Analysis

  • max time kernel
    105s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2022 13:01

General

  • Target

    14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe

  • Size

    3.1MB

  • MD5

    e1cc5a67a7acc98647eb4602dcaa1e3c

  • SHA1

    039f2dc817aa7db766334907674480eb808ef860

  • SHA256

    14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6

  • SHA512

    551f2767d56540761de105af0845f32d13eab2b90b8251ec6f1116729f2fc61a48622a1cd9250229a41c8e598e20b9bf7d0614061e5bacec1fca98806fabdaa1

  • SSDEEP

    98304:dG9tUz0g6yFFHnDZs5998H5PBSh4+gNxii:UrUQgXFFVs5X8q4+Ov

Malware Config

Signatures

  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
    "C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe
      "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • \Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • memory/900-68-0x0000000076FA0000-0x0000000077120000-memory.dmp

    Filesize

    1.5MB

  • memory/900-73-0x0000000076FA0000-0x0000000077120000-memory.dmp

    Filesize

    1.5MB

  • memory/900-72-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/900-60-0x0000000000000000-mapping.dmp

  • memory/900-71-0x0000000076FA0000-0x0000000077120000-memory.dmp

    Filesize

    1.5MB

  • memory/900-65-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/900-70-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-63-0x0000000003730000-0x0000000003AB5000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-69-0x0000000003730000-0x0000000003AB5000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-57-0x0000000003730000-0x0000000003AB5000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-64-0x0000000003730000-0x0000000003AB5000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-62-0x0000000003730000-0x0000000003AB5000-memory.dmp

    Filesize

    3.5MB

  • memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

    Filesize

    8KB