General

  • Target

    NEAS.a6f5e09a630d69c04c183c8bb632b220_JC.exe

  • Size

    207KB

  • Sample

    231105-em82laaf5y

  • MD5

    a6f5e09a630d69c04c183c8bb632b220

  • SHA1

    5153a81f00b771576ff41f39f4f5a5773cd3bae3

  • SHA256

    1e03c1e489f04d23e46aca176ac23d2492f049008c53f774f010818a63ae3874

  • SHA512

    17a975b0710f66ac098a80494090bc48b2fe3d6955ccccd5ca227d68bbd2a8918cec692cf3b107e0ac1d9136c97d4ff383e7049ce36db17ecab4970d27a2cb7d

  • SSDEEP

    3072:KUQiLu8YVxgi5Iy+nmOSrxwgHX+MB7+4TFB/ahEFAs2I47r:aMqINmOyygDBa43FTpE

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note
Hello, All your files have been encrypted.
To decrypt them, you must make a payment of 0.04 bitcoins.
Ensure that you send the 0.04 bitcoins to the following address: bc1qygn239pmpswtge00x60ultpp6wymht64ggf5mk
If you don't own bitcoin, you can easily purchase it from the following sites: www.coinmama.com www.bitpanda.com www.localbitcoins.com www.paxful.com
For a more extensive list, please visit: https://bitcoin.org/en/exchanges
Once the bitcoin has been sent, contact me at either of these email addresses: [email protected] [email protected]
Use this subject: GOTIS004-ID-PCIS05301004
For a good communication experience, kindly create an account on skiff.com and get in touch with us.
After the payment is confirmed, you will receive the decryptor and decryption keys.
Additionally, you will be provided with information on how to safeguard against future ransomware attacks, including details about the security vulnerability through which we gained access.
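The extracted note above carries the pivot points an analyst actually wants from it: the payment address, the demanded amount, the "subject" the victim is told to use (which looks like a campaign/victim identifier), and the URLs the note points to. The following is an added example, not part of the sandbox report, that pulls those fields out of the note text and defangs the URLs so they can be pasted into a ticket safely. The note text is embedded as a constructed copy of the one in the report; the contact e-mail addresses are masked on this page, so nothing is recovered for them. Only the bech32 character set and length are checked for the bitcoin address, not its checksum.

```python
"""Extract pivotable IOCs from a Xorist-style ransom note (added example)."""
import re

# Constructed copy of the ransom note as shown in the report (e-mails masked on the page).
NOTE = (
    "Hello, All your files have been encrypted. To decrypt them, you must make a payment "
    "of 0.04 bitcoins. Ensure that you send the 0.04 bitcoins to the following address: "
    "bc1qygn239pmpswtge00x60ultpp6wymht64ggf5mk If you don't own bitcoin, you can easily "
    "purchase it from the following sites: www.coinmama.com www.bitpanda.com "
    "www.localbitcoins.com www.paxful.com For a more extensive list, please visit: "
    "https://bitcoin.org/en/exchanges Once the bitcoin has been sent, contact me at either "
    "of these email addresses: [email protected] [email protected] Use this subject: "
    "GOTIS004-ID-PCIS05301004 For a good communication experience, kindly create an account "
    "on skiff.com and get in touch with us. After the payment is confirmed, you will receive "
    "the decryptor and decryption keys."
)

# bech32 addresses use hrp "bc", separator "1", then only these 32 characters (no 1, b, i, o).
BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*bitcoins?", re.IGNORECASE)
SUBJECT_RE = re.compile(r"Use this subject:\s*(\S+)")


def plausible_btc_address(addr: str) -> bool:
    """Format check only: native segwit v0 addresses are 42 (P2WPKH) or 62 (P2WSH) chars."""
    return addr.startswith("bc1q") and len(addr) in (42, 62)


def defang(url: str) -> str:
    """Make a URL non-clickable for reports: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(note: str) -> dict:
    """Return the payment address(es), amount, contact subject and defanged URLs."""
    addresses = [a for a in BECH32_RE.findall(note) if plausible_btc_address(a)]
    amount = AMOUNT_RE.search(note)
    subject = SUBJECT_RE.search(note)
    return {
        "btc_addresses": sorted(set(addresses)),
        "amount_btc": amount.group(1) if amount else None,
        "subject": subject.group(1) if subject else None,
        "urls": [defang(u) for u in URL_RE.findall(note)],
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key}: {value}")
```

The "subject" string is worth keeping as an indicator in its own right: it is the token that lets the operator tie a victim to a key, so other notes sharing the same prefix are likely from the same build or affiliate.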

Targets

    • Target

      NEAS.a6f5e09a630d69c04c183c8bb632b220_JC.exe

    • Size

      207KB

    • MD5

      a6f5e09a630d69c04c183c8bb632b220

    • SHA1

      5153a81f00b771576ff41f39f4f5a5773cd3bae3

    • SHA256

      1e03c1e489f04d23e46aca176ac23d2492f049008c53f774f010818a63ae3874

    • SHA512

      17a975b0710f66ac098a80494090bc48b2fe3d6955ccccd5ca227d68bbd2a8918cec692cf3b107e0ac1d9136c97d4ff383e7049ce36db17ecab4970d27a2cb7d

    • SSDEEP

      3072:KUQiLu8YVxgi5Iy+nmOSrxwgHX+MB7+4TFB/ahEFAs2I47r:aMqINmOyygDBa43FTpE

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a commodity ransomware family that has been in circulation since at least the mid-2010s (not 2020). Samples are produced by a builder that lets the operator choose the appended extension, the ransom note text and the encryption settings, which is why notes and extensions vary between campaigns. Free decryptors exist for many older Xorist variants, so a victim should check those before considering payment.

    • Renames multiple (10487) files with added filename extension

      Mass renaming with an added extension is consistent with ransomware encrypting files across the system; the count here is from one analysis run.

    • Renames multiple (7021) files with added filename extension

      Same behaviour observed in a second analysis run with a different file count; the number depends on how many files the test system exposes to the sample.

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often read stored browser data, which can include saved credentials, cookies and session tokens; in a ransomware sample this is worth confirming, since it may indicate data theft before encryption.

    • UPX packed file

      The executable is packed with UPX or a modified UPX build (an open-source packer). Stock UPX leaves recognisable section names (UPX0, UPX1) and can be unpacked with the UPX tool itself; a modified build may strip those markers and require manual unpacking.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
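Two of the report's facts are worth checking on your own copy before going further: that the file you have is the one the hashes under General describe, and whether the UPX signature above fires for stock UPX (recoverable with the UPX tool) or for a modified build. The following is an added example, not the sandbox vendor's code, that hashes a file, compares it with the MD5/SHA1/SHA256 values from this report, and reads the PE section table to look for UPX section names and the "UPX!" marker. A stripped or renamed UPX build will not be caught by these checks; that is the caveat the signature description itself implies. The fake PE builder exists only to provide constructed test input.

```python
"""Triage helper: verify the sample against the report's hashes and check for stock UPX."""
import hashlib
import struct

# Copied from the report for NEAS.a6f5e09a630d69c04c183c8bb632b220_JC.exe.
REPORT_HASHES = {
    "md5": "a6f5e09a630d69c04c183c8bb632b220",
    "sha1": "5153a81f00b771576ff41f39f4f5a5773cd3bae3",
    "sha256": "1e03c1e489f04d23e46aca176ac23d2492f049008c53f774f010818a63ae3874",
}


def hash_bytes(data: bytes) -> dict:
    """Compute the digests the report lists (SHA512 omitted for brevity)."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every listed digest matches; one mismatch means a different file."""
    actual = hash_bytes(data)
    return all(actual[name] == digest for name, digest in expected.items())


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table; return [] for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +20.
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX: UPX0/UPX1 section names and a 'UPX!' marker. Modified builds may hide both."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE32 header for testing; not a real or runnable binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


def triage(data: bytes) -> dict:
    return {
        "matches_report": matches_report(data),
        "sections": pe_section_names(data),
        "upx": looks_upx_packed(data),
    }


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

If `upx` is true, `upx -d` on a copy usually yields the unpacked binary; if the hashes match but the section names are ordinary, assume a modified packer and expect to unpack by hand.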

MITRE ATT&CK Enterprise v15

Tasks