xorist | 934dbbfe39728292a5f2d44d53087b7add0205e00d901cd02d3103df997e21a9 | Triage

Submit
Reports

Overview

overview

Static

static

VirusShare...95.exe

windows7-x64

9

VirusShare...95.exe

windows10-2004-x64

9

Sharing

General

Target

VirusShare_db69dc47e177e79a390089b72d715295
Size

12KB
Sample

240206-z21c8aabfk
MD5

db69dc47e177e79a390089b72d715295
SHA1

836655afa5624cf81b6e6d02dfa0c149e393cf2e
SHA256

934dbbfe39728292a5f2d44d53087b7add0205e00d901cd02d3103df997e21a9
SHA512

96c0d15fc42d91b92c2db0f65d7bfe0c23af9324b890a88a0d61349c9be85cfdcd23449c10387ecdaff3bfd3ec99e13eb96a79f45868a60b0c82e5671f1090a5
SSDEEP

192:y/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMTa/C+U:yebFNw4Pk1itKkpAjjI2YpdmTao

Score

10^/10

xorist persistence ransomware spyware stealer

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

VirusShare_db69dc47e177e79a390089b72d715295.exe

Resource

win7-20231129-en

persistence ransomware spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

VirusShare_db69dc47e177e79a390089b72d715295.exe

Resource

win10v2004-20231222-en

persistence ransomware spyware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  VirusShare_db69dc47e177e79a390089b72d715295
- Size
  
  12KB
- MD5
  
  db69dc47e177e79a390089b72d715295
- SHA1
  
  836655afa5624cf81b6e6d02dfa0c149e393cf2e
- SHA256
  
  934dbbfe39728292a5f2d44d53087b7add0205e00d901cd02d3103df997e21a9
- SHA512
  
  96c0d15fc42d91b92c2db0f65d7bfe0c23af9324b890a88a0d61349c9be85cfdcd23449c10387ecdaff3bfd3ec99e13eb96a79f45868a60b0c82e5671f1090a5
- SSDEEP
  
  192:y/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMTa/C+U:yebFNw4Pk1itKkpAjjI2YpdmTao
Score

9^/10

persistence ransomware spyware stealer
- Renames multiple (17403) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Replication Through Removable Media

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

persistenceransomwarespywarestealer

behavioral2

persistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy