General

  • Target

    d2352980b25e21274fda5ca245b8c17fe26bd7be9f331ce0b4067282486a821e

  • Size

    2.0MB

  • Sample

    221128-mpz6gacd41

  • MD5

    4916a3a62e24567d390eece7fedbb1f1

  • SHA1

    d0c220e32263472943d7b717b0655f31f4e905fb

  • SHA256

    d2352980b25e21274fda5ca245b8c17fe26bd7be9f331ce0b4067282486a821e

  • SHA512

    24ea01f09c0206672742cefd8d4559c8d3d22ce7a0ba93588e2ee89354ef3f58e30989cb5a8ccfb42e1fd95ab1aad73c8049344a7f2dd38cd5666cba935fd5d0

  • SSDEEP

    49152:ZYnFxxpJWR96vHVXT4AlXKr3LLn0h6RXmJ32MjL2mmbH/O:ZYnFPCRYvyAlarPnC6I53pWfO

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\HOW TO DECRYPT FILES.txt

Ransom Note
Your important Files have been Encrypted: Photos,documents,videos,usb,Etc... CryptoLocker 2015 CONTACT ME IF YOU NEED HELP MY EMAIL [email protected] if you want to decrypt Your Files You Must Pay About 100$ How to Pay? Purchase Bitcoins TIMER STOP FINAL PRICE BTC 1 BITCOIN 1. www.LocaLBitcoins.com or Bitquick.co or HowToBuyBitcoins.info AFTER YOU COPY TXT AND SENT 1 BITCOIN TO SPECIFIC ADDRESS BITCOIN YOUR COMPUTER AUTOMATIC DECRYPT PROCEDURE START! Copy And Pay To Bitcoin Address: 1KxyZV8hQR2BuMqPrQjvatjqzmwwjpcJEs
Wallets

1KxyZV8hQR2BuMqPrQjvatjqzmwwjpcJEs

Targets

    • Target

      d2352980b25e21274fda5ca245b8c17fe26bd7be9f331ce0b4067282486a821e

    • Size

      2.0MB

    • MD5

      4916a3a62e24567d390eece7fedbb1f1

    • SHA1

      d0c220e32263472943d7b717b0655f31f4e905fb

    • SHA256

      d2352980b25e21274fda5ca245b8c17fe26bd7be9f331ce0b4067282486a821e

    • SHA512

      24ea01f09c0206672742cefd8d4559c8d3d22ce7a0ba93588e2ee89354ef3f58e30989cb5a8ccfb42e1fd95ab1aad73c8049344a7f2dd38cd5666cba935fd5d0

    • SSDEEP

      49152:ZYnFxxpJWR96vHVXT4AlXKr3LLn0h6RXmJ32MjL2mmbH/O:ZYnFPCRYvyAlarPnC6I53pWfO

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks