Overview

overview

10

Static

static

1

Encoder Bu...P).rar

windows7-x64

1

Encoder Bu...P).rar

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Encoder Builder v2.4 (pass DIMA-XP).rar

  • Size

    1.2MB

  • MD5

    c19584765504783624918d1459cd6499

  • SHA1

    3c87b34cf3b9243f574d490fcd4031dd9edf68e8

  • SHA256

    b5cd4b8c5c616fab5924452155581bc94e0fe0d67cf8286e300be3d985ca5ef6

  • SHA512

    b9869c78359720d2aded618a0a01d3091f2cc38087af7c2e1aad07917a7053c9e25c21cd498af7b72d53ffd362d9cba09aac451d6d765316a8cbb4356b77c155

  • SSDEEP

    24576:ZIJujiWNRlr17yDmy67P3jbDMFhVnbk3KNADaIPRn5tJKzjU978F6+:BRlrRxymPgFrNANN5Tuj5Z

Score
10/10
xoristdiscoveryransomwareupx

Malware Config

Signatures

  • Detected Xorist Ransomware 11 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

    ransomwarexorist
  • Xorist family
    xorist
  • Executes dropped EXE 8 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4768
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1940
    • C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe
      "C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Users\Admin\AppData\Local\Temp\upx.exe
        "C:\Users\Admin\AppData\Local\Temp\upx.exe" -9 "C:\Users\Admin\Desktop\nigger.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2008
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4764
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3628
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      PID:1692
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      PID:3392
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      PID:408
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      PID:4492
    • C:\Users\Admin\Desktop\nigger.exe
      "C:\Users\Admin\Desktop\nigger.exe"
      1⤵
      • Executes dropped EXE
      PID:824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zE0A2542C7\Encoder Builder v2.4\Encoder Builder v2.4\bin\._.DS_Store
      Filesize

      4KB

      MD5

      241ea797774c86197000ffd2fe2ed491

      SHA1

      2452430e8782abd83462c2a2a4ef2dbfbf2ca4e9

      SHA256

      37852a6bced076acaa2cb93a36e3e60e7a4558fa7bc485b886952deef0108a3d

      SHA512

      58b3f564a47151a0c4518406172e4ef409faad35c135078d692d9579281343c25b8a5aa4c35ae94ce7b6a229af9ea971a4d6effb54184a0a88d0762a4451aeb8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\upx.exe
      Filesize

      283KB

      MD5

      308f709a8f01371a6dd088a793e65a5f

      SHA1

      a07c073d807ab0119b090821ee29edaae481e530

      SHA256

      c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35

      SHA512

      c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

      Download Submit

    • C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe
      Filesize

      883KB

      MD5

      4c824eb8598f175d41e9a2ea06129890

      SHA1

      64b57ea796956cbb60ce4fc702239cbc395aee6f

      SHA256

      7a57d83ae7fde49cfd57e7d2753570306a09c6082bc82f75c89d23fa650a0011

      SHA512

      122e509a3101a67d867f7a3653c8e5d2f838a04c7cb6a97af52e6b35ad709099a3b5940bca48be225ef0d8403537150f232f6137689180a6fd62affef5114845

      Download Submit

    • C:\Users\Admin\Desktop\nigger.exe
      Filesize

      6KB

      MD5

      c0359eff2544c2e59037b6bc57afb535

      SHA1

      39412f5c9e6fd624312441ccbd85a498aed9637c

      SHA256

      c955beab8021c516e967632d841aed7496c6bdaed70ddcaf65554dea48790a88

      SHA512

      76c279bf4fab8918207162950b684be6fff293b364bca0884184f9a4663b747d2fdc84052812056ed3d07fe32a313f25b8ce39e00a9403e7d7e3efca7fd97f68

      Download Submit

    • C:\Users\Admin\Desktop\nigger.exe
      Filesize

      11KB

      MD5

      d94bfb49259b0dc224580099d88899e5

      SHA1

      33d595f97c39684562e9c3342d1477719e91678d

      SHA256

      cee0058819af4ced052cc25032682e1739574080196e4727b8b390591d634003

      SHA512

      a1be423b0a76696688ff0999b840e9bd80397506e0a921383c61f84e2dda9a2fc93d7745d7d9f304e7c440553dac4002141d47f27d7308746ca1948fcbc9c71f

      Download Submit

    • memory/408-117-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/824-121-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1692-113-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2008-98-0x0000000000400000-0x000000000057E000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2008-105-0x0000000000400000-0x000000000057E000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3392-115-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3628-107-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3628-110-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4492-119-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4692-86-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4692-111-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/4692-85-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/4692-84-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4692-122-0x0000000000400000-0x00000000004E2000-memory.dmp

      Filesize

      904KB

      Download