xorist | f294e7f4f7be1f9bc726714d9562c3d28e6db46a614659abbc2308387d59f752 | Triage

Sharing

General

Target

JaffaCakes118_169b0324d79b860129bb16d15ffdbaeb
Size

1.3MB
Sample

250112-x9mqzsykhn
MD5

169b0324d79b860129bb16d15ffdbaeb
SHA1

f74fbfc36d553fa02eee46a04fd6c21fa13beb41
SHA256

f294e7f4f7be1f9bc726714d9562c3d28e6db46a614659abbc2308387d59f752
SHA512

09f18031c2ac0fbb931eb30a713adaa8b7f4d069adb2ee20c1ab825cdf0e42783bd4b7310c8817a95d69525f1f23d70a9276774f942d65a5589a4dc4ada6c20e
SSDEEP

24576:FYEaD1n4wtjEtnwXEdAdGqAhvJF98r+OAkzzWoOWkK5sTTfn/NBsG7asyS7A7i:24Sj5ld2vTSTzWoOWITf/3stsyS7A2

Score

10^/10

xorist discovery ransomware

Malware Config

Targets

- Target
  
  _private/Mss32.dll
- Size
  
  343KB
- MD5
  
  f520185e02e8a5d85860669176bc4adc
- SHA1
  
  cea8e9ff14994c89ad86cf891c89fea42a39250a
- SHA256
  
  fe62f1eb6ba407df77619d16927abbefad3c726014f6bd1f8c37a7c3d6b781cc
- SHA512
  
  b434e77a17cdac0109b698d0fccdd25dcdb15090a9fd0427504cc7f616673fa6c7307f07fb22cc2fc1e915887c0f9dc025aa8d38f51503f91df6a9ccee5ebe58
- SSDEEP
  
  6144:zP/1qeom4nrYNQvvHCkVvH0DMHvZW4aHrmtcitczJ3v:zn1qesnr3vHfdUDovbaHrmtcsS
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  _private/a3dapi.dll
- Size
  
  206KB
- MD5
  
  0b3f04a2757f5e43140ac81db1afdc42
- SHA1
  
  57c666aebb0fb59ac86deae9e6849e3268a05703
- SHA256
  
  f05b2eeb851b174ef2b39c4728687915648ae33780a65cdf7f0c7ce99e6a67af
- SHA512
  
  1df19cac3b3ca5a45b50ceddf3e7ecf60b8521c9b589d9c47219ce8d056d6d244516922627fd522818fd8383788924a6589baba9f3984f749ebb992e4de327b0
- SSDEEP
  
  6144:5atuZySlWDRI0jcAwcwypEGmFPHrA/8/5mB:55yd3EcbpEGmFPVkB
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  _private/speex_strafe.dll
- Size
  
  136KB
- MD5
  
  0a812ecf43bfe0173a84734c70f4a260
- SHA1
  
  d06c4109893113b5b1ebec60188bc06604bc01f6
- SHA256
  
  4e0d124c2cc55f8b5a29465f037a6363e122399d0753e9e099c85c382040e867
- SHA512
  
  54636cbba87d6797efee9a96bc4a6c107b43aee261833e01d622492ee829628f07d3a24e69ade48a639ceef70f3ed294a63ce46d598b76dcba2a72df5f4c396b
- SSDEEP
  
  1536:vurKvhLIR4k9OdxzNXS7WeR1tKVXkwSrRo70TY85fOaCRNEfGdX2pYsbVbqLoXda:v21ik9sNuWeR18Z745ZG3LoXdgsCj
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  _private/start.exe
- Size
  
  1.5MB
- MD5
  
  7570470b1ceccc6c936c482420704fd4
- SHA1
  
  30bc1a4a60b1c32846226c1adf68df4564789b6d
- SHA256
  
  4ec7f96812c6b994cbb719d16870313b4cd44cb96ad01367dd0293ecb7c128b8
- SHA512
  
  f1a6b4cc19276c3144f64c73072bab6fd73d95937bffbe690d692bbadc71df633c76d0e07074916cea6eb17793a5796e356c3df5c0d0f3e3f585ee849049354a
- SSDEEP
  
  24576:/5dZufOrzvckB+Fr+waFHTcqunNW3QdWvPiVD2CWgrUE94FFs+n9rQOF8nX7:/5dVwPaFHTTgkAAn2IQ39y9rRF8L
Score

10^/10

xorist discovery ransomware
- Detected Xorist Ransomware
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  _private/vstdlib.dll
- Size
  
  332KB
- MD5
  
  91bc6ecb8d841dd4911b983118553d49
- SHA1
  
  6ded5005c82a51fcd3af694af5a1df3d93a44d79
- SHA256
  
  d76f6d869ccaaa83d4384b0ec5f14ab7d72b74d99bffdc401ccdf3d50a18d9ac
- SHA512
  
  a06f017e5a57c03edddbc1c8736b3866afff6affdcc13ed3c4b810ec9d5b0eecd4b9c93bf6d73b30b934ddea6e9f1e0e05c51a179e30bd168c490d4a54ad6ee2
- SSDEEP
  
  3072:zfmUZcdk5Z4q0U00jMeHykQLz4yS+UGYiw7NvNxRYsHLi6ipmg5mmWIFY3rrKYNR:zDqR9Lz4yS+UGSRY4Sn5mqd+c6dF
Score

3^/10

discovery
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

xoristdiscoveryransomware

behavioral8

xoristdiscoveryransomware

behavioral9

behavioral10