Analysis
-
max time kernel: 122s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 23:26
Behavioral task behavioral1: Sample X.exe, Resource win7-20220901-en
Behavioral task behavioral2: Sample X.exe, Resource win10v2004-20220812-en
General
-
Target: X.exe
Size: 39KB
MD5: 9a93a9d1477f55a4dfd90693c0c63d3c
SHA1: e59ef4b2e15307e64469b0a0c31d29bb88b3cd68
SHA256: 990fb8e947d55d00381f5858ff19d266b766f284252abd1caf85045a4b947b4e
SHA512: fe0843cf358bd6e85bd9317826a3c35591902c3e3d98eb04675f4145525a003921f09018afa7cbf518bcc8c3fbc18b5c3585cc10cd7d58fdf895073579b00c09
SSDEEP: 384:2ebFNw4Pk1itKkpAjj5r0XqYvjSXkDCgSikU8T7XtBbDv1Lo:20FmBkpKjTY73DChDjbDa
Malware Config
Signatures
-
Detected Xorist Ransomware 3 IoCs
resource / yara_rule:
- behavioral1/memory/1880-55-0x0000000000400000-0x000000000040D000-memory.dmp: family_xorist
- behavioral1/memory/1880-56-0x0000000000400000-0x000000000040D000-memory.dmp: family_xorist
- behavioral1/memory/1880-57-0x0000000000400000-0x000000000040D000-memory.dmp: family_xorist
-
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
-
Drops file in Drivers directory 8 IoCs
Processes: X.exe
description / ioc / process:
- File created: C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt (X.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt (X.exe)
- File created: C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt (X.exe)
-
resource / yara_rule:
- behavioral1/memory/1880-55-0x0000000000400000-0x000000000040D000-memory.dmp: upx
- behavioral1/memory/1880-56-0x0000000000400000-0x000000000040D000-memory.dmp: upx
- behavioral1/memory/1880-57-0x0000000000400000-0x000000000040D000-memory.dmp: upx
-
Drops startup file 1 IoCs
Processes: X.exe
description / ioc / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (X.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: X.exe
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (X.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" (X.exe)
-
Drops file in System32 directory 64 IoCs
Processes: X.exe
-
Drops file in Program Files directory 64 IoCs
Processes: X.exe
-
Drops file in Windows directory 64 IoCs
Processes: X.exe
-
Modifies registry class 10 IoCs
Processes: X.exe
description / ioc / process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW" (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW (X.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!" (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon (X.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0" (X.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command (X.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" (X.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\X.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\X.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1880