Analysis

  • max time kernel
    153s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 21:11

General

  • Target

    398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe

  • Size

    1.4MB

  • MD5

    12a328ce6651249030f5370f255ca63e

  • SHA1

    a8048a259c2aeb4bee82eea524e402add040aa35

  • SHA256

    398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72

  • SHA512

    ae03500bd52eff224135ffa4ac5030b6d24538b07e8a01db0cd2ffa5a3ba5202c4eb61fd53722886610299d0994895d6fce7538bf6735f4b348d9c47ef0668b0

  • SSDEEP

    24576:z9WQitvyUilzOUxaOWk01G4fbu/F41jen6KXYzkEEknJS7DFN4L3GmPA705sCvsF:z9WDAUozOUxaOyGau6I6WPDvlAAoefk1

Malware Config

Signatures

  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:472
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalService
          2⤵
            PID:832
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            2⤵
              PID:748
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:908
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                2⤵
                  PID:1216
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1036
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    2⤵
                      PID:1008
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:108
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:876
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:800
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:752
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:668
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:588
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:380
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:480
                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                        C:\Windows\system32\wbem\wmiprvse.exe
                                        1⤵
                                          PID:1972
                                        • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                          wmiadap.exe /F /T /R
                                          1⤵
                                            PID:1704
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1376
                                              • C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe
                                                "C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe"
                                                2⤵
                                                • Adds Run key to start application
                                                • Drops file in Program Files directory
                                                • Drops file in Windows directory
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:2036
                                            • C:\Windows\system32\Dwm.exe
                                              "C:\Windows\system32\Dwm.exe"
                                              1⤵
                                                PID:1304

                                              Network

                                              MITRE ATT&CK Enterprise v6

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • memory/2036-54-0x0000000076411000-0x0000000076413000-memory.dmp

                                                Filesize

                                                8KB

                                              • memory/2036-55-0x0000000000400000-0x0000000000560000-memory.dmp

                                                Filesize

                                                1.4MB

                                              • memory/2036-56-0x0000000000400000-0x0000000000560000-memory.dmp

                                                Filesize

                                                1.4MB