Analysis
max time kernel: 129s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2022 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win10v2004-20220812-en
General
Target: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Size: 3.1MB
MD5: fcd1290482187d266d174f924c4b1e46
SHA1: c3f71f34c7bffd0cc0d49af56254d7f34d50b0c2
SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
SHA512: de3b60739be065ee2620f407b1e51c40be007f1dddcf198b9d676973fcc0007178635534009de2649c7908736e2be3efaaea15b955651a7ca7a5c1f2ad6c9df8
SSDEEP: 98304:dGZtUz0g6yFFHnDZs5998H5PBSh4+gNxiP:UPUQgXFFVs5X8q4+O4
Malware Config
Signatures
Detected Xorist Ransomware (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1408-67-0x0000000000400000-0x0000000000785000-memory.dmp | family_xorist
behavioral1/memory/1408-69-0x0000000000400000-0x0000000000785000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | You Are Hacked.exe
Drops file in Drivers directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
1408 | You Are Hacked.exe
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.anonymous | You Are Hacked.exe
Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | You Are Hacked.exe
Loads dropped DLL (4 IoCs)
Processes:
pid | process
1292 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
1292 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
1292 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
1292 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | You Are Hacked.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | You Are Hacked.exe
Drops file in System32 directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_neutral_7572473d88d69307\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\LogFiles\AIT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00e.inf_amd64_neutral_5a376e6a7cb007d5\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_properties.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\zh-TW\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\IME\imekr8\applets\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\slmgr\0411\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Break.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\ja-JP\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\XPSViewer\es-ES\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt | You Are Hacked.exe
File created | C:\Windows\System32\catroot2\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\termkbd.inf_amd64_neutral_e561157e16aa2357\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Parsing.help.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\digitalmediadevice.inf_amd64_neutral_6fd673519d66ab20\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumN\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_neutral_232b95977cf6d84c\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmcom.inf_amd64_neutral_716a306ec3899e04\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_command_precedence.help.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_neutral_c3910bbf4fbccf97\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\fr-FR\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_do.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\InstallShield\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\XPSViewer\ja-JP\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx008.inf_amd64_neutral_75545721835fd863\Amd64\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_neutral_1874f16002601f78\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\megasr.inf_amd64_neutral_30b367f92ca46598\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt | You Are Hacked.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hmnadhmbfkpeincg.bmp" | You Are Hacked.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | You Are Hacked.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
pid | process
1408 | You Are Hacked.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png | You Are Hacked.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Portal\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip | You Are Hacked.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png | You Are Hacked.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html | You Are Hacked.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif | You Are Hacked.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF | You Are Hacked.exe
File created | C:\Program Files (x86)\Windows Defender\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF | You Are Hacked.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png | You Are Hacked.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF | You Are Hacked.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png | You Are Hacked.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png | You Are Hacked.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34B.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF | You Are Hacked.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html | You Are Hacked.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm | You Are Hacked.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG | You Are Hacked.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF | You Are Hacked.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png | You Are Hacked.exe
Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_format.ps1xml.help.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-t..chxreadingstringime_31bf3856ad364e35_6.1.7600.16385_none_0f8ba5ee52454454\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6c99918b70a0dfca\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_netfx35linq-system.web.entity_31bf3856ad364e35_6.1.7601.17514_none_9354893ea98f539e\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_prnxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17d11ca62802f41b\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\modern_settings.png | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..i-asyncui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e97be7029257dedc\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.18010_none_86608c5a70f925bc\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-secinit_31bf3856ad364e35_6.1.7600.16385_none_e3ace21ee6af3fb6\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7d1934d0258df2c9\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0194025d4203e7d0\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_prnca00e.inf_31bf3856ad364e35_6.1.7600.16385_none_deda1dd628caac71\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\msil_srpuxsnapin.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_2a06ef8775bc24df\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_netfx-ado_net_diag_b03f5f7f11d50a3a_6.1.7600.16385_none_41e26933a436d37d\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\1.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_prnlx005.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d301437819241fc2\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_netfx35linq-system.web.entity.design_31bf3856ad364e35_6.1.7601.17514_none_9b02b0c871489614\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp4.jpg | You Are Hacked.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000411_31bf3856ad364e35_6.1.7600.16385_none_4d8ba97cb2499bcd\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_netfx-mscorsvc__dll_b03f5f7f11d50a3a_6.1.7601.17514_none_2f4c7f14c0acdcc3\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..-tlntsess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e75bb32b3b137fb4\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\Microsoft.NET\Framework64\v3.5\1031\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-fus.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf4af7304aacbbae\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_de-de_875f491fa4760076\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-taskkill.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fec089582ae52264\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-xpsifilter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d0cfec0652782fb\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_107af607b8436e94\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sethc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_573476d3c931e4ee\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-security-spp-ux-data_31bf3856ad364e35_6.1.7601.17514_none_61e7a64867b553a6\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-r..stion-detector-core_31bf3856ad364e35_6.1.7600.16385_none_54dd4ad229c92897\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-msls31_31bf3856ad364e35_11.2.9600.16428_none_ae56e6c4b781ef91\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-c..gement-perfcounters_31bf3856ad364e35_6.1.7600.16385_none_814c249ec2a32783\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Ref.help.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Print complete.wav | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_lsi_scsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_246d4081ec3276cc\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6e4620a36290fd66\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Logon Sound.wav | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Ding.wav | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f1d1bd913694f1d0\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_rndiscmp.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6791b6f3c7fd13\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-class_ss_31bf3856ad364e35_6.1.7600.16385_none_17723c290c0f2178\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-t..atahelper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_259b9bb0f00b1308\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-e..-mcplayer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1268989a682b8fa1\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b1e5a8ec846054b\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_pssessions.help.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_082f99a432e2a661\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\inf\ASP.NET_4.0.30319\0019\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..ork-msutb.resources_31bf3856ad364e35_6.1.7600.16385_es-es_41b68dd3b0f81962\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d1240af48795ef12\currency.html | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_it-it_75597592789f1a85\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_da-dk_4099a4adfbeefa1e\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_tape.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ada822601850b6f6\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_amdsbs.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_267caec07f213aec\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Star_Empty.png | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_de-de_62497c70b6d3816f\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\msil_system.core.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_c240b1366b990e94\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_infocard.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_49d88c0d5cf1bf75\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_es-es_610344214443bd26\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_deb8ae3579e8c0be\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw48.bmp | You Are Hacked.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
You Are Hacked.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command You Are Hacked.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
You Are Hacked.exe
pid process
1408 You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
description pid process target process
PID 1292 wrote to memory of 1408 1292 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1292 wrote to memory of 1408 1292 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1292 wrote to memory of 1408 1292 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1292 wrote to memory of 1408 1292 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
"C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe
"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe" 2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1408
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.5MB
MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067