Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 11:02

General

  • Target

    4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe

  • Size

    346KB

  • MD5

    99df60e4e6bd3497f40736a408dd0a46

  • SHA1

    d02937c29a00c4d15fbcb19a9afd85a9ad3fce6b

  • SHA256

    4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f

  • SHA512

    aa902f62c05b5682209459d354dc70d243125612fff1000879b5ee0d32b58c8b503a140942376483ad41de4c4d29502bf3f3f92a4a910418f9af3b5cf6671f32

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL TO NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) THE PRICE FOR DECRYPTOR SOFTWARE IS 0.8 BTC BTC ADRESS : 3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg (where you need to make the payment) VERRY IMPORTANT ! DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA . ANTIVIRUSES ONLY DESTROY THE ENCRYPTED DATA , THEY DO NOT KNOW THE ALGORITH WITH WICH THE ENTIRE SYSTEM WAS ENCRYPTED. THE ONLY WAY TO DECRYPT YOUR SYSTEM AND RETURN TO NORMAL IS TO BUY THE ORIGINAL DECRYPTOR SOFTWARE. For more information : repair_data@scryptmail.com (24/7) Subject : SYSTEM-LOCKED-ID: 10191895
Emails

repair_data@scryptmail.com

Wallets

3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Signatures

  • Detected Xorist Ransomware 2 IoCs
  • Xorist Ransomware

    Xorist is a ransomware first seen in 2020.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe
    "C:\Users\Admin\AppData\Local\Temp\4b190a407bca89dd4778afa551bdc58dddff26fc5fe7622453e836ecdfaf565f.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060), 1 signature

  • Defense Evasion
    Modify Registry (T1112), 1 signature

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini
    Filesize

    129B

    MD5

    102809ec948569f9f6975c03d7e3e689

    SHA1

    6c0be287ad1d680ea9593c3266cb9d5f1a073a2b

    SHA256

    aaf90b204a8909085e56a7783b67b9bb241cb8b95c9106d5ddea17765eab10ef

    SHA512

    5bea7ba76f2d00a2cdac3135b92e65b1a224a7a57b63b0d64d9f1826c30e73ab967b39275170f4367d3eb30b625e3f1be9aa10910fc6748f92e443bf2fdf8284

  • memory/3456-130-0x0000000000700000-0x0000000000721000-memory.dmp
    Filesize

    132KB

  • memory/3456-131-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB

  • memory/3456-133-0x0000000000400000-0x0000000000465000-memory.dmp
    Filesize

    404KB