xorist | 90b23c1d63e4c8653e17a75f0eb2921b5190b6635fa49effe00e06d429f6d7a2

Analysis

max time kernel
116s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09/12/2022, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

265KB
MD5

edb9ba4dec60f2fbabe50db587ed035b
SHA1

43ba0dc628d76092dd409a6d21f81e5045ddd24f
SHA256

99b8962d32d011802dfa8c8aafaf2c1464fa80d9fb107f7fe1abe7005b5af2cf
SHA512

7931e66b5c7fe59981835623f4fef3228aed943b49f3b44b1ad8831f28e9f8be8b1be82e1564fa33a843352345f95405198ba89c98bc3e62622b3ab081c7ecfc
SSDEEP

3072:hUQoKIo3zkikzwVNYWGN6ozfnQxct3VCyuVMAAbMIcEWSRgdOdLOfTg:Ryojkia2pGNbZ3EvVxIcEmOdM

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\HOW TO DECRYPT FILES.txt

Ransom Note

Ooops, your files have been encrypted! -What Happen to my computer? Your important files are encrypted Many of your documents , photos , passwords , databases and other files are no longer accessible because they have been encrypted . Maybe you are busy looking for way to recover your files , but do not waste your time . Nobody can recover your files without our decryption KEY -Can i Recover My Files? Sure.We guarantee that you can recover all your files safely and easlly But You have not so enough time . So If you want to decrypt all your files, you need to pay . You only have 12H to submit the payment.After that price will be doubled Also, If the transaction is not completed within 24 hours your files will be permanently deleted. How To buy bitcoins https://www.bitcoin.com/buy-bitcoin And Send the the correct amount to this address 0.05 BTC 17pXroP4MruitJzpTa88FAPAGD5q5QAPzb

Wallets

17pXroP4MruitJzpTa88FAPAGD5q5QAPzb

URLs

https://www.bitcoin.com/buy-bitcoin

Signatures

Detected Xorist Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1696-55-0x0000000000400000-0x0000000000551000-memory.dmp	family_xorist
behavioral1/memory/1696-56-0x0000000000400000-0x0000000000551000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	sample.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.HELLO	sample.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.HELLO	sample.exe
File renamed	C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.HELLO	sample.exe
File renamed	C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.HELLO	sample.exe
File renamed	C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.HELLO	sample.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-55-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/memory/1696-56-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe"	sample.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_script_blocks.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttp2.inf_amd64_neutral_d218c42ac8635704\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_neutral_d7bf942e99bb1d41\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_parameters.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	sample.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9fe8503f82ce60fa\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\ro-RO\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_neutral_024281c0e4e954e2\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_profiles.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\fr-FR\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt	sample.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Foreach.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_logical_operators.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt	sample.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_eventlogs.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpp.inf_amd64_neutral_a9cb77fe1985cd2c\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt	sample.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	sample.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\IME\shared\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt	sample.exe
File created	C:\Windows\SysWOW64\com\it-IT\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_trap.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_neutral_84eee4cc19fd00dc\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WMI_Cmdlets.help.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_History.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmosi.inf_amd64_neutral_932d048a735b47c2\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasic\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_ISE.help.txt	sample.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\HOW TO DECRYPT FILES.txt	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	sample.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFL.ICO	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	sample.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	sample.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	sample.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	sample.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48F.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50B.GIF	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	sample.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF	sample.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Assignment_Operators.help.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.1.7600.16385_none_5872147ba3367471\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_en-us_966fdd8e8dce3b49\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ringtone.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e218b286eb401969\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..rverifier.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6d901f196f4d190d\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..lter-mime.resources_31bf3856ad364e35_7.0.7600.16385_es-es_8c088e500f57cc02\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_397fc58b493f7a97\calendar.html	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.17514_de-de_28f6e087ae3fd202\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-9.htm	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wpd-legacywmdmapi_31bf3856ad364e35_6.1.7600.16385_none_b59f82ea895b94d5\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\msil_system.xml.resources_b77a5c561934e089_6.1.7600.16385_it-it_01747077542479b0\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\0.png	sample.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f7657c98047b1a14\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..mc-snapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cbaee6d9c8e8beea\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_44fce29ac76d1a39\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1e4cbc67ccce19ee\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_rc_dll_res_b03f5f7f11d50a3a_6.1.7600.16385_none_04a12c6aba11825e\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.SemiTrust\11.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..ents-main.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_405d09a695c177d5\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_msbuild_b03f5f7f11d50a3a_3.5.7601.17514_none_ea8ca0c25e350957\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-com-oleui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6a6892f8344a2677\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dcom-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba2db6fbd8860506\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_7041b95d9e5d428e\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.html	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-28596_31bf3856ad364e35_6.1.7600.16385_none_b15d407cfdd6e95b\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..umservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6aa2d458ee571cf9\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8bde4585eccdab34\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a36bf8093e2548af\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\msil_uiautomationtypes.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3032858bc7f7902e\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_338f6f5baad7f740\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_functions_advanced_parameters.help.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cryptext-dll_31bf3856ad364e35_6.1.7600.16385_none_ff6918de770cb659\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0301cbcb983c9a65\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc_31bf3856ad364e35_6.1.7601.17514_none_c99214378a23d63b\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehchhime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_733270a78f6199cf\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_9a22c201bfc85eec\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-isoburn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cf65eeeb41e66063\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_es-es_912246ee1073420f\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_xnacc.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8d98680e3b66b3d0\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0002083b_31bf3856ad364e35_6.1.7600.16385_none_a986e4f489704cb4\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_mdmzyp.inf_31bf3856ad364e35_6.1.7600.16385_none_a9dc75825db86521\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e3e16a4b19f6d518\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..vdsupport.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a2a92c5710d7278a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_20f45663f3f88da5\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-opengl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f62d0137474f79ea\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-packager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_985e7717c199b9df\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a50ca627012e104f\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7a60e7beae811506\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-desk.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d60136489cb08af2\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..mentation.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_bdd02c1aa7a230d9\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_net8185.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e5a2faedb7866860\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-directplay4_31bf3856ad364e35_6.1.7600.16385_none_76e6c1802136b090\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\servicing\fr-FR\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-simsunb_31bf3856ad364e35_6.1.7600.16385_none_ecef7b9d35a0dabd\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-simpletcp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_205d87d632734790\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4cbc6858ab8583f8\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.ipsecmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a7c01a54f64c21fc\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_66df39372ddc410d\HOW TO DECRYPT FILES.txt	sample.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HELLO	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\ = "CRYPTED!"	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe,0"	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open\command	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HELLO\ = "HZBRREFORVMFWWE"	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\DefaultIcon	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe"	sample.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1696

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt

Filesize
949B

MD5
f1bad9df68fd2048163760286e7ba0e6

SHA1
bda9081d420f6b80728811bfc9b551efbc6dddce

SHA256
ba55982fc1d90fdaef69c6b069f39aef64685973f304303f203eaa35b151db05

SHA512
6c2d8f2fc91d8e843b93e6996050649dfa564dc3ee0b8c1c34ef98c65d22ed47e95b9a59bbb11d6414d9101512b626a3eff1b8c5136e14d6b4d598222b141573

Download Submit
memory/1324-57-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1696-56-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download