exorcist | 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf | Triage

Sharing

General

Target

79385ed97732aee0036e67824de18e28.exe
Size

43KB
Sample

200724-64rls1gjl2
MD5

79385ed97732aee0036e67824de18e28
SHA1

2f65a2b8ac21b3505855f7b89551cc1f31bf636e
SHA256

8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf
SHA512

db1d99884ab384ed571195e7c85105fe1f5bef2cb7e81f1f9380a8aef99f71e9d51a46e5ea6d81acee72aa2c2eb1b371cd11097678cbd27cfa0ef9b254630072

Score

10^/10

exorcist persistence ransomware

Malware Config

Targets

- Target
  
  79385ed97732aee0036e67824de18e28.exe
- Size
  
  43KB
- MD5
  
  79385ed97732aee0036e67824de18e28
- SHA1
  
  2f65a2b8ac21b3505855f7b89551cc1f31bf636e
- SHA256
  
  8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf
- SHA512
  
  db1d99884ab384ed571195e7c85105fe1f5bef2cb7e81f1f9380a8aef99f71e9d51a46e5ea6d81acee72aa2c2eb1b371cd11097678cbd27cfa0ef9b254630072
Score

10^/10

ransomware exorcist persistence
- Exorcist
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
  ransomware exorcist
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Enumerates connected drives
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

persistenceransomware

behavioral2

ransomwarepersistence