xorist | 5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a

General

Target

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Size

7KB
MD5

31b39332874eca4bca19319073c479e2
SHA1

2038839be53dc9ef2d3981d2ddbfb8ff5cfb2eaf
SHA256

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a
SHA512

8347c8b63d03d1248e1b505ca171837a0a73237183b14ab2044336013c06cc0cc8f651baf33b5009b4411ad40000e89e423463f3f7192e5a69e5ed388b13c301
SSDEEP

96:FHZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExs3aWOjj7jRmW+1xSqMB:9zdrr1FG1WDCgmjPZs3TgXMlSqMUA

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-55-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1640-56-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\DisableHide.png => C:\Users\Admin\Pictures\DisableHide.png.4500	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1640-55-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1640-56-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0g81EtiCH2QMn87.exe"	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

Drops file in Program Files directory 64 IoCs

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Common Files\System\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

Drops file in Windows directory 64 IoCs

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
File created	C:\Windows\AppPatch\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\af058f98427f47670e70468a36d84ee4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\78ce3fd89c50ab2d8d0ffc42ad838644\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Linq.resources\3.5.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_de_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Tpm.Resources\6.1.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design.resources\3.5.0.0_fr_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b3fde69f9642ab464bd3389f1fe3c5bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ab8ac659d9525c6a0cd22c6f3734862f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\5e166029e28675fbb6e2fc59ac6fa167\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\e72886c96b63be364c0205b6c4ff4413\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4bacb26b271de887973e78086440e694\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\sysglobl.resources\2.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\b2f6d024120fb8ac1b0225c025d7c1fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\5ea81699d36a1938a0ff618380506f11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\831aa231315a31ed3efeba1feb3bb936\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_64\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.resources\2.0.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\18e41c018ceff36c2512d12f570f0be7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\1f517ecba89b0f399021bdbc8fb3db82\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_ja_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.PowerPoint\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8df695fb80187f65208d87229e81e8a2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\ca807340cc583efabfc0f3ded2609280\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\778cdd008b007e2abc066f000cb5b1db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.resources\3.5.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\5d7e85e3ad81826e2e1d7131284c63fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\8ad0e1382ab6565741bbb64b965f2748\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.FormControl\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ReachFramework\34177215bbd2e05eb6d59d40a0a98f96\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\8e1a0ff5d2f22bb7de74bb93081c8fba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_64\naphlpr\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\napsnap\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.resources\2.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\3.5.0.0_de_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\83e2f6909980da7347e7806d8c26670e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\6.1.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

Modifies registry class 10 IoCs

Processes:

5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.4500\ = "DKWJUSNRKPYSAQA"	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\DefaultIcon	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0g81EtiCH2QMn87.exe,0"	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\shell	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.4500	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\ = "CRYPTED!"	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\shell\open\command	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\shell\open	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKWJUSNRKPYSAQA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0g81EtiCH2QMn87.exe"	5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe

C:\Users\Admin\AppData\Local\Temp\5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe
"C:\Users\Admin\AppData\Local\Temp\5777ba5324a693756b82284f7388e8b57a8ee3f014cf09b9127c9db06269604a.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1640-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1640-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads