Resubmissions

  • 23-09-2020 10:35  200723-mkwlt9yalx  10

  • 23-07-2020 14:59  200723-mtbw6t99d2  10

  • 23-07-2020 13:47  200723-5t3mhtw95x  10

General

  • Target

    build-x64-crypt.bin.zip

  • Size

    22KB

  • Sample

    200723-mtbw6t99d2

  • MD5

    bbd3fe70b7063821c3e0aab4895f270e

  • SHA1

    86f7aa738e472c99355410e8875cc7c0b6936d48

  • SHA256

    d7d0688022b5848caf5cbabc1bde628cb74f32e014311f5299ed63241fff72b0

  • SHA512

    6948295e7beaa1b10d2219afe2f5eedb002f757d406bc39d069c48e71c88c1a80733ae0cc4dedccfa5e06d592a4a55c7b3c47534d273e5509016598b5e1ac86b

Malware Config

Extracted

Path

C:\Users\Public\Desktop\zcwiYr-decrypt.hta

Family

exorcist

Ransom Note
zcwiYr Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key: uRmNx1C9X1gw6nAP4r7GEtpP1t6diH3k20Qi6Zlcr3tVAKPtQnU0HfXcdrp6nFJB TRos6GcNyuLQ8d2OlhQLljuaCeugl9SfrqK8y8C7YSO/spZNmqJohoW7OVILne7d jAbYWAAXj7cQzEgc+koyqF2FElwSO6QG6nDtwfAMPKWYRqP1lCrMTFcLkgyotsqh 8BWKytlP+IdgoGJRj8YYDlufvVFcDVqP+hTZ6MC0NuGdv2TkHkMycSrjNj2Dj+Ce vgQi8mWt8gE5gk1rKWpk3tIH4DZgVMa8Mh7YRZzwJgZkRUW3k3pUl8y7TYDuafy4 jFOra3KZ2M6ZdzIbfQUliGrAepTduHsmdOq7IkMsRFmCqC6j8u9VRjvm48X+y7Wq jNjBgMbfnCygKBS1cnmv3R/dCzENYh9RDHkTfwwrPMgefLByvIYdly5WQp0j86yC 0eSxh3oyD1lMvVHlXGYWe2vMEZge39YZLLncPdpaowht+ISVHuH4XLHinOXFu+/k xbIsiF5QEIbb0fgArpV5AWQvhZ/lGhAs+9VTZTjKBgy99wtJwriqQ+dO6xXyckiN yEsWxsiT0Knlbmv3w/yipvx7aWh5KbV8XdWYzzflsTBSsH5OWwItUZZHjg3cqfls NmXVj9zsVnsFhLZ8uJtvM4bqJ8XmghMtFDRTZxpwIQmzpp6z8XTZaUZdqLkHdSqJ 1kd3o4SMSXf2dl2q1AsIXz096zDA4hu/OcgWi9fPtJf7ZUl8pwItnVRSetWSxOm9 snLUp1FUamjvPOtnTezyp0+o9r1H6ihm9cKwm6kvrkiwgpvxSeTkI347IDzKppk9 Ne8RuL1C4Zcv08k2YkGvn9YKgIq2oqzqnOJtENdCI+QtqHPIW1TfOSL6DNmlhKFN PpW45bq2Edp1gFzx6PnD3HAYyrN9vdjxSL2lhrMDNxDdIVgWTXM9z4/6cSq6MjKX CDCeI9cAZH/+XTJcOB1uBFuzQLm0HRn3sy3RBmovxUPmsf/PPCCqiRjNlhOXWIU+ OANkhoC5NZLGHRQ9aZ660lMnOj/TsbYKrucE9k3WE4zK/oE+5XLlvV+/VAhhyC9J dLTHHz/XrJyz2t9MQ+Of/nO8Y6CPBSm5vWNThQDgILNL/dl3Ot8IPqz1GTbwz0xa vKVnVYuv0Y4yrOUkt3QU9RlJOjs7xd6lN+7tISdL7xasXEh1ZU3dCzJa4kO3ctF1 l6EJ+OIxM4n1kC7Wj/bd+0kfeOGL7O3xB7cfIA/N9788i1jqXVoqZ9ttoraGp+fq Ty6HTAKFm+kvGUXziS35LJ/zRnB7R4sFYRK7grdHivdSb2AissRx5rXDpa9RxZvd 22VXJL9CmPpKw1EoIu/Fl/uYL33+zRJ0K1b7L9NNZFdXSkHEUug8g6pHc//in9cV 0Qx9VK7vmDKBLyj1df6DEQ87AQtU0D/+2USQRsIyKcjGxmH8UJIxmLAqJR/8rClG 
KDULIaz4pmRdhwSDjZLwFX0GdlhPiEKkcJQIdi9xGH6wL6T7ZDBBBayAAYTAkMK4 rEz4PQeIxL65TQih03Jp1vcPkSWlgMqt5x8+n2lZWQ0CnkoUnfAfkY77oaxWnaVW C3FbNS7XjY984XzH1GhuET/qsdf6i4v34s+wZCGadpjnIUKE7Sh9Vqp3pTc2o12I zwZTWr6yzzv5PZGM05HHAAcWjvUUKsGYrL0s0spvc3tPLlUohGNHxTtFwdp6+pxq 2p9EF9CnVdqtiuONr4k8bgy1cZV/bEFJUWvj9K5kIu/P6yT7NO4AJ3KYNSYyhMfp 6WoFaL79nYN9jIMgF7UDqFvLPP9BbCO8jMuAyDZZwAgB3u9CIC5oW8b7m9YBaZaZ CSsNHzilvqoicCnczBWd3gN9ww3XkqNCTCd1a8n1XJaP6dXj4QqGFECRoqZYmL7S H7iHc7NTtffoAy3OkaXS84F28BV9VDzEsM53TzmWsOkvh9CGLw+PxmSZ/H1onht2 09FaIIKu7Ed36lRPDkCKietptNzCDv/fj9bbNcL7FcbWgQX0mgvtnBTXo5BTwg8f aDxbKeD//H9BUi/18H5eXxjzD+F/vlV+DwvxaHzgu7PDS00a6ghC7F1fd5vKMM3/ MdVScYvWQYEBjogghaJGw2113+M6c0O9vcyBX4BaQ7wA3nGFRENZhIaUptFgQ6zX 74L4mg/Qg1VSh8f6Xw/5e92B+K+Bfg7IgMdRE3zU6HYSTmGmOV5mt8NjsoqivVUw SRi5PLGhn6XbQWqVOx1l0vfFIjqQeLFzd9vzEo5tTs8E8KkWM75AtgSuCamZxDbw 5DxkEytrDpwWT1HQB6WCZJpOzz+nIUZEKmsCpeh0MSQrfpYEhL9xxNAX4EL+pmYi 8nyl93a8+t/hQ9ZTcmhA8G6QphAJM8h7Pdwf/tI0WsZ/blDunwZOUKUlI7NT4n28 6dpCMqDXPCmyLyWjjqNHvHDOxYrS/2SrAl6uMT+tXZLfDV1gEoWT3em06nUYwIYM a+GGUgC8ExM/eUMnGEV0hfJkIJEHWJU8zak66RmwLzxLNJDR5lOoHuYNmv+xlq9T Zb6E+2W4x86bjWa+HWrzdpJRGWtw4F66v1IYc0TVp+Uwj7+3uPGow1Py32Zb2BFS TRt1RvGWDkSbGfvdwUsvSiodaTahAcYLUptyctidG348cWuh52/SHD4/C9ZTbWKw 7AdRcnfw4jIzZQXQdlyESzbQVw+gL9bf5pTebu7FMDI/lvFZrkLT4TMmpEpYxxAD wOanMEAbbpdJdK9Cn18hM16dA4aFjyJfxbsYuSvR/3Kt4dL+NJPEgcooEx52OaRS RzdaKD43GOK51M77kEc7vF3tC6+G7tig7LDI87KxF5AyGlhRj8ZAJxUnvc9NY44U SI89PH3CRCB2fqwFI2OBSBCBWb/oh6MdCsoCpJvqFOs4iQjibxUjIUOB1Un5E7mS XBfPwlOiwWrjmaOxP1ZO9TCNdqTo07DFtJsl0GjyzN8cGf/ew57FGzG7Mx+EuCZZ +ljqGqkUE5MZSbGa4LAsk1aImEVAmvtys/VHr6ynBswISDm5qKQtWRyapl8p/EvB E2b9C/YML7uUN1nFmAHTtuPNv+O670wArpx4curEItsmT0gbP7KETs4ja9/t5Mtx ojrDHFkKUwPLiObCG0R+WpXc7Q+a4JVM38/ZVidM73lOmDg5wMLDZcvQytRlBHbq ajTNb7U0J5/VaZIbh+XWZAY9ZHg+auXfSD89ep2FgtDglKVLWUgD1V+CDsImkqOg 53PCVNvWpyXN1+ZcR19JmA5yxOB7sZ6+DdW9LyvYCxDuXZVBsHGy3A20u3WI7Ok8 mKBW2boIP2g2OYVoeZP9xXvolKtxNppF8fy/TpZAakoCPsw4Q6tZQLWlae+FwtoG 
wDuO6I2ah9XnbGjLiP9fOvt9STYTVbJ79unfsyD+TxFrzaIAWfIyFVB2ZKlqAOr7 qxtf5lbzZJnGJgaWMQVS6XHUyY0Ei2gU9iYEgHQD9P6zPcxdWI67+IUswYnx8ROj WzsCFVF8goYj1Yz6HMFoiT9t6S9RNPgsUYIwH01lsXW5dX7JCn8iamk5+WpK4tKn 5nBA/ccT9KwnSqu3U1n61o99UX/gz09VOG/rta9gAxlMgsJ1xGm7aecVbv4z6MVE Q55S5H3ly8nD40QSUcGLCah+96bnOfTK5bOB/U/GZs4e7en4j7VDdGmX5aIGrxlk +Z/DkBCMe0X7tx1VnBWECFfdW37wmfEJvHQtV8KU+AINHX+xx4zvNlOsX+ZdjO5+ 9WfyTBiDtsj6r4J8nrjhOtfVbzgPsPnjg7Z6UBl/g+9oGi2pBnGWgxuSyBjGnOSd OWrCykT0xBaQCE9Glr7EWw6flCpTPhykB6w/vJkplU4c7VQXx8Q/d3U/agB+k+Nf 69LKBeYSRxY5HgIhvmyoJqF2lNNTU+LmeesanaIjONWCzMqbQDmTt02I+ACKV20f
URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Targets

    • Target

      build-x64-crypt.bin

    • Size

      52KB

    • MD5

      8cc13fea61cc0ba1382a779ee46726f0

    • SHA1

      bd8ef46a02085153605a87fcc047f7ef3d0c4131

    • SHA256

      eeb8a83d7532797d39d060ffb2a65562e8d803c4dbd8379289f99367cac2f850

    • SHA512

      2f317f04b6bda9af58b049cb9bd0032d08c0aa30b8ac8d76b10f738ab11f4cc9f4eca4af3ecf26e610715117e2d68e5f8fb0ac139e60e882cc24fc795bf0a34a

    • Exorcist

      Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface, T1059 (1)

Persistence

  • Modify Existing Service, T1031 (1)

Defense Evasion

  • File Deletion, T1107 (3)

  • Modify Registry, T1112 (3)

Discovery

  • Query Registry, T1012 (1)

  • Peripheral Device Discovery, T1120 (1)

  • System Information Discovery, T1082 (1)

Impact

  • Inhibit System Recovery, T1490 (4)

  • Defacement, T1491 (1)

Tasks