General

  • Target

    FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.bat

  • Size

    917B

  • Sample

    230102-larecadg78

  • MD5

    b24fdc872260f29a59e4b8d64951178f

  • SHA1

    6737ddd082d82734350b1ea027b831b9d1a40cca

  • SHA256

    d538905616374227d085054f88dad318d0580232f5fc3be46cb7d97276a58525

  • SHA512

    26df85b2c8d044d277773c4b22db778022dd9c36ab1d9caae1a34643e246553a85c3f180ad7c2b747ccb9d23947081ed45a8d8220aa3d027e79150ba8069f39f

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - DA639EF141F3E3C35EA62FF284200C29FA2E7E597EF150FDD526F9891CED372CBB9AB7B8BEC8 For more information : [email protected] (24/7) Second Support Via Email Subject : SYSTEM-LOCKED-ID: MortalKombat=ID12DJ901S

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

    • Target

      FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.bat

    • Size

      917B

    • MD5

      b24fdc872260f29a59e4b8d64951178f

    • SHA1

      6737ddd082d82734350b1ea027b831b9d1a40cca

    • SHA256

      d538905616374227d085054f88dad318d0580232f5fc3be46cb7d97276a58525

    • SHA512

      26df85b2c8d044d277773c4b22db778022dd9c36ab1d9caae1a34643e246553a85c3f180ad7c2b747ccb9d23947081ed45a8d8220aa3d027e79150ba8069f39f

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks