General

  • Target

    99b8962d32d011802dfa8c8aafaf2c1464fa80d9fb107f7fe1abe7005b5af2cf.bin.sample.gz

  • Size

    173KB

  • Sample

    221209-j23kkscf87

  • MD5

    916755125005fc1c26769b7b64f95f7a

  • SHA1

    ac004fd4d3273eca3af2fb472a101d243ae68938

  • SHA256

    90b23c1d63e4c8653e17a75f0eb2921b5190b6635fa49effe00e06d429f6d7a2

  • SHA512

    74da91c2f9ab50c57a5ddaec36eaf2517917f24eecdffa4374107c93e4c53dd694f50b435743ec918af6ede3dee7edb0e61ae06ff35abe1cdff5ad77fa510bfe

  • SSDEEP

    3072:VI18XaYt1UOKaIEvqQLRIJoUGuEv1hpRP86EjWwb4tQSBsF5Ho9/E:VIiKIUNEvqQFISsQnP8jWwgBu5HQ/E

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\HOW TO DECRYPT FILES.txt

Ransom Note

Ooops, your files have been encrypted! -What Happen to my computer? Your important files are encrypted Many of your documents , photos , passwords , databases and other files are no longer accessible because they have been encrypted . Maybe you are busy looking for way to recover your files , but do not waste your time . Nobody can recover your files without our decryption KEY -Can i Recover My Files? Sure.We guarantee that you can recover all your files safely and easlly But You have not so enough time . So If you want to decrypt all your files, you need to pay . You only have 12H to submit the payment.After that price will be doubled Also, If the transaction is not completed within 24 hours your files will be permanently deleted. How To buy bitcoins https://www.bitcoin.com/buy-bitcoin And Send the the correct amount to this address 0.05 BTC 17pXroP4MruitJzpTa88FAPAGD5q5QAPzb
Wallets

17pXroP4MruitJzpTa88FAPAGD5q5QAPzb

URLs

https://www.bitcoin.com/buy-bitcoin

Targets

    • Target

      sample

    • Size

      265KB

    • MD5

      edb9ba4dec60f2fbabe50db587ed035b

    • SHA1

      43ba0dc628d76092dd409a6d21f81e5045ddd24f

    • SHA256

      99b8962d32d011802dfa8c8aafaf2c1464fa80d9fb107f7fe1abe7005b5af2cf

    • SHA512

      7931e66b5c7fe59981835623f4fef3228aed943b49f3b44b1ad8831f28e9f8be8b1be82e1564fa33a843352345f95405198ba89c98bc3e62622b3ab081c7ecfc

    • SSDEEP

      3072:hUQoKIo3zkikzwVNYWGN6ozfnQxct3VCyuVMAAbMIcEWSRgdOdLOfTg:Ryojkia2pGNbZ3EvVxIcEmOdM

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family first seen in 2020.

    • Drops file in Drivers directory

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1