Resubmissions
23-11-2020 10:42  201123-snhph417fe  10
10-11-2020 12:08  201110-s1senzaeea  10
05-11-2020 16:42  201105-y9hantbmge  8

Analysis
Max time kernel: 149s
Max time network: 110s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 10-11-2020 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
  Resource: win10v20201028
General
Target: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Size: 583KB
MD5: 74d4e0e6dcf5cc7942c35e630036af0c
SHA1: c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SHA512: 110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb
Malware Config
Signatures

Detected Xorist Ransomware (4 IoCs)
resource                                      yara_rule
behavioral2/files/0x000200000001ab6f-6.dat    family_xorist
behavioral2/files/0x000200000001ab70-8.dat    family_xorist
behavioral2/files/0x000200000001ab6f-11.dat   family_xorist
behavioral2/files/0x000200000001ab70-9.dat    family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.

Executes dropped EXE (3 IoCs)
pid   Process
1896  javas.exe
2032  javas2.exe
2172  asat2.exe

resource                                      yara_rule
behavioral2/files/0x0008000000000687-4.dat    upx
behavioral2/files/0x000200000001ab6f-6.dat    upx
behavioral2/files/0x000200000001ab70-8.dat    upx
behavioral2/files/0x0008000000000687-10.dat   upx
behavioral2/files/0x000200000001ab6f-11.dat   upx
behavioral2/files/0x000200000001ab70-9.dat    upx
Adds Run key to start application (2 TTPs, 6 IoCs)
description      ioc                                                                                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe"   asat2.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                             javas2.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe"   javas2.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                             javas.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe"   javas.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                             asat2.exe
Drops desktop.ini file(s) (12 IoCs)
description                   ioc                                                                                            Process
File opened for modification  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini                          javas2.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini                          javas.exe
File opened for modification  C:\Program Files\desktop.ini                                                                   javas2.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI                  javas.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI                  asat2.exe
File opened for modification  C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini                     javas2.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini                          asat2.exe
File opened for modification  C:\Program Files\desktop.ini                                                                   javas.exe
File opened for modification  C:\Program Files\desktop.ini                                                                   asat2.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI                  javas2.exe
File opened for modification  C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini                     asat2.exe
File opened for modification  C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini                     javas.exe
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (30 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                    procid_target
PID 3984 wrote to memory of 1896  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      74
PID 3984 wrote to memory of 1896  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      74
PID 3984 wrote to memory of 1896  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      74
PID 3984 wrote to memory of 2032  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      75
PID 3984 wrote to memory of 2032  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      75
PID 3984 wrote to memory of 2032  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      75
PID 3984 wrote to memory of 2172  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      76
PID 3984 wrote to memory of 2172  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      76
PID 3984 wrote to memory of 2172  3984  3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe      76
Processes

C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
  PID: 3984
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\javas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\javas.exe"
    PID: 1896
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class

  C:\Users\Admin\AppData\Local\Temp\javas2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\javas2.exe"
    PID: 2032
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class

  C:\Users\Admin\AppData\Local\Temp\asat2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\asat2.exe"
    PID: 2172
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class