xorist | 90b23c1d63e4c8653e17a75f0eb2921b5190b6635fa49effe00e06d429f6d7a2

General

Target

sample.exe
Size

265KB
MD5

edb9ba4dec60f2fbabe50db587ed035b
SHA1

43ba0dc628d76092dd409a6d21f81e5045ddd24f
SHA256

99b8962d32d011802dfa8c8aafaf2c1464fa80d9fb107f7fe1abe7005b5af2cf
SHA512

7931e66b5c7fe59981835623f4fef3228aed943b49f3b44b1ad8831f28e9f8be8b1be82e1564fa33a843352345f95405198ba89c98bc3e62622b3ab081c7ecfc
SSDEEP

3072:hUQoKIo3zkikzwVNYWGN6ozfnQxct3VCyuVMAAbMIcEWSRgdOdLOfTg:Ryojkia2pGNbZ3EvVxIcEmOdM

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\HOW TO DECRYPT FILES.txt

Ransom Note

Ooops, your files have been encrypted! -What Happen to my computer? Your important files are encrypted Many of your documents , photos , passwords , databases and other files are no longer accessible because they have been encrypted . Maybe you are busy looking for way to recover your files , but do not waste your time . Nobody can recover your files without our decryption KEY -Can i Recover My Files? Sure.We guarantee that you can recover all your files safely and easlly But You have not so enough time . So If you want to decrypt all your files, you need to pay . You only have 12H to submit the payment.After that price will be doubled Also, If the transaction is not completed within 24 hours your files will be permanently deleted. How To buy bitcoins https://www.bitcoin.com/buy-bitcoin And Send the the correct amount to this address 0.05 BTC 17pXroP4MruitJzpTa88FAPAGD5q5QAPzb

Wallets

17pXroP4MruitJzpTa88FAPAGD5q5QAPzb

URLs

https://www.bitcoin.com/buy-bitcoin

Signatures

Detected Xorist Ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1672-132-0x0000000000400000-0x0000000000551000-memory.dmp	family_xorist
behavioral2/memory/1672-133-0x0000000000400000-0x0000000000551000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1672-132-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral2/memory/1672-133-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

sample.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	sample.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe"	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png	sample.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_TestDrive.help.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-200.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\SmallTile.scale-100.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\15.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-125.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-200.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyStoryCover.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-64_contrast-white.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-200.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-400.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIF	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\PREVIEW.GIF	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-100.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-200.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\font\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe804.png	sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-125.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-lightunplated.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-100.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-300.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-100_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-100.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\1px.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-64.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White@2x.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-100.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Fur.jpg	sample.exe

Drops file in Windows directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File created	C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.contrast-white_scale-200.png	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Core.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Abstractions\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.Resources\3.5.0.0_ja_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.Resources\2.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\diagnostics\system\Apps\ja-JP\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-100.png	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls.Resources\v4.0_1.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\cc60c54c3dde798a43317ec502c0ca47\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\ja-JP\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.ContainerControl\v4.0_10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore.Resources\v4.0_3.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Selectors.Resources\3.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\43665f9aaca15fa115fc03eb3e946324\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\diagnostics\system\IESecurity\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.Resources\2.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Resources\3.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Resources\3.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources\v4.0_4.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources\v4.0_4.0.0.0_it_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Transactions.resources\v4.0_4.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.Resources\2.0.0.0_ja_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Boot\DVD\PCAT\de-DE\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Boot\Resources\ja-JP\HOW TO DECRYPT FILES.txt	sample.exe
File opened for modification	C:\Windows\Media\Windows Background.wav	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi\v4.0_10.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Resources\2.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime.Resources\3.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Design.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Resources\3.0.0.0_it_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Resources\3.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.Resources\3.5.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\927a00c8d6c2756ed97e610e209e12ab\HOW TO DECRYPT FILES.txt	sample.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	sample.exe

Modifies registry class 10 IoCs

Processes:

sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HELLO	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HELLO\ = "HZBRREFORVMFWWE"	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe,0"	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open\command	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\ = "CRYPTED!"	sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\DefaultIcon	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZBRREFORVMFWWE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i92449jtMcCP2K0.exe"	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:3316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:436

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:2836

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:3468

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:5116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
Filesize
949B

MD5
f1bad9df68fd2048163760286e7ba0e6

SHA1
bda9081d420f6b80728811bfc9b551efbc6dddce

SHA256
ba55982fc1d90fdaef69c6b069f39aef64685973f304303f203eaa35b151db05

SHA512
6c2d8f2fc91d8e843b93e6996050649dfa564dc3ee0b8c1c34ef98c65d22ed47e95b9a59bbb11d6414d9101512b626a3eff1b8c5136e14d6b4d598222b141573

Download Submit
memory/1672-132-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1672-133-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads