General

  • Target

    a2449e48a4047644ad84d4f00409c2d0N

  • Size

    206KB

  • Sample

    240913-acc4ystcnb

  • MD5

    a2449e48a4047644ad84d4f00409c2d0

  • SHA1

    b268604e5c70f6f3add1dec4024d2935d3cb2da2

  • SHA256

    3d9a47a80e9022fafda9c5bc3e50155adb282395f50748e126a02a73113b625c

  • SHA512

    6bbd90299a583b42d41b3a3a8a4ff43f2eca16b67e6eb53800b883de36dadfe4404a62293368ba85410145f0c48ce3398f587ed1ab91594688942a6c5d222a87

  • SSDEEP

    3072:qUQPGOzKv7Mu6t/+xwgHX+MB7+4TFY/ahEFAj2I4Nk:6eOmTD6cygDBa42FQp5
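As an added example (not part of the sandbox report), the following Python checks a file or byte string against the digests listed above. It streams the file once while updating all four digests, and it treats an SHA-256/SHA-512 hit as a real match but an MD5- or SHA-1-only hit as weak evidence, since collisions for those are practical. The SAMPLE_IOCS table is copied from this page; the function names and the "weak-match" verdict scheme are this example's own choices.

```python
"""Check a file against the hash IOCs from the report (added example)."""
import hashlib
import sys
from pathlib import Path

# Digests copied verbatim from the report's General section.
SAMPLE_IOCS = {
    "md5": "a2449e48a4047644ad84d4f00409c2d0",
    "sha1": "b268604e5c70f6f3add1dec4024d2935d3cb2da2",
    "sha256": "3d9a47a80e9022fafda9c5bc3e50155adb282395f50748e126a02a73113b625c",
    "sha512": "6bbd90299a583b42d41b3a3a8a4ff43f2eca16b67e6eb53800b883de36dadfe4404a62293368ba85410145f0c48ce3398f587ed1ab91594688942a6c5d222a87",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")
STRONG = ("sha256", "sha512")  # algorithms trusted on their own


def digests(data: bytes) -> dict:
    """Compute all four digests of an in-memory buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def digests_of_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same as digests(), but streams the file so a large sample is read once."""
    hashes = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashes.items()}


def match_iocs(computed: dict, iocs: dict = SAMPLE_IOCS) -> list:
    """Return the algorithms whose digest equals the IOC entry (case-insensitive)."""
    return [
        algo for algo in ALGOS
        if algo in iocs and computed.get(algo) == iocs[algo].lower()
    ]


def verdict(computed: dict, iocs: dict = SAMPLE_IOCS) -> str:
    """'match' on an SHA-256/SHA-512 hit, 'weak-match' on MD5/SHA-1 only, else 'no-match'."""
    hits = match_iocs(computed, iocs)
    if any(algo in STRONG for algo in hits):
        return "match"
    if hits:
        return "weak-match"
    return "no-match"


if __name__ == "__main__":
    # Usage: python ioc_check.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        d = digests_of_file(Path(arg))
        print(f"{arg}: {verdict(d)} (sha256={d['sha256']})")
```

Pass the suspect file on the command line; a "weak-match" should prompt a second look (different SHA-256 with an identical MD5 is exactly what a collision looks like), while "match" on SHA-256 is conclusive for this sample.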

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note
Hello All your files have been encrypted if you want to decrypt them you have to pay me 0.015 bitcoin. Make sure you send the 0.015 bitcoins to this address: bc1qaxd0wz2zwqgzwmz47mucxjwav8ydw25s0d8m4w If you do not own bitcoins, buy from here: www.paxful.com You can find a larger list here: https://bitcoin.org/en/exchanges After sending the bitcoin, contact me at this email address: [email protected] with this subject: 0015COVINA-V28310290015 After payment confirmation, I will send you the keys and decryptor to decrypt your files automatically. You will also receive information on how to resolve your security issue to avoid becoming a victim of ransomware again. Attention! You have 2 days to contact me to start the file decryption process
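The note above carries the indicators a responder actually needs (payment address, ticket ID used as the victim identifier, contact channel, deadline). As an added example, not part of the report, here is a small parser that pulls them out. The note text is copied from this page, including the "[email protected]" string the page shows in place of the contact address, so the e-mail field comes back empty for this copy. The address regexes (bech32 and legacy Base58 shapes) and the field names are this example's assumptions.

```python
"""Extract triage indicators from a ransom note (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Note text as it appears in this report. The contact address is shown by the
# page as "[email protected]", so no e-mail will be recovered from this copy.
NOTE = (
    "Hello All your files have been encrypted if you want to decrypt them you "
    "have to pay me 0.015 bitcoin. Make sure you send the 0.015 bitcoins to this "
    "address: bc1qaxd0wz2zwqgzwmz47mucxjwav8ydw25s0d8m4w If you do not own "
    "bitcoins, buy from here: www.paxful.com You can find a larger list here: "
    "https://bitcoin.org/en/exchanges After sending the bitcoin, contact me at "
    "this email address: [email protected] with this subject: "
    "0015COVINA-V28310290015 After payment confirmation, I will send you the "
    "keys and decryptor to decrypt your files automatically. You will also "
    "receive information on how to resolve your security issue to avoid "
    "becoming a victim of ransomware again. Attention! You have 2 days to "
    "contact me to start the file decryption process"
)

# Bech32 (bc1...) addresses use the charset qpzry9x8gf2tvdw0s3jn54khce6mua7l
# (no 1, b, i, o); legacy addresses start with 1 or 3 and are Base58.
BTC_RE = re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{39,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*bitcoins?\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SUBJECT_RE = re.compile(r"subject:\s*(\S+)", re.I)
DEADLINE_RE = re.compile(r"you have (\d+)\s*(day|hour)s?", re.I)
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)


@dataclass
class RansomNoteIocs:
    btc_addresses: List[str] = field(default_factory=list)
    amount_btc: Optional[float] = None
    email: Optional[str] = None
    subject: Optional[str] = None      # the per-victim ID the attacker keys on
    deadline: Optional[str] = None
    urls: List[str] = field(default_factory=list)


def parse_ransom_note(text: str) -> RansomNoteIocs:
    """Pull payment, contact and deadline fields out of free-form note text."""
    iocs = RansomNoteIocs()
    # Keep first-seen order but drop repeats of the same address.
    iocs.btc_addresses = list(dict.fromkeys(BTC_RE.findall(text)))
    m = AMOUNT_RE.search(text)
    iocs.amount_btc = float(m.group(1)) if m else None
    m = EMAIL_RE.search(text)
    iocs.email = m.group(0) if m else None
    m = SUBJECT_RE.search(text)
    iocs.subject = m.group(1) if m else None
    m = DEADLINE_RE.search(text)
    iocs.deadline = f"{m.group(1)} {m.group(2).lower()}s" if m else None
    iocs.urls = [u.rstrip(".,") for u in URL_RE.findall(text)]
    return iocs


if __name__ == "__main__":
    print(parse_ransom_note(NOTE))
```

The subject string is worth treating as an IOC in its own right: it is the attacker's victim identifier, so the same value on two hosts means one campaign, and it is what you would search for in mail gateway logs if anyone in the organisation replied.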

Targets

    • Target

      a2449e48a4047644ad84d4f00409c2d0N


    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware family. The "2020" is this sandbox rule's first-seen metadata, not the family's age: Xorist samples and public decryptors for them predate it by several years.

    • Renames multiple (9181) files with added filename extension

      Appending an extension to 9181 files in a single run is the file-encryption footprint: the encryptor overwrites each file and renames it with a marker extension. The per-process rename burst is the behaviour to alert on, independent of which extension is used.

    • Drops file in Drivers directory

    • Drops startup file

    • Reads user/profile data of web browsers

      This signature fires on reads of browser profile data, the usual infostealer target (saved credentials, cookies, history). A file encryptor also trips it simply by walking the user profile and reading every file, so on its own it is a weak signal for this sample.

    • UPX packed file

      The executable is packed with UPX or a modified UPX build. Try "upx -d" on a copy first; a modified header makes stock UPX refuse, in which case dump the process after the stub jumps to the original entry point before doing static analysis.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
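The signatures above describe behaviour, which is what a host-based detection should key on rather than the sample's hashes. As an added example (not part of the report), the following Python runs four rules that mirror those signatures over a constructed, simplified event stream: a burst of renames that append an extension, the drop of the ransom note named in the Malware Config section, a Run-key write, and a file dropped in the Startup folder. The event field names, the 4242/1000 process IDs, the ".enc" extension and the thresholds are all this example's assumptions; map the fields to your EDR or Sysmon schema.

```python
"""Behavioural rules for the sandbox signatures above (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report.
RANSOM_NOTE_NAME = "how to decrypt files.txt"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Tuning values are assumptions; adjust to your environment's baseline.
RENAME_THRESHOLD = 50
RENAME_WINDOW = timedelta(seconds=60)


def added_extension(old_path: str, new_path: str):
    """Return the suffix if new_path is old_path plus exactly one extra '.ext'."""
    if not new_path.lower().startswith(old_path.lower() + "."):
        return None
    suffix = new_path[len(old_path) + 1:]
    return suffix if suffix and "." not in suffix else None


def detect(events):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    alerts = []
    renames = defaultdict(list)  # pid -> [(timestamp, appended extension)]
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "file_rename":
            ext = added_extension(ev["old_path"], ev["new_path"])
            if ext:
                renames[pid].append((ev["ts"], ext))
        elif kind == "file_create":
            path = ev["path"].lower()
            if path.endswith(RANSOM_NOTE_NAME):
                alerts.append(("ransom_note_drop", pid, ev["path"]))
            if STARTUP_DIR in path:
                alerts.append(("startup_folder_drop", pid, ev["path"]))
        elif kind == "reg_set":
            if ev["key"].lower().rstrip("\\").endswith(RUN_KEY_SUFFIX):
                alerts.append(("run_key_persistence", pid, ev["value"]))
    # Sliding window: RENAME_THRESHOLD extension-appending renames by one
    # process inside RENAME_WINDOW, whatever the extension is.
    for pid, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                top_ext = Counter(e for _, e in items[start:end + 1]).most_common(1)[0][0]
                alerts.append(("mass_rename_added_extension", pid, top_ext))
                break
    return alerts


# Constructed events (not sandbox output). PID 4242 plays the encryptor,
# PID 1000 is benign noise; ".enc" and "svc.exe" are placeholder names.
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _ev(kind, ts, pid, **fields):
    return {"type": kind, "ts": ts, "pid": pid, **fields}


SAMPLE_EVENTS = [
    *[
        _ev("file_rename", T0 + timedelta(seconds=0.5 * i), 4242,
            old_path=f"C:\\Users\\victim\\Documents\\report{i}.docx",
            new_path=f"C:\\Users\\victim\\Documents\\report{i}.docx.enc")
        for i in range(60)
    ],
    _ev("file_create", T0 + timedelta(seconds=31), 4242,
        path="C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\HOW TO DECRYPT FILES.txt"),
    _ev("reg_set", T0 + timedelta(seconds=32), 4242,
        key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        value="C:\\Users\\victim\\AppData\\Roaming\\svc.exe"),
    _ev("file_create", T0 + timedelta(seconds=33), 4242,
        path="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe"),
    _ev("file_rename", T0, 1000, old_path="C:\\Users\\victim\\notes.txt",
        new_path="C:\\Users\\victim\\notes.txt.bak"),
    _ev("file_rename", T0, 1000, old_path="C:\\Users\\victim\\a.tmp",
        new_path="C:\\Users\\victim\\a.docx"),
]


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid} {detail}")
```

The rename rule deliberately ignores which extension is appended, so it still fires when a new build changes the marker; the note-name and Run-key rules are the cheap, high-precision complements. "Drops file in Drivers directory" and "Drops file in System32 directory" are left out here because, without the dropped file's name, they are too noisy to alert on alone.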
