xorist | bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2

Analysis

max time kernel
163s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Size

39KB
MD5

a7ed00a3b0f827a3dccc69d8908f5a22
SHA1

7a36afb00dc04927478303dc7df10c088d00da37
SHA256

bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2
SHA512

b9a55cef1c02c3f23a0065acc1dc20dbea3471f7ce89a67ba75fe993eb6c719901a9128209078bac56a6089d9ca60f71302863d120a842a7b60d5f4c6614b7f6
SSDEEP

768:4rVDCIs4eh3hhNWyTp0jvINEsMUILnidqwH37Zg4cauO2eCmLvB06vfn:4r4imxn10AP3Iuo27ZgtFeD0Uf

Score

10^/10

xorist persistence ransomware upx

Malware Config

Signatures

Detected Xorist Ransomware 14 IoCs

resource	yara_rule
behavioral2/memory/1844-613-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-670-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-698-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-764-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-1062-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-1069-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-1080-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2204-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2210-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2217-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2228-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2570-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2571-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral2/memory/1844-2572-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (922) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1844-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-613-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-670-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-698-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-764-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-1062-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-1069-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-1080-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2204-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2210-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2217-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2228-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2570-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2571-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/1844-2572-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-white.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-white.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-400.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNG	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-200.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\10.jpg	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\256x256.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-48.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-black.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_contrast-black.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-125.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-125_contrast-white.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\ = "CRYPTED!"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\DefaultIcon	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe,0"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open\command	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.keygroup	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.keygroup\ = "PDOMSSVJCXDYMBD"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

C:\Users\Admin\AppData\Local\Temp\bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
"C:\Users\Admin\AppData\Local\Temp\bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt

Filesize
319B

MD5
7de497d552d315fc22f53b31f54f0252

SHA1
ea6eb93c0d3098aea3246259644fdd7b05299c2d

SHA256
f2ef35bb0360cc11ba8e08665d1625a420fc425523fb82c69b0af21281cba894

SHA512
5f1fd33c5d2d554f0a1e0c8884545632340c691e3f7fc2448289aa7255e678819ea642f0d7fc0b3d2c1ce7420d1841f83ad7961d0653945c3acfe54be1f0c55c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
6e0025e714d1b8000abac4a9f235aa3f

SHA1
2cce0c561bf6ca8e29323842223f8acf376142c3

SHA256
c4a24706e1082e6236286ac3617261ca0b02d9ed0756895c747e95e11346acf1

SHA512
33acbd38be0a5633d267f6fbcf76fd7956110ba87aa5ae32601d2c2ad57ec06f9767bea02860f9a839f4d6c70168e2b6fd0c2c70aa4893302fe6771dc197f1df

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
56efeb76b7087b401b4f235abd0bcd1a

SHA1
702a052725fd5bae6026931a09716cffbe0631f0

SHA256
5e3c2f81296a329d804ad01f80d4e69018214e5784874409d2abcd87229dfb68

SHA512
6a50b1e9e3958b8bb5dcd8648cb02d9716a98548b2db60e8c6286645f557facf73270dfc0086e4956f1ca6890b5c914770d398af1d12ed20ad89ff7ec1f14d7f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
a78eb05fc3de01a57aa49726aa7436a1

SHA1
efc0537f2671677151cd8f5bc37fd1058ae4675b

SHA256
8c26bc9591dcc34cc0b981e23c80317a25ca0bc74e69490bfd59be9f00062dea

SHA512
c86bfb9541606af1673a4e49c4829d1429755be37e7b0db8309198810a9e4304bd7f1f8c48e1701601d6d424e4c8cd0e6ed3453219894c52a3c3cfd4dcf30dde

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e65f064482b5a89a54e57280e9827de6

SHA1
dd7af4d30264141908c98bcab92fc67911421c4d

SHA256
66df4ffd1c2524bd94de38254e8c857a42808a6c57ab86eda86604e0179ef5bf

SHA512
e42c5039e7e727c4b8a017e76c92d0b1f85ed1d6a78c53a237d0955381705a5ed7e8de6487bf49c21d86de3b2648b7203c402c7a296571ab85db3f66b14edc77

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
107KB

MD5
f842e0d50759996bd79cd1535683750e

SHA1
4c07738523898a03df11b16a09fbc0c5fc8e05ad

SHA256
29374db414748a2b3ecc4462660de87800e9c0e8150ed5dcaa7949aa6f5678af

SHA512
118e9da116817ec77d8301e0229f563ec2a7c3ae195aec4daa8866e647ee2403ab3b007fac694462a1c77eacae96e582022944e79d9e1bcc7b051580ffcc22b3

Download Submit
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
b7c94ad5150b4151a12ec8d452afb0a2

SHA1
d5157997bfbd8639d2a28d39ecf2035ace199f18

SHA256
38cb78060f76f8920c85257939adfdb99fea78e04ed9d79b5b3e507ac1a4e327

SHA512
03610c2ef07a34f22cd4e36a14fb85b1d8de8fdfde94bc4ac71461060a624f40790b8c0493b58747006da9c0981215b6a8c3130f98aec2886d84bd172251df08

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
42B

MD5
e09b69727262ec2453887c22eca510da

SHA1
f3dd0f1547233a701787890dd8edfdfba0961c18

SHA256
401f301f5c07e5565c4eb7704843884335ad5614bf068a90b89fa74340d67812

SHA512
b5496372e36a9cc903f14d30dae02fe2c2607cc620f4990a01c8080f2e7c6c217f6361ba1ef12e94d25432ad0d7e127583c767596bfca52d0c2b624541ec1df1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1014KB

MD5
5bd74a107e5ec46865bb1515ed9c0daa

SHA1
17c52c46e5aa6f523513063c1c2ff29fbe4214a7

SHA256
b1ad268bda6aea994c7cd605c6a3b6530ee2adb24df8dc8f925a5c5ced3f9cde

SHA512
32efad807d7203ecfb1cda572c95176c501675642920b829eed06d1bb1dca459b19ec2a865f69b9cf66e4e086f0f60eb4d8b2e10b6334f4587809253da45d978

Download Submit
memory/1844-2204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-764-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-613-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-1062-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-1069-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-670-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-698-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-1080-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2228-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2570-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2571-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-2572-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads