General

  • Target

    f4af0ac6adecdca36a32b013cb709851c2cd732e20db6ec55e9036bd352e2fe0

  • Size

    1.7MB

  • Sample

    221029-svnyaadbal

  • MD5

    da038f272b0b93f0826e4283e15d0fb5

  • SHA1

    5cbe114a36377528cbfd1e3e137b991380f70abb

  • SHA256

    f4af0ac6adecdca36a32b013cb709851c2cd732e20db6ec55e9036bd352e2fe0

  • SHA512

    3fbee6de83522d954f7cb9824cfe316fd6f713dd8a33931f74d66cb7294fdccfa2300ea0c7242aa6c1ab11c0e6d7182a467615d52ab5eb3d7258a0803220223a

  • SSDEEP

    49152:yYnFxxpJWCqb6t08+9UyVpiDnaC7mV5RmrjhkJZZvl:yYnFPC9b6+8snVkFCwrjhSl
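The digests above identify the sample, and the Targets section further down flags it as UPX-packed and AutoIt-compiled. The following Python is an added example, not part of this sandbox report or of any tool it uses: it verifies a local file against the listed digests and performs the two cheapest static checks behind those signatures, reading the PE section table for `UPX0`/`UPX1` names and searching for the `UPX!` stub marker and the `AU3!EA06` compiled-AutoIt marker. The `build_fake_pe` helper constructs a minimal PE image so the script runs offline; it is not the sample and carries no real code.

```python
import hashlib
import struct
import sys

# Digests listed for the target on this page. Compare before analysing a copy
# obtained from elsewhere so the notes you take refer to the same file.
PAGE_HASHES = {
    "md5": "da038f272b0b93f0826e4283e15d0fb5",
    "sha1": "5cbe114a36377528cbfd1e3e137b991380f70abb",
    "sha256": "f4af0ac6adecdca36a32b013cb709851c2cd732e20db6ec55e9036bd352e2fe0",
    "sha512": "3fbee6de83522d954f7cb9824cfe316fd6f713dd8a33931f74d66cb7294fdccf"
              "a2300ea0c7242aa6c1ab11c0e6d7182a467615d52ab5eb3d7258a0803220223a",
}


def compute_hashes(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm the page lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in PAGE_HASHES}


def verify_hashes(data: bytes, expected: dict = PAGE_HASHES) -> dict:
    """Per-algorithm True/False: does `data` match the expected digest?"""
    actual = compute_hashes(data)
    return {alg: actual[alg] == digest.lower() for alg, digest in expected.items()}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table, return names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]    # Name[8], NUL padded
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def static_triage(data: bytes) -> dict:
    """Cheap static indicators for the 'UPX packed file' and 'AutoIT Executable' signatures."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),  # stock UPX: UPX0/UPX1
        "upx_marker": b"UPX!" in data,            # l_info magic in the stock decompression stub
        "autoit_marker": b"AU3!EA06" in data,     # marker of a compiled AutoIt3 script resource
    }


def build_fake_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE image for testing only: DOS stub, PE signature,
    COFF header with SizeOfOptionalHeader=0, then one 40-byte header per section."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + sections + trailer


if __name__ == "__main__":
    # Usage: python static_triage.py <path-to-sample>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print("hash match:", verify_hashes(blob))
    print("static:", static_triage(blob))
```

Absence of both UPX indicators proves nothing: a modified UPX build (which is exactly what the signature text allows for) commonly renames the sections and patches out `UPX!`, so a high-entropy `.text` section with a tiny import table is the next thing to look at, and unpacking then usually means dumping from memory rather than `upx -d`.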

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HOW TO DECRYPT FILES.txt

Ransom Note
Your Very important files Strong Encryption RSA-4096 produces on this Computer:documents,Photos,Videos,usb disks Etc...Nobody and never will be able to restore files is impossible without paying the ransom Yes OK which is allow to decrypt and return control to all your encrypted files.To get the key to decrypt files you have to pay 0.25 Bitcoin TIMER STOP FINAL PRICE Your Region = 50$ USD/EUR. Just After payment specify the Bitcoin Address.Our robot will check the Bitcoin ID and when the transaction will be completed,You'll Receive Activation!You need to following instruction HOW BUY FAST 1.www.Localbitcoins.com 2.www.bitquick.co 3. e-scrooge.is 4. howtobuybitcoins.info OK MY EMAIL = [email protected] We Wait In Our Wallet Your Transaction WE GIVE YOU DETAILS! ON YOUR BRAIN! AFTER YOU MAKE PAYMENT BITCOIN YOUR COMPUTER AUTOMATIC DECRYPT PROCEDURE START! YOU MUST COPY ADRES AND PAY Send 0.25 BTC To Specific! Bitcoin Address: 1HwP1tFUu64upXhNsEjuunAaF6Yh9VT2s5
Wallets

1HwP1tFUu64upXhNsEjuunAaF6Yh9VT2s5

Targets

    • Target

      f4af0ac6adecdca36a32b013cb709851c2cd732e20db6ec55e9036bd352e2fe0

    • Size

      1.7MB

    • MD5

      da038f272b0b93f0826e4283e15d0fb5

    • SHA1

      5cbe114a36377528cbfd1e3e137b991380f70abb

    • SHA256

      f4af0ac6adecdca36a32b013cb709851c2cd732e20db6ec55e9036bd352e2fe0

    • SHA512

      3fbee6de83522d954f7cb9824cfe316fd6f713dd8a33931f74d66cb7294fdccfa2300ea0c7242aa6c1ab11c0e6d7182a467615d52ab5eb3d7258a0803220223a

    • SSDEEP

      49152:yYnFxxpJWCqb6t08+9UyVpiDnaC7mV5RmrjhkJZZvl:yYnFPC9b6+8snVkFCwrjhSl

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family generated by a leaked builder kit that has circulated since about 2011. Despite notes such as the one above claiming RSA-4096, the builder only offers symmetric XOR or TEA encryption with the key embedded in the binary, which is why free decryptors exist for most variants; recover the key from the sample before considering the payment demand.

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer. A stock build unpacks with `upx -d`; a modified stub usually does not and has to be dumped from memory after the unpacking routine runs.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data (saved credentials, cookies, history). Note that a file encryptor walking user profile directories also opens these files, so for a ransomware sample this signature does not by itself indicate credential theft.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIt scripts compiled to PE executables. The original script can usually be recovered with an AutoIt decompiler (Exe2Aut or myAut2Exe), which is often the fastest route to the sample's logic; the UPX layer has to come off first.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread in another process is the step in process hollowing and similar injection where the suspended thread's entry point is redirected to injected code; debuggers use the same API legitimately, so check which process the target thread belongs to.
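The signature names in this list are behavioural, so the same logic can be re-run against your own file and registry telemetry to find the sample's activity on a host. The following Python is an added example, not the sandbox's detection code: it encodes six of the listed behaviours as predicates over file-create and registry-set records and reports which signatures a record stream triggers. The records are constructed for the example; only the ransom-note path comes from this page, and the user name, value names and file names are made up.

```python
import re

# Constructed records (not from the run on this page) shaped like what a Sysmon
# (event 11 file create, event 13 registry value set) or EDR feed would carry.
SAMPLE_EVENTS = [
    {"type": "FileCreate",
     "path": r"C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HOW TO DECRYPT FILES.txt"},
    {"type": "RegSetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "winupd", "data": r"C:\Users\victim\AppData\Roaming\winupd.exe"},
    {"type": "RegSetValue", "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\victim\AppData\Local\Temp\wall.bmp"},
    {"type": "FileCreate",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupd.lnk"},
    # A hosts-file write lands under System32\drivers\etc, so it fires the
    # "Drivers directory" signature without any kernel driver being dropped.
    {"type": "FileCreate", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "FileCreate", "path": r"C:\Users\victim\Documents\report.docx"},   # benign control
]


def _file(pattern):
    """Predicate: file-create event whose path matches `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: ev["type"] == "FileCreate" and bool(rx.search(ev["path"]))


def _reg(key_pattern, value_name=None):
    """Predicate: registry-set event under a matching key, optionally for one value name."""
    rx = re.compile(key_pattern, re.IGNORECASE)
    return lambda ev: (ev["type"] == "RegSetValue" and bool(rx.search(ev["key"]))
                       and (value_name is None or ev["value"].lower() == value_name.lower()))


# Signature name from the report -> predicate. The Xorist rule keys on the ransom-note
# filename listed under Malware Config; that is this example's choice of indicator,
# not necessarily how the sandbox itself detects the family.
RULES = {
    "Detected Xorist Ransomware": _file(r"\\HOW TO DECRYPT FILES\.txt$"),
    "Drops file in Drivers directory": _file(r"^[A-Z]:\\Windows\\System32\\drivers\\"),
    "Drops file in System32 directory": _file(r"^[A-Z]:\\Windows\\System32\\"),
    "Drops startup file": _file(r"\\Start Menu\\Programs\\Startup\\[^\\]+$"),
    "Adds Run key to start application":
        _reg(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$"),
    "Sets desktop wallpaper using registry": _reg(r"\\Control Panel\\Desktop$", "Wallpaper"),
}


def match_events(events):
    """Return {signature name: [triggering events]} for every rule that fires."""
    hits = {}
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.setdefault(name, []).append(ev)
    return hits


if __name__ == "__main__":
    for name, evs in match_events(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

Two of the six rules are weak on their own: anything written under `System32\drivers\` (the hosts file included) satisfies the Drivers-directory rule, and the System32 rule fires for the same write, so treat those as context for the ransom-note, Run-key and wallpaper hits rather than as independent evidence.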
