Analysis

max time kernel: 105s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2022 13:01

Static task: static1

Behavioral task: behavioral1
  Sample: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  Resource: win10v2004-20220812-en

General

Target: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
Size: 3.1MB
MD5: e1cc5a67a7acc98647eb4602dcaa1e3c
SHA1: 039f2dc817aa7db766334907674480eb808ef860
SHA256: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6
SHA512: 551f2767d56540761de105af0845f32d13eab2b90b8251ec6f1116729f2fc61a48622a1cd9250229a41c8e598e20b9bf7d0614061e5bacec1fca98806fabdaa1
SSDEEP: 98304:dG9tUz0g6yFFHnDZs5998H5PBSh4+gNxii:UrUQgXFFVs5X8q4+Ov
Malware Config

Signatures

Detected Xorist Ransomware (2 IoCs)
Xorist Ransomware: Xorist is a ransomware first seen in 2020.
Processes:
  resource: behavioral1/memory/900-70-0x0000000000400000-0x0000000000785000-memory.dmp, yara_rule: family_xorist
  resource: behavioral1/memory/900-72-0x0000000000400000-0x0000000000785000-memory.dmp, yara_rule: family_xorist
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: You Are Hacked.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Drops file in Drivers directory (8 IoCs)
Processes: You Are Hacked.exe
  File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
  File created: C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt
Executes dropped EXE (1 IoCs)
Processes: You Are Hacked.exe
  pid 900: You Are Hacked.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: You Are Hacked.exe
  File renamed: C:\Users\Admin\Pictures\SetSave.png => C:\Users\Admin\Pictures\SetSave.png.anonymous
Drops startup file (1 IoCs)
Processes: You Are Hacked.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: You Are Hacked.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine
Loads dropped DLL (4 IoCs)
Processes: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  pid 1368: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe (4 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: You Are Hacked.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe"

Processes: You Are Hacked.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory (64 IoCs)
Processes: You Are Hacked.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: You Are Hacked.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkmnpacefhjkmopb.bmp"
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: You Are Hacked.exe
  pid 900: You Are Hacked.exe
Drops file in Program Files directory (64 IoCs)
Processes: You Are Hacked.exe
Drops file in Windows directory (64 IoCs)
Processes: You Are Hacked.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
You Are Hacked.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command You Are Hacked.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
You Are Hacked.exe
pid process
900 You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
description pid process target process
PID 1368 wrote to memory of 900 1368 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
PID 1368 wrote to memory of 900 1368 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
PID 1368 wrote to memory of 900 1368 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
PID 1368 wrote to memory of 900 1368 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe "C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
2. C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:900
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.5MB
MD5
93412c40272361e258e4dc0de74f7075
SHA1
c13b3cf156b76980c4eab4fae183758c4700440d
SHA256
7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512
00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067