General

  • Target

    xhvXnps.exe

  • Size

    22KB

  • Sample

    250215-ten4satkgy

  • MD5

    a8e46ccd0a0eddb53ae9486b82ac2da7

  • SHA1

    cd8d2c8e16b4f669eaaeaa5ad49860ce71b9f323

  • SHA256

    809ace7cfbca9f9a1f385fbd0a07c07c8d145a52075e936ca808b8365e22b4d1

  • SHA512

    b394662e2ce39f51bd065f289926cfbf0ebbdfcb726c6efbb1589e14aa6d0e52c03372d68aab2dca4effe0bc1d972e3deebbeb6232d9606579a81677673c663c

  • SSDEEP

    384:Gprr1gkDCgSfj46VQWb+nKNyXaHX7xEMgfkwtHZ4mOLQFg+UZpHcFc48sAiqNB:0rVDCb4Cy5XWxwswlkLQFYZRcF98sP4

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 677DD06ED071E4B557FF3D9236ACD21AFECBA485C6643AB84F766060B967DC6E0CFC34DDD9A0 Subject : SYSTEM-LOCKED-ID: 90890423 Payment 10 000$ BTC
URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Targets

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • Xorist family

    • Renames multiple (10143) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks