exorcist | d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

Resubmissions

23-09-2020 10:35

200923-mkwlt9yalx 10

23-07-2020 14:59

200723-mtbw6t99d2 10

23-07-2020 13:47

200723-5t3mhtw95x 10

Sharing

Copy URL

Twitter E-mail

General

Target

build-x64-crypt.bin.zip
Size

22KB
Sample

200723-5t3mhtw95x
MD5

bbd3fe70b7063821c3e0aab4895f270e
SHA1

86f7aa738e472c99355410e8875cc7c0b6936d48
SHA256

d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0
SHA512

6948295e7beaa1b10d2219afe2f5eedb002f757d406bc39d069c48e71c88c1a80733ae0cc4dedccfa5e06d592a4a55c7b3c47534d273e5509016598b5e1ac86b

Score

10^/10

Malware Config

Targets

- Target
  
  build-x64-crypt.bin
- Size
  
  52KB
- MD5
  
  8cc13fea61cc0ba1382a779ee46726f0
- SHA1
  
  bd8ef46a02085153605a87fcc047f7ef3d0c4131
- SHA256
  
  eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850
- SHA512
  
  2f317f04b6bda9af58b049cb9bd0032d08c0aa30b8ac8d76b10f738ab11f4cc9f4eca4af3ecf26e610715117e2d68e5f8fb0ac139e60e882cc24fc795bf0a34a
Score

10^/10

exorcist evasion ransomware
- Exorcist Ransomware
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
  ransomware exorcist
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Exorcist Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes System State backups

Modifies extensions of user files

Deletes itself

Enumerates connected drives

Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2