Analysis

  • max time kernel
    129s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2022 13:01

General

  • Target

    7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe

  • Size

    3.1MB

  • MD5

    fcd1290482187d266d174f924c4b1e46

  • SHA1

    c3f71f34c7bffd0cc0d49af56254d7f34d50b0c2

  • SHA256

    7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e

  • SHA512

    de3b60739be065ee2620f407b1e51c40be007f1dddcf198b9d676973fcc0007178635534009de2649c7908736e2be3efaaea15b955651a7ca7a5c1f2ad6c9df8

  • SSDEEP

    98304:dGZtUz0g6yFFHnDZs5998H5PBSh4+gNxiP:UPUQgXFFVs5X8q4+O4

Malware Config

Signatures

  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
    "C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe
      "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:1408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • memory/1292-59-0x0000000003920000-0x0000000003CA5000-memory.dmp

    Filesize

    3.5MB

  • memory/1292-61-0x0000000003920000-0x0000000003CA5000-memory.dmp

    Filesize

    3.5MB

  • memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

    Filesize

    8KB

  • memory/1408-60-0x0000000000000000-mapping.dmp

  • memory/1408-63-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/1408-66-0x0000000077B70000-0x0000000077CF0000-memory.dmp

    Filesize

    1.5MB

  • memory/1408-67-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/1408-68-0x0000000077B70000-0x0000000077CF0000-memory.dmp

    Filesize

    1.5MB

  • memory/1408-69-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/1408-70-0x0000000077B70000-0x0000000077CF0000-memory.dmp

    Filesize

    1.5MB