Analysis

  • max time kernel
    167s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2022 13:01

General

  • Target

    14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe

  • Size

    3.1MB

  • MD5

    e1cc5a67a7acc98647eb4602dcaa1e3c

  • SHA1

    039f2dc817aa7db766334907674480eb808ef860

  • SHA256

    14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6

  • SHA512

    551f2767d56540761de105af0845f32d13eab2b90b8251ec6f1116729f2fc61a48622a1cd9250229a41c8e598e20b9bf7d0614061e5bacec1fca98806fabdaa1

  • SSDEEP

    98304:dG9tUz0g6yFFHnDZs5998H5PBSh4+gNxii:UrUQgXFFVs5X8q4+Ov

Malware Config

Signatures

  • Detected Xorist Ransomware 1 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Drops file in Drivers directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
    "C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe
      "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops startup file
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:5112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

    Filesize

    2.5MB

    MD5

    93412c40272361e258e4dc0de74f7075

    SHA1

    c13b3cf156b76980c4eab4fae183758c4700440d

    SHA256

    7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e

    SHA512

    00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

  • memory/5112-132-0x0000000000000000-mapping.dmp

  • memory/5112-135-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/5112-136-0x00000000772E0000-0x0000000077483000-memory.dmp

    Filesize

    1.6MB

  • memory/5112-137-0x0000000000400000-0x0000000000785000-memory.dmp

    Filesize

    3.5MB

  • memory/5112-138-0x00000000772E0000-0x0000000077483000-memory.dmp

    Filesize

    1.6MB