xorist | f294e7f4f7be1f9bc726714d9562c3d28e6db46a614659abbc2308387d59f752

General

Target

_private/start.exe
Size

1.5MB
MD5

7570470b1ceccc6c936c482420704fd4
SHA1

30bc1a4a60b1c32846226c1adf68df4564789b6d
SHA256

4ec7f96812c6b994cbb719d16870313b4cd44cb96ad01367dd0293ecb7c128b8
SHA512

f1a6b4cc19276c3144f64c73072bab6fd73d95937bffbe690d692bbadc71df633c76d0e07074916cea6eb17793a5796e356c3df5c0d0f3e3f585ee849049354a
SSDEEP

24576:/5dZufOrzvckB+Fr+waFHTcqunNW3QdWvPiVD2CWgrUE94FFs+n9rQOF8nX7:/5dVwPaFHTTgkAAn2IQ39y9rRF8L

Score

10^/10

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

resource	yara_rule
behavioral7/memory/2296-36-0x0000000000400000-0x0000000000458000-memory.dmp	family_xorist
behavioral7/files/0x0009000000015c9f-57.dat	family_xorist
behavioral7/memory/2296-60-0x0000000000400000-0x0000000000458000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	start.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	svhost.exe
2896	svhosts.exe

Loads dropped DLL 4 IoCs

pid	Process
2296	start.exe
2296	start.exe
2296	start.exe
2296	start.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 2296	1808	start.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32	start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID\ = "eHome.RecoveryTaskDispatchServer.1"	start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\VersionIndependentProgID	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\VersionIndependentProgID\ = "eHome.RecoveryTaskDispatchServer"	start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "RecoveryTaskDispatchServer Class"	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ = "C:\\Windows\\eHome\\ehTrace.dll"	start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ThreadingModel = "both"	start.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1808	start.exe
Token: SeIncBasePriorityPrivilege	1808	start.exe
Token: 33	1808	start.exe
Token: SeIncBasePriorityPrivilege	1808	start.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 2548 wrote to memory of 1808	2548	start.exe	30
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 1808 wrote to memory of 2296	1808	start.exe	32
PID 2296 wrote to memory of 2216	2296	start.exe	33
PID 2296 wrote to memory of 2216	2296	start.exe	33
PID 2296 wrote to memory of 2216	2296	start.exe	33
PID 2296 wrote to memory of 2216	2296	start.exe	33
PID 2296 wrote to memory of 2896	2296	start.exe	34
PID 2296 wrote to memory of 2896	2296	start.exe	34
PID 2296 wrote to memory of 2896	2296	start.exe	34
PID 2296 wrote to memory of 2896	2296	start.exe	34

C:\Users\Admin\AppData\Local\Temp\_private\start.exe
"C:\Users\Admin\AppData\Local\Temp\_private\start.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\_private\start.exe
  "C:\Users\Admin\AppData\Local\Temp\_private\start.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\_private\start.exe
    C:\Users\Admin\AppData\Local\Temp\_private\start.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\svhosts.exe
      "C:\Users\Admin\AppData\Local\Temp\svhosts.exe"
      4⤵
      Executes dropped EXE
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
15KB

MD5
c69e45d794c736cc7010b8f2a2bf5552

SHA1
50572e2752d8968585c7832fac11ea067c7bf3df

SHA256
6a0cd2030eb9daf05021ea4d007da474cdb196c4c4efa9094173377e7ce5d36d

SHA512
f9b0a3446716d3be050995d041f1cac9c89ff746b7ac7eb6bd43ba4117ba083b4a29190df0d25b720977901b8506c69ee21e9291db0f33c38904f29f93c1e2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhosts.exe

Filesize
11KB

MD5
d94bfb49259b0dc224580099d88899e5

SHA1
33d595f97c39684562e9c3342d1477719e91678d

SHA256
cee0058819af4ced052cc25032682e1739574080196e4727b8b390591d634003

SHA512
a1be423b0a76696688ff0999b840e9bd80397506e0a921383c61f84e2dda9a2fc93d7745d7d9f304e7c440553dac4002141d47f27d7308746ca1948fcbc9c71f

Download Submit
memory/1808-35-0x0000000001E90000-0x0000000001FEA000-memory.dmp

Filesize
1.4MB

Download
memory/1808-10-0x0000000010086000-0x0000000010087000-memory.dmp

Filesize
4KB

Download
memory/1808-34-0x0000000003300000-0x00000000034AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-2-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-3-0x0000000001E90000-0x0000000001FEA000-memory.dmp

Filesize
1.4MB

Download
memory/1808-16-0x0000000001E90000-0x0000000001FEA000-memory.dmp

Filesize
1.4MB

Download
memory/1808-15-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-14-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-13-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-11-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-40-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1808-9-0x0000000001E90000-0x0000000001FEA000-memory.dmp

Filesize
1.4MB

Download
memory/2216-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2296-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-27-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2296-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2548-1-0x0000000001CF0000-0x0000000001E9C000-memory.dmp

Filesize
1.7MB

Download
memory/2548-38-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2548-0-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing