Analysis
Max time kernel: 167s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-11-2022 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  Resource: win10v2004-20220812-en
General
Target: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
Size: 3.1 MB
MD5: e1cc5a67a7acc98647eb4602dcaa1e3c
SHA1: 039f2dc817aa7db766334907674480eb808ef860
SHA256: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6
SHA512: 551f2767d56540761de105af0845f32d13eab2b90b8251ec6f1116729f2fc61a48622a1cd9250229a41c8e598e20b9bf7d0614061e5bacec1fca98806fabdaa1
SSDEEP: 98304:dG9tUz0g6yFFHnDZs5998H5PBSh4+gNxii:UrUQgXFFVs5X8q4+Ov
Malware Config
Signatures
Detected Xorist Ransomware (1 IoC)
  Resource: behavioral2/memory/5112-137-0x0000000000400000-0x0000000000785000-memory.dmp
  YARA rule: family_xorist
The matching dump is the image region (base 0x400000) of PID 5112, i.e. the dropped "You Are Hacked.exe" listed below, so the family match is on the payload as it sits in memory, not on the outer sample that was submitted.
Xorist Ransomware
Xorist is a ransomware family that has circulated since the early 2010s. Samples are produced with a publicly available builder, which is why file extensions, ransom-note text and persistence names vary from sample to sample while the core encryption routine (a TEA or XOR based cipher with a builder-supplied key) stays the same.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Process: You Are Hacked.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
The HARDWARE\ACPI\DSDT subkey is named after the DSDT OEM ID reported by the firmware; it is "VBOX__" only on a VirtualBox guest, so opening this key and branching on success is a plain VM check. An analyst detonating this sample under VirtualBox should expect the key to exist unless the guest's DSDT OEM strings have been changed.
Drops file in Drivers directory (8 IoCs)
Process: You Are Hacked.exe
  - File created: C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
  - File created: C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
Seven of the eight entries are the ransom note being written into each directory the process walks; the one "opened for modification" entry is a pre-existing file being rewritten in place, which is consistent with the encryption pass.
Executes dropped EXE (1 IoC)
  - PID 5112: You Are Hacked.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Geo\Nation holds the GeoID of the user's configured region. Note that this lookup is made by the submitted sample itself (the dropper), before "You Are Hacked.exe" runs; the report does not show which GeoID values, if any, cause the sample to stop.
Drops startup file (1 IoC)
Process: You Are Hacked.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
The file placed in the per-user Startup folder is the ransom note, not an executable: Windows opens it with the handler for .txt at every logon, so the note is shown to the user each time they sign in. Persistence for the payload itself is handled by the Run key below.
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. The Software\Wine key exists only under Wine, so a successful open identifies a non-Windows analysis host.
Process: You Are Hacked.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC is attached to this signature in the report, so the page offers nothing to corroborate credential theft by this sample; the file accesses under Program Files and AppData listed elsewhere on this page are the encryption walk touching browser-adjacent paths.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: You Are Hacked.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe"
The key lands under WOW6432Node because the 32-bit process's writes to HKLM\SOFTWARE are redirected by WOW64; the value is still processed at logon. The target is a randomly named executable in the user's Temp directory, a name that matches neither the submitted sample nor "You Are Hacked.exe", so the persisted file is a third copy whose identity has to be confirmed from the dropped-files list rather than from this page.
Drops file in System32 directory (64 IoCs)
Process (all entries): You Are Hacked.exe
  - File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\es\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\hidtelephonydriver.inf_amd64_43fa6b1db642df7e\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmnttp2.inf_amd64_8c1e04ee38482578\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\InstallShield\setupdir\0009\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_f9b71b1d9c8643e2\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\amdi2c.inf_amd64_d7ae71f8eb52c084\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\InstallShield\setupdir\0015\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\fr-FR\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_19eb30e94285f2a6\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmcodex.inf_amd64_f5594a2af66d11ab\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmbsb.inf_amd64_0e44beb9cebe5a1e\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_76ccb77f33c66c43\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_1183fd0f13045f2e\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationsixdof.inf_amd64_3ff016f4df6d2b8a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\es-ES\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\InstallShield\setupdir\000b\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\it-IT\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_e485f7ac03009434\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\npsvctrig.inf_amd64_b98e9a5325075265\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_7cfab61cbab23e11\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mgtdyn.inf_amd64_a6235e923dc4047c\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_e0577000b188c16b\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\es-MX\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\International\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\c_monitor.inf_amd64_f02375bf47a4adb2\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\wmbclass_wmc_union.inf_amd64_a02e4111c770770d\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\Speech\Common\it-IT\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\wbem\fr-FR\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\en-US\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\InstallShield\setupdir\0005\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\Amd64\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmcommu.inf_amd64_9d8718c8b82a0aeb\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\SysWOW64\IME\SHARED\HOW TO DECRYPT FILES.txt
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - PID 5112: You Are Hacked.exe
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, so a debugger attached to PID 5112 silently loses breakpoints and exceptions on that thread. This is a commodity anti-debug trick; when stepping the payload, neutralise the call (for example with a user-mode hook on NtSetInformationThread) before the thread makes it.
