Analysis
max time kernel: 130s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 20:10

Static task: static1
Behavioral task: behavioral1
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win10v2004-20220901-en

General
Target: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Size: 3.1MB
MD5: fcd1290482187d266d174f924c4b1e46
SHA1: c3f71f34c7bffd0cc0d49af56254d7f34d50b0c2
SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
SHA512: de3b60739be065ee2620f407b1e51c40be007f1dddcf198b9d676973fcc0007178635534009de2649c7908736e2be3efaaea15b955651a7ca7a5c1f2ad6c9df8
SSDEEP: 98304:dGZtUz0g6yFFHnDZs5998H5PBSh4+gNxiP:UPUQgXFFVs5X8q4+O4

Malware Config

Signatures
Detected Xorist Ransomware 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3344-137-0x0000000000400000-0x0000000000785000-memory.dmp | family_xorist
behavioral2/memory/3344-139-0x0000000000400000-0x0000000000785000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: You Are Hacked.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | You Are Hacked.exe
Drops file in Drivers directory 3 IoCs
Processes: You Are Hacked.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | You Are Hacked.exe
Executes dropped EXE 1 IoCs
Processes: You Are Hacked.exe
pid | process
3344 | You Are Hacked.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: You Are Hacked.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\WriteResume.png => C:\Users\Admin\Pictures\WriteResume.png.anonymous | You Are Hacked.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Drops startup file 1 IoCs
Processes: You Are Hacked.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: You Are Hacked.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Wine | You Are Hacked.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: You Are Hacked.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | You Are Hacked.exe
Drops file in System32 directory 64 IoCs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: You Are Hacked.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\opfknaehkobfiloc.bmp" | You Are Hacked.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: You Are Hacked.exe
pid | process
3344 | You Are Hacked.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
Processes: You Are Hacked.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" | You Are Hacked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command | You Are Hacked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell | You Are Hacked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open | You Are Hacked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" | You Are Hacked.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | You Are Hacked.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: You Are Hacked.exe
pid | process
3344 | You Are Hacked.exe
3344 | You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
description | pid | process | target process
PID 796 wrote to memory of 3344 | 796 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe | You Are Hacked.exe
PID 796 wrote to memory of 3344 | 796 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe | You Are Hacked.exe
PID 796 wrote to memory of 3344 | 796 | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe | You Are Hacked.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 796
-
2. C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 3344
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.5MB
MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067