | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-150.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-200.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-100.png | X.ex_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125.png | X.ex_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_PoP_sm.png | X.ex_.exe
Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.Resources\3.5.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\c517b5de3ade40af4b13e1c7de729512\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Console\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation.resources\v4.0_4.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\6c6b5e42d2883b18fa1ce25d63405a98\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\b30f79be7900adae3fd58b81eff708f6\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\24e5a23b2c87e9237100d3f7b363969a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\ImmersiveControlPanel\images\EaseOfAccess.png | X.ex_.exe
File opened for modification | C:\Windows\Media\Windows Notify Messaging.wav | X.ex_.exe
File created | C:\Windows\ImmersiveControlPanel\pris\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\ServiceModelOperation 3.0.0.0\0409\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de-DE\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\e7dd774251db1abf49179f2d4e109684\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-125.png | X.ex_.exe
File opened for modification | C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-white_scale-150.png | X.ex_.exe
File created | C:\Windows\diagnostics\system\Keyboard\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\ServiceModelOperation 3.0.0.0\040C\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput\v4.0_10.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem.Watcher\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\Framework64\1036\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\07d0fee6b2ba31e14624c84d372674bd\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ja-JP\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources\3.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\980fa3ed3ab5c8682ba89accfb74e0c7\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting\v4.0_10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.Vectors.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es-ES\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\es-ES\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\Windows Workflow Foundation 3.0.0.0\0C0A\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\Media\Windows Shutdown.wav | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\Media\Speech Sleep.wav | X.ex_.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk | X.ex_.exe
File created | C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\f091eefc9995f0971e4c1a5d394ca967\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\.NETFramework\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\WmiApRpl\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg | X.ex_.exe
File created | C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\ja-JP\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationCore.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\usbhub\0407\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\0000\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\v4.0_3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | X.ex_.exe
File created | C:\Windows\Boot\EFI\fr-FR\HOW TO DECRYPT FILES.txt | X.ex_.exe
Modifies registry class (10 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command | X.ex_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell | X.ex_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd | X.ex_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon | X.ex_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!" | X.ex_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0" | X.ex_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open | X.ex_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" | X.ex_.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW" | X.ex_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW | X.ex_.exe
Processes
C:\Users\Admin\AppData\Local\Temp\X.ex_.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\X.ex_.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID: 4972