xorist | 71fd02f4c99304a3308087baf500fff484645413d633afdb74380de7aac564f3 | Triage

Submit
Reports

Overview

overview

Static

static

3

1f210c60f9...40.exe

windows7-x64

1f210c60f9...40.exe

windows10-2004-x64

Sharing

General

Target

71fd02f4c99304a3308087baf500fff484645413d633afdb74380de7aac564f3
Size

29KB
Sample

240419-wzag8scf7v
MD5

17918fb06d51823743387d4d7a1c7e33
SHA1

b5e38e285f983ed6b6065525f67b60c9e671517b
SHA256

71fd02f4c99304a3308087baf500fff484645413d633afdb74380de7aac564f3
SHA512

1aefd4dcd8cbe4e7b456bb516c93e9fd2f6f1d98383eb01658c9a8a3937568e68e1da55335ba4e1086a3e1f8cb51b5807cf717c1303fabbc178b54b33f04d0e4
SSDEEP

768:e/fZc2ezniCkQea79oh4UZbJrbC2Uw8xMtKs8+a5V:e/fZc2ebh9oikbRbLGMKdH

Score

10^/10

xorist persistence ransomware spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Resource

win7-20240221-en

xorist persistence ransomware spyware stealer upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Resource

win10v2004-20240412-en

xorist persistence ransomware spyware stealer upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40
- Size
  
  43KB
- MD5
  
  c86e6c9a14e2c11428dea7f72805d999
- SHA1
  
  1e41e641e54bb6fb26b5706e39b90c93165bcb0b
- SHA256
  
  1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40
- SHA512
  
  32ed8ef777e5d30ae086d6bd05202b94932f6894e25a48c2e92a2e8a77ba80651c45ee04ed0b70831d479a74a2d48af14b40623e59c06223289cb3d4b144576d
- SSDEEP
  
  768:wO70S7b0vJinmDOxCRfcwt5Dqcjgqa57R/SVcQPnmX5URz7D7PpUmNq:ngawv2PTq5D1jgZ7RKJeJU1D7PpUQ
Score

10^/10

xorist persistence ransomware spyware stealer upx
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Renames multiple (2184) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xoristpersistenceransomwarespywarestealerupx

behavioral2

xoristpersistenceransomwarespywarestealerupx

© 2018-2025

Terms | Privacy