Analysis Overview
SHA256
398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72
Threat Level: Known bad
The file 398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72 was found to be: Known bad.
Malicious Activity Summary
Xorist Ransomware
Detected Xorist Ransomware
Modifies firewall policy service
Xorist family
Drops file in Drivers directory
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-25 21:11
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xorist family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-25 21:11
Reported
2022-11-26 06:53
Platform
win7-20221111-en
Max time kernel
153s
Max time network
34s
Command Line
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xorist Ransomware
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Africa\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\logger\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Indian\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows Journal\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows Defender\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\include\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Solitaire\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\COPYING.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Media Renderer\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows Mail\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Windows Journal\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\modules\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\EXPLORER.EXE | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | "C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
Network
Files
memory/2036-54-0x0000000076411000-0x0000000076413000-memory.dmp
memory/2036-55-0x0000000000400000-0x0000000000560000-memory.dmp
memory/2036-56-0x0000000000400000-0x0000000000560000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-25 21:11
Reported
2022-11-26 06:53
Platform
win10v2004-20221111-en
Max time kernel
231s
Max time network
239s
Command Line
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Xorist Ransomware
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\ETC\HOSTS | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
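The two registry techniques in this report (the Run value "Alcmeter" pointing at a dropped copy in the user's Temp directory, seen in both the win7 and win10 runs, and the firewall AuthorizedApplications\List entry that whitelists the sample for any remote address) share one tell: the executable they reference lives in a user-writable path. The Wow6432Node location means a 32-bit process wrote HKLM\Software\Microsoft\Windows\CurrentVersion\Run and WOW64 redirection placed it under Wow6432Node; it is still an autostart. The data "...exe:*:enabled:@shell32.dll,-1" is the legacy Windows Firewall exception format path:scope:mode:name, where "*" is any scope. The script below is an added triage example, not part of the sandbox report or any vendor's code; the input lines are copied from the indicator column above plus one constructed benign control entry, and the user-writable path fragments are a hypothetical heuristic.

```python
r"""Added triage helper (not part of the sandbox report or any vendor code).

Parses "Set value (str)" registry indicators in the form printed in the report,
key path, backslash, value name, then ' = "' and REG_SZ data with doubled
backslashes, for two techniques this sample shows: a Run key entry and a
legacy Windows Firewall AuthorizedApplications\List entry. Flags entries whose
target executable lives in a user-writable directory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the indicator column of the tables above, plus one
# constructed benign control entry so the heuristic has something to pass.
SAMPLE_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe"',
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe:*:enabled:@shell32.dll,-1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\ExampleVendor\\updater.exe"',
]

INDICATOR_RE = re.compile(r'^(?P<key>.+?) = "(?P<data>.*)"$')
RUN_MARKER = "\\currentversion\\run\\"
FW_MARKER = "\\authorizedapplications\\list\\"

# Hypothetical heuristic: path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")


@dataclass
class Finding:
    kind: str             # "autorun" or "firewall_exception"
    value_name: str
    target: str           # executable the entry points at
    scope: Optional[str]  # firewall only: "*" means any remote address
    mode: Optional[str]   # firewall only: "enabled" / "disabled"
    suspicious: bool


def unescape(data: str) -> str:
    """The report prints REG_SZ data with each backslash doubled."""
    return data.replace("\\\\", "\\")


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def parse_indicator(line: str) -> Optional[Finding]:
    match = INDICATOR_RE.match(line.strip())
    if not match:
        return None
    key, data = match.group("key"), unescape(match.group("data"))
    lowered = key.lower()

    if RUN_MARKER in lowered:
        # Everything after ...\CurrentVersion\Run\ is the value name.
        value_name = key[lowered.index(RUN_MARKER) + len(RUN_MARKER):]
        return Finding("autorun", value_name, data, None, None,
                       is_user_writable(data))

    if FW_MARKER in lowered:
        # Under AuthorizedApplications\List the value name is itself the full
        # executable path, so split only on the List\ marker.
        value_name = key[lowered.index(FW_MARKER) + len(FW_MARKER):]
        # Legacy exception format: <path>:<scope>:<Enabled|Disabled>:<name>.
        # rsplit keeps the drive-letter colon inside <path>.
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            return None
        path, scope, mode, _display_name = parts
        suspicious = mode.lower() == "enabled" and is_user_writable(path)
        return Finding("firewall_exception", value_name, path, scope, mode,
                       suspicious)

    return None


def triage(lines: List[str]) -> List[Finding]:
    """Parse every recognised indicator; unrecognised lines are skipped."""
    return [f for f in (parse_indicator(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INDICATORS):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} {finding.kind:19} {finding.value_name} -> {finding.target}")
```

Running it flags both report entries and passes the constructed control. The same parser works on a `reg export` of the two keys once the quoting is normalised; on a live host the Run value and the firewall list entry are the two artefacts to remove after killing the process, since the Run value points at the dropped copy `w8i9eHkHOwWwQlX.exe`, not at the original sample.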
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\he-IL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\3082\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\ar-SA\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
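The rows above are the raw material of a behavioural ransomware detection: one process creates an identically named note (HOW TO DECRYPT FILES.txt) in directory after directory while opening files of unrelated types (.txt, .png, .WAV, .PPT, .mp4) for modification. The Python below is an added example, not part of the sandbox report, that parses rows in this table's format and applies that two-part heuristic per process. Its input is a subset of the rows listed above plus one constructed benign row (an msiexec.exe log write) as a control; the thresholds (a note name in at least 3 directories, at least 4 distinct extensions modified) are assumptions chosen for illustration, not values the report states.

```python
"""Two-part ransomware heuristic over sandbox file events (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe"
CONTROL_EXE = r"C:\Windows\system32\msiexec.exe"  # constructed benign control, not in the report

# Rows copied from the report's file-event table, plus one constructed control row (last line).
_TEMPLATE = r"""
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\HOW TO DECRYPT FILES.txt | <EXE> | N/A |
| File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\HOW TO DECRYPT FILES.txt | <EXE> | N/A |
| File created | C:\Program Files\Common Files\System\msadc\es-ES\HOW TO DECRYPT FILES.txt | <EXE> | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\HOW TO DECRYPT FILES.txt | <EXE> | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt | <EXE> | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png | <EXE> | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV | <EXE> | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT | <EXE> | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 | <EXE> | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | <EXE> | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\MSI1a2b.LOG | C:\Windows\system32\msiexec.exe | N/A |
"""
SAMPLE_ROWS = _TEMPLATE.replace("<EXE>", SAMPLE_EXE)


def parse_rows(text):
    """Turn '| op | path | process | target |' rows into (op, path, process) tuples; skip the header."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        op, path, proc, _target = cells
        events.append((op, path, proc))
    return events


def assess(events, note_min_dirs=3, ext_min=4):
    """Per process: (1) a file name created in many directories = ransom-note candidate;
    (2) files of many unrelated extensions opened for modification = indiscriminate rewriting.
    Both together is the verdict; either alone is common in benign software (installers, indexers)."""
    per_proc = defaultdict(lambda: {"created": defaultdict(set), "modified": []})
    for op, path, proc in events:
        p = PureWindowsPath(path)
        if op == "File created":
            per_proc[proc]["created"][p.name.lower()].add(str(p.parent).lower())
        elif op == "File opened for modification":
            per_proc[proc]["modified"].append(p)

    findings = {}
    for proc, data in per_proc.items():
        notes = {name: len(dirs) for name, dirs in data["created"].items() if len(dirs) >= note_min_dirs}
        exts = {p.suffix.lower() for p in data["modified"] if p.suffix}
        dirs = {str(p.parent).lower() for p in data["modified"]}
        findings[proc] = {
            "ransom_note_candidates": notes,
            "modified_extensions": sorted(exts),
            "modified_dirs": len(dirs),
            "verdict": bool(notes) and len(exts) >= ext_min,
        }
    return findings


def flagged_processes(text):
    """Processes in a report table that trip both halves of the heuristic."""
    return sorted(proc for proc, f in assess(parse_rows(text)).items() if f["verdict"])


if __name__ == "__main__":
    for proc, f in assess(parse_rows(SAMPLE_ROWS)).items():
        print(proc, f)
```

Run against the full table on this page the note count climbs into the dozens of directories and the extension set widens further, which is why the note-per-directory count is the more robust of the two signals: a legitimate bulk editor touches many files, but it does not leave the same new file beside every one of them.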
Modifies registry class
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe | "C:\Users\Admin\AppData\Local\Temp\398575a09f41e8b1da28164960e72cdacb331e24922c999e1b9d1887a6ec5a72.exe" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 20.54.89.106:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | ilo.brenz.pl | udp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 8.8.8.8:53 | iedafi.com | udp |
| N/A | 8.8.8.8:53 | aukjge.com | udp |
| N/A | 8.8.8.8:53 | pujacf.com | udp |
| N/A | 8.8.8.8:53 | czycjs.com | udp |
| N/A | 8.8.8.8:53 | lfwxww.com | udp |
| N/A | 8.8.8.8:53 | goonpu.com | udp |
| N/A | 8.8.8.8:53 | ckunzl.com | udp |
| N/A | 8.8.8.8:53 | iixief.com | udp |
| N/A | 8.8.8.8:53 | oanyza.com | udp |
| N/A | 8.8.8.8:53 | ilsegf.com | udp |
| N/A | 8.8.8.8:53 | ieavsw.com | udp |
| N/A | 8.8.8.8:53 | ymesae.com | udp |
| N/A | 8.8.8.8:53 | refour.com | udp |
| N/A | 206.119.87.32:443 | refour.com | tcp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 8.8.8.8:53 | awpmsz.com | udp |
| N/A | 8.8.8.8:53 | riznhz.com | udp |
| N/A | 8.8.8.8:53 | ktlaee.com | udp |
| N/A | 8.8.8.8:53 | phbqhy.com | udp |
| N/A | 8.8.8.8:53 | ovxiot.com | udp |
| N/A | 8.8.8.8:53 | oyhqah.com | udp |
| N/A | 8.8.8.8:53 | cgokpe.com | udp |
| N/A | 8.8.8.8:53 | rwcdlz.com | udp |
| N/A | 8.8.8.8:53 | sangua.com | udp |
| N/A | 67.21.93.246:443 | sangua.com | tcp |
| N/A | 8.8.8.8:53 | cewrql.com | udp |
| N/A | 8.8.8.8:53 | eacaui.com | udp |
| N/A | 8.8.8.8:53 | gjvyfa.com | udp |
| N/A | 8.8.8.8:53 | ibxacp.com | udp |
| N/A | 8.8.8.8:53 | zymiio.com | udp |
| N/A | 8.8.8.8:53 | oolske.com | udp |
| N/A | 8.8.8.8:53 | nhhxtx.com | udp |
| N/A | 8.8.8.8:53 | bdquuz.com | udp |
| N/A | 8.8.8.8:53 | bomeae.com | udp |
| N/A | 8.8.8.8:53 | ashlxh.com | udp |
| N/A | 8.8.8.8:53 | udgobs.com | udp |
| N/A | 8.8.8.8:53 | ghnudy.com | udp |
| N/A | 8.8.8.8:53 | cyopoc.com | udp |
| N/A | 8.8.8.8:53 | fiitza.com | udp |
| N/A | 8.8.8.8:53 | ppruay.com | udp |
| N/A | 8.8.8.8:53 | iygpvz.com | udp |
| N/A | 8.8.8.8:53 | iazaax.com | udp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 8.8.8.8:53 | jlwuhl.com | udp |
| N/A | 8.8.8.8:53 | apunms.com | udp |
| N/A | 8.8.8.8:53 | hkogaz.com | udp |
| N/A | 8.8.8.8:53 | cqavss.com | udp |
| N/A | 8.8.8.8:53 | iqwyhy.com | udp |
| N/A | 8.8.8.8:53 | avuaie.com | udp |
| N/A | 8.8.8.8:53 | nbfkfo.com | udp |
| N/A | 8.8.8.8:53 | nofudz.com | udp |
| N/A | 8.8.8.8:53 | dzoplo.com | udp |
| N/A | 8.8.8.8:53 | xsyjpa.com | udp |
| N/A | 8.8.8.8:53 | oqaaxe.com | udp |
| N/A | 8.8.8.8:53 | idymar.com | udp |
| N/A | 185.230.63.107:443 | idymar.com | tcp |
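Most of the table above is DNS lookups to 8.8.8.8 for pseudo-random six-letter .com names, only three of which (refour.com, sangua.com, idymar.com) are followed by a TCP connection; that burst of same-shape names with a low resolution rate is what a domain generation algorithm looks like in a sandbox network log. The Python below is an added example, not part of the report, that parses rows in this table's format, clusters the queried names by structural shape rather than judging them one at a time (refour.com and sangua.com are pronounceable and would pass a casual glance), separates names that resolved from names that never connected, decodes the in-addr.arpa PTR query back into the address it asks about, and lists the non-DGA contacts. The embedded rows are a subset of those listed above; the cluster threshold of 5 names is an assumption chosen for illustration.

```python
"""DGA triage over a sandbox network table (added example)."""
import re
from collections import Counter, defaultdict

# Subset of the report's Network rows. An empty Domain cell means a bare-IP connection.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | ilo.brenz.pl | udp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 148.81.111.121:80 | ilo.brenz.pl | tcp |
| N/A | 8.8.8.8:53 | iedafi.com | udp |
| N/A | 8.8.8.8:53 | aukjge.com | udp |
| N/A | 8.8.8.8:53 | pujacf.com | udp |
| N/A | 8.8.8.8:53 | czycjs.com | udp |
| N/A | 8.8.8.8:53 | lfwxww.com | udp |
| N/A | 8.8.8.8:53 | goonpu.com | udp |
| N/A | 8.8.8.8:53 | refour.com | udp |
| N/A | 206.119.87.32:443 | refour.com | tcp |
| N/A | 8.8.8.8:53 | sangua.com | udp |
| N/A | 67.21.93.246:443 | sangua.com | tcp |
| N/A | 8.8.8.8:53 | idymar.com | udp |
| N/A | 185.230.63.107:443 | idymar.com | tcp |
"""


def parse_network(text):
    """Turn '| country | dst | domain | proto |' rows into dicts; skip the header row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _country, dst, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:  # tolerate an empty Domain cell collapsed leftwards
            domain, proto = "", domain
        rows.append({"dst": dst, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Reverse the octets of an in-addr.arpa PTR name back into the IPv4 address being looked up."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa", name.lower())
    if not m:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def label_shape(domain):
    """Structural shape of a name: length and character class of the second-level label, plus TLD.
    A DGA shows up as many distinct names sharing one shape, a stronger signal than any one name."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    cls = "letter" if sld.isalpha() else "mixed"
    return f"{len(sld)}-{cls} .{tld}"


def triage(rows, min_cluster=5):
    """Split the table into: DGA cluster (queried, resolved, unresolved), PTR lookups,
    bare-IP connections, and every other named contact."""
    queried, connected, ptr, bare_ips = set(), defaultdict(set), {}, set()
    for r in rows:
        d = r["domain"]
        if not d:
            bare_ips.add(r["dst"])
        elif d.endswith(".in-addr.arpa"):
            ptr[d] = ptr_to_ip(d)
        elif r["proto"] == "udp" and r["dst"].endswith(":53"):
            queried.add(d)
        else:
            connected[d].add(r["dst"])
    shapes = Counter(label_shape(d) for d in queried)
    dga_shape, n = shapes.most_common(1)[0] if shapes else (None, 0)
    if n < min_cluster:  # no dominant shape: nothing here looks algorithmically generated
        dga_shape = None
    dga = {d for d in queried if dga_shape and label_shape(d) == dga_shape}
    return {
        "dga_shape": dga_shape,
        "dga_queried": len(dga),
        "dga_resolved": {d: connected[d] for d in sorted(dga) if d in connected},
        "dga_unresolved": sorted(dga - set(connected)),
        "other_contacts": {d: s for d, s in connected.items() if d not in dga},
        "ptr_lookups": ptr,
        "bare_ip_connections": bare_ips,
    }


if __name__ == "__main__":
    for key, value in triage(parse_network(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On the full table the cluster is the 6-letter .com shape with dozens of members. The three that resolved, with their destinations (206.119.87.32:443, 67.21.93.246:443, 185.230.63.107:443), and the repeated port-80 connections to ilo.brenz.pl at 148.81.111.121 are the indicators worth blocking and hunting for; the names that never connected are poor blocklist material because the algorithm will produce different ones tomorrow, but the burst itself (one host, many same-shape lookups in seconds) is a detection in its own right.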
Files
memory/1404-132-0x0000000000400000-0x0000000000560000-memory.dmp
memory/1404-133-0x0000000000400000-0x0000000000560000-memory.dmp