Resubmissions

23-07-2020 14:59

200723-qeb9jz5z6e 10

23-07-2020 13:40

200723-1el7ztcngs 10

General

  • Target

    build-x32.crypt.bin.zip

  • Size

    19KB

  • Sample

    200723-qeb9jz5z6e

  • MD5

    44406e1afbf3858f1021681334c19e0b

  • SHA1

    c3ddb9631fe00c67738744446e0b7f5293d454a6

  • SHA256

    9aa75631b7a56a84117e5aed0540fb74dfcde2c36d52744156381c9161603e28

  • SHA512

    628a9677db5c704728e58f58b089d7fb7e1c8eca30feea8f0f8d31d76cccce670990ed5f8ec096685e76512ce3c3d8706f60c4766b6996be58960fa0e8bf7ea3

Malware Config

Extracted

  • Path

    C:\Users\Public\Desktop\ntIpgn-decrypt.hta

  • Family

    exorcist

  • Ransom Note

    ntIpgn Decrypt All your data has been encrypted with Exorcist Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. To do this, follow instructions on this web site: http://217.8.117.26/pay Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key:
URLs

http://217.8.117.26/pay

http://4dnd3utjsmm2zcsb.onion/pay

Targets

    • Target

      build-x32.crypt.bin

    • Size

      43KB

    • MD5

      0d256ab0a8b8b7a3b3d4aaf566189ca6

    • SHA1

      2f0142e0f5a21822fd9e391246b6cc470f4089a1

    • SHA256

      f86e27e58356c554269b93713ea53b797d92359f0abb25bf70fe2de278278f7f

    • SHA512

      19afeb080a691f287b902455269b6de051e93e0c9afbd00ed9166e6fb4c11e2b6d8eea53dabc2b8b465c7bcac9130e379115f0b9ea48420cff9c71788232fe7a

    • Exorcist

      Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                       Count  ID
Persistence       Modify Existing Service         1      T1031
Defense Evasion   File Deletion                   2      T1107
Defense Evasion   Modify Registry                 3      T1112
Discovery         Query Registry                  1      T1012
Discovery         Peripheral Device Discovery     1      T1120
Discovery         System Information Discovery    1      T1082
Impact            Inhibit System Recovery         2      T1490
Impact            Defacement                      1      T1491

Tasks