Drops file in Program Files directory (64 IoCs)
Process (all entries): You Are Hacked.exe
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-400.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200_contrast-high.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-256.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png
  - File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_store.targetsize-48.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png
  - File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-200_contrast-white.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-150.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png
  - File created: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png
  - File created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-150.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-100.png
  - File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT
  - File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\HOW TO DECRYPT FILES.txt
  - File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36.png
Drops file in Windows directory (64 IoCs)
Process (all entries): You Are Hacked.exe
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\r\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_5801e9f68bdc3d85\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-125.png
  - File created: C:\Windows\WinSxS\amd64_microsoft-onecore-actionqueue.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fae0a0b9eaafe4be\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-d..ompat-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_ab858487faf33768\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-hotspotauth-adm_31bf3856ad364e35_10.0.19041.1_none_ea54f59ce460e3b7\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_10.0.19041.746_none_e06926606d9d22f9\f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_10.0.19041.1_en-us_6abbcc8b8fcc07e3\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-peertopeerbase_31bf3856ad364e35_10.0.19041.1_none_21c94890c5647051\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\INF\ServiceModelService 3.0.0.0\0410\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.scale-125.png
  - File created: C:\Windows\WinSxS\amd64_cdrom.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_eeabdb05f6ee48e5\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-bth-cpl_31bf3856ad364e35_10.0.19041.1_none_0d0ae394ff68d5f5\@BthpropsNotificationLogo.png
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-1.htm
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_c60bea0e87a424f7\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-c..ners-dynamic-device_31bf3856ad364e35_10.0.19041.1_none_b4a7fb8b678481c6\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-imapiv2-base_31bf3856ad364e35_10.0.19041.746_none_a103bab27170fd31\f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1023_tr-tr_65cac6c981f17921\r\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-1.htm
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.19041.264_none_d1ce115a6e50bd32\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-security-aadauthhelper_31bf3856ad364e35_10.0.19041.1266_none_2cd716ad69707c0a\r\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-setx.resources_31bf3856ad364e35_10.0.19041.1_es-es_773802e77757f149\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\Assets\Ninja\CategorySticker.png
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-w..ction-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa973ceb0cae15b6\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-wmiv2-mi-dll_31bf3856ad364e35_10.0.19041.546_none_683a88876ebd7c0a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_c_camera.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_23bf43948c55c007\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-onecore-tiledatarepository_31bf3856ad364e35_10.0.19041.264_none_ac56521bfe3760e4\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_en-us_9b69330b34021c65\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_58b032a3f5a9d787\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.19041.1237_none_665f7346099d6350\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_10.0.19041.1_de-de_68faace6a65a6796\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-i..ng-legacy.resources_31bf3856ad364e35_11.0.19041.1_de-de_2d07e35addcec99e\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_50449f7d58a9ce42\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_10.0.19041.1_it-it_b2bccccd75b09d71\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_netfx-microsoft.vsa_b03f5f7f11d50a3a_10.0.19041.1_none_a25be6f87f8e8c7d\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_a6e41dbf6c2a9394\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_10.0.19041.746_none_57740b56b3f3bdad\r\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8d767e5cae4ff082\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-w..cationcompatibility_31bf3856ad364e35_10.0.19041.1_none_241b3b307ddfb152\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.html
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_487e089a81330048\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-64_altform-unplated_contrast-black.png
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..lers-siuf.resources_31bf3856ad364e35_10.0.19041.1_es-es_26d9d1c9b7ee55fc\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_9282db59dc3419f7\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-l..wslconfig.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cd375cf6e95c10aa\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_10.0.19041.1_it-it_be3d62eb83507440\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square71x71Logo.contrast-white_scale-150.png
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-u..ccess-userdatautils_31bf3856ad364e35_10.0.19041.1_none_94e6dd42406ad3a9\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_netfx4-nlslexicons0009_b03f5f7f11d50a3a_4.0.15805.0_none_a3ae349d43a0e1f0\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_dual_spaceport.inf_31bf3856ad364e35_10.0.19041.1_none_a5aee3d9428e55fa\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-bookend-cortanaout.gif
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-onecore-winrt-storage_31bf3856ad364e35_10.0.19041.1266_none_58f5a5acd2795abf\f\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..up-notify.resources_31bf3856ad364e35_10.0.19041.1_en-us_e98c1b2c31078c32\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\WinSxS\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_322e74f6b3012f36\HOW TO DECRYPT FILES.txt
  - File created: C:\Windows\de-DE\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-16_altform-unplated_contrast-black.png
  - File created: C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\HOW TO DECRYPT FILES.txt
  - File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Wide310x150Logo.contrast-white_scale-125.png
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes:
You Are Hacked.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open You Are Hacked.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
You Are Hacked.exe
pid process
5112 You Are Hacked.exe
5112 You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
description pid process target process
PID 4976 wrote to memory of 5112 4976 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
PID 4976 wrote to memory of 5112 4976 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
PID 4976 wrote to memory of 5112 4976 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe You Are Hacked.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4976
-
2. C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe (child of PID 4976)
Command line: "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 5112
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.5MB
MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067