Overview

overview

10

Static

static

0873b47caf...da.exe

windows7-x64

0873b47caf...da.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    0873b47caf6e9052441e48a2bb66a07aab0ea857a72c200e76b5a8e7580a91da

  • Size

    51KB

  • Sample

    221201-hl7c6ade57

  • MD5

    f055a132de2ad3733859b7db2a2a584d

  • SHA1

    e729f54392e6503f3d60efddb4785fab05719d8d

  • SHA256

    0873b47caf6e9052441e48a2bb66a07aab0ea857a72c200e76b5a8e7580a91da

  • SHA512

    8efa3ea64bddc82e8ded87538b11c3610d1543bdab47e27ccb4010ee8f950f7b9a6fa197cb218cd2b7ab50db3e7480285ad3712ce275b7c03b7088c6c367bb8a

  • SSDEEP

    768:GrDe5WY9c1IM29sWOvrM3Ogfx9a5/NMkWQr4D4QFjbLQCH7sW0qJ5/LfRK1og:G/XqTM29sWOmv9aNntrc4oQtI/K1og

Score
10/10
xoristdiscoverypersistenceransomwarespywarestealerupx

Malware Config

Targets

    • Target

      0873b47caf6e9052441e48a2bb66a07aab0ea857a72c200e76b5a8e7580a91da

    • Size

      51KB

    • MD5

      f055a132de2ad3733859b7db2a2a584d

    • SHA1

      e729f54392e6503f3d60efddb4785fab05719d8d

    • SHA256

      0873b47caf6e9052441e48a2bb66a07aab0ea857a72c200e76b5a8e7580a91da

    • SHA512

      8efa3ea64bddc82e8ded87538b11c3610d1543bdab47e27ccb4010ee8f950f7b9a6fa197cb218cd2b7ab50db3e7480285ad3712ce275b7c03b7088c6c367bb8a

    • SSDEEP

      768:GrDe5WY9c1IM29sWOvrM3Ogfx9a5/NMkWQr4D4QFjbLQCH7sW0qJ5/LfRK1og:G/XqTM29sWOmv9aNntrc4oQtI/K1og

    Score
    10/10
    xoristdiscoverypersistenceransomwarespywarestealerupx

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks