Analysis
max time kernel: 152s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2022 20:10
Static task: static1
Behavioral task: behavioral1
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win10v2004-20220901-en
General
Target: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Size: 3.1MB
MD5: fcd1290482187d266d174f924c4b1e46
SHA1: c3f71f34c7bffd0cc0d49af56254d7f34d50b0c2
SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
SHA512: de3b60739be065ee2620f407b1e51c40be007f1dddcf198b9d676973fcc0007178635534009de2649c7908736e2be3efaaea15b955651a7ca7a5c1f2ad6c9df8
SSDEEP: 98304:dGZtUz0g6yFFHnDZs5998H5PBSh4+gNxiP:UPUQgXFFVs5X8q4+O4
Malware Config
Signatures
Detected Xorist Ransomware 1 IoCs
Processes:
  resource: behavioral1/memory/1520-65-0x0000000000400000-0x0000000000785000-memory.dmp
  yara_rule: family_xorist
Xorist Ransomware
Xorist is a ransomware family first seen in 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Process: You Are Hacked.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Drops file in Drivers directory 8 IoCs
Process: You Are Hacked.exe
  File created: C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt
  File created: C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
Executes dropped EXE 1 IoCs
Process: You Are Hacked.exe (PID 1520)
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Process: You Are Hacked.exe
  File renamed: C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.anonymous
Drops startup file 1 IoCs
Process: You Are Hacked.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Process: You Are Hacked.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine
Loads dropped DLL 4 IoCs
Process: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe (PID 1636), listed 4 times
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Process: You Are Hacked.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe"
Process: You Are Hacked.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory 64 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Process: You Are Hacked.exe (PID 1520)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes: You Are Hacked.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell You Are Hacked.exe
-
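The two behaviours recorded above, the same ransom note written into dozens of system directories and the .anonymous extension bound to a new ProgID whose shell\open\command is the dropped executable in %TEMP%, are both cheap to detect from file and registry telemetry. The Python below is an added example, not code from the Triage report or from the sample: it runs both checks over event tuples constructed to mirror the report's rows. The directory threshold, the benign control rows (msiexec.exe, setup.exe, the .foo handler) and the list of user-writable locations are assumptions made for illustration.

```python
"""Detect ransom-note spray and a file-association hijack from sandbox events.

Added example, not code from the Triage report or from the sample. The event
tuples are constructed to mirror the report's rows (action, path or key,
value, process); the directory threshold, the benign control rows and the
list of user-writable locations are assumptions for illustration.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

PROC = "You Are Hacked.exe"
NOTE = "HOW TO DECRYPT FILES.txt"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\533OqvBH346eRq3.exe"

# Constructed file events: (action, path, process). Paths follow the report.
FILE_EVENTS = [
    ("File created", rf"C:\Windows\SysWOW64\drivers\{loc}\{NOTE}", PROC)
    for loc in ("it-IT", "ja-JP", "de-DE", "en-US", "es-ES", "fr-FR")
] + [
    ("File created", rf"C:\Windows\SysWOW64\drivers\{NOTE}", PROC),
    ("File opened for modification", r"C:\Windows\SysWOW64\drivers\gmreadme.txt", PROC),
    # Constructed benign control: one file in one directory must not trigger.
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\setup.log", "msiexec.exe"),
]

# Constructed registry events: (action, key, value, process). "Key created"
# rows carry no value; only the "Set value" rows matter to the detector.
REG_EVENTS = [
    ("Key created", rf"{CLASSES}\.anonymous", None, PROC),
    ("Set value (str)", rf"{CLASSES}\.anonymous", "CDOAEETJFTHWUGN", PROC),
    ("Key created", rf"{CLASSES}\CDOAEETJFTHWUGN\shell\open\command", None, PROC),
    ("Set value (str)", rf"{CLASSES}\CDOAEETJFTHWUGN", "CRYPTED!", PROC),
    ("Set value (str)", rf"{CLASSES}\CDOAEETJFTHWUGN\DefaultIcon", DROPPED + ",0", PROC),
    ("Set value (str)", rf"{CLASSES}\CDOAEETJFTHWUGN\shell\open\command", DROPPED, PROC),
    # Constructed benign control: a handler under Program Files must not trigger.
    ("Set value (str)", rf"{CLASSES}\.foo", "FooFile", "setup.exe"),
    ("Set value (str)", rf"{CLASSES}\FooFile\shell\open\command",
     r'"C:\Program Files\Foo\foo.exe" "%1"', "setup.exe"),
]

# Extension key: Classes\.ext (group 1 = extension). ProgID command key:
# Classes\<ProgID>\shell\open\command (group 1 = ProgID). Trailing "\" tolerated.
EXT_KEY = re.compile(r"(?i)\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[^\\]+)\\?")
CMD_KEY = re.compile(
    r"(?i)\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\([^\\.][^\\]*)\\shell\\open\\command\\?")
# Locations a standard user can write to; a shell handler living there is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def find_note_spray(file_events, min_dirs=5):
    """Return {(process, filename): n_dirs} for filenames one process created in
    at least min_dirs distinct directories (case-insensitive, like NTFS)."""
    dirs = defaultdict(set)
    for action, path, proc in file_events:
        if action != "File created":
            continue
        p = PureWindowsPath(path)
        dirs[(proc, p.name.lower())].add(str(p.parent).lower())
    return {k: len(v) for k, v in dirs.items() if len(v) >= min_dirs}


def handler_exe(command):
    """Pull the executable path out of a shell\\open\\command value, quoted or not."""
    m = re.match(r'^"?([^"]+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command


def find_association_hijack(reg_events):
    """Join extension -> ProgID -> open command and return
    (process, extension, progid, exe) where the handler sits in a user-writable path."""
    ext_to_progid, open_cmd = {}, {}
    for action, key, value, proc in reg_events:
        if not action.startswith("Set value") or value is None:
            continue
        if m := EXT_KEY.fullmatch(key):
            ext_to_progid[m.group(1).lower()] = (value, proc)
        elif m := CMD_KEY.fullmatch(key):
            open_cmd[m.group(1)] = value
    findings = []
    for ext, (progid, proc) in ext_to_progid.items():
        cmd = open_cmd.get(progid)
        if cmd is None:
            continue
        exe = handler_exe(cmd)
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            findings.append((proc, ext, progid, exe))
    return findings


if __name__ == "__main__":
    for (proc, name), n in find_note_spray(FILE_EVENTS).items():
        print(f"note spray: {proc!r} created {name!r} in {n} directories")
    for proc, ext, progid, exe in find_association_hijack(REG_EVENTS):
        print(f"association hijack: {proc!r} bound {ext} -> {progid} -> {exe}")
```

The association check joins three separate registry writes (extension default value, ProgID, shell\open\command) rather than alerting on any one of them, because installers legitimately write all three; what separates this sample from an installer is the handler path under the user's Temp directory. The process tree below also records that the sample modifies extensions of user files, so once encrypted files carry the .anonymous extension, this association makes double-clicking one of them launch 533OqvBH346eRq3.exe again.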
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: You Are Hacked.exe
pid process
1520 You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
description pid process target process
PID 1636 wrote to memory of 1520 1636 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1636 wrote to memory of 1520 1636 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1636 wrote to memory of 1520 1636 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
PID 1636 wrote to memory of 1520 1636 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe You Are Hacked.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe "C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe" (child of PID 1636)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1520
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.5MB
MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067