exorcist | a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d | Triage

Sharing

General

Target

7e415d5a1b1235491cb698eb14817d31.exe
Size

43KB
Sample

200724-b5zwteacds
MD5

7e415d5a1b1235491cb698eb14817d31
SHA1

ca1a94c1be4e51da577e51957428263ca9c0c0ab
SHA256

a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d
SHA512

6c97b54c6b9d7e82f9be371773ffdafa2fbd59b967d4597e737f3b4249215c662403d3f0f8e3527c129334105ff4ce46397b1aed8d4f4ff49a8032b50bc01303

Score

10^/10

exorcist persistence ransomware

Malware Config

Targets

- Target
  
  7e415d5a1b1235491cb698eb14817d31.exe
- Size
  
  43KB
- MD5
  
  7e415d5a1b1235491cb698eb14817d31
- SHA1
  
  ca1a94c1be4e51da577e51957428263ca9c0c0ab
- SHA256
  
  a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351da8813d7d
- SHA512
  
  6c97b54c6b9d7e82f9be371773ffdafa2fbd59b967d4597e737f3b4249215c662403d3f0f8e3527c129334105ff4ce46397b1aed8d4f4ff49a8032b50bc01303
Score

10^/10

ransomware exorcist persistence
- Exorcist
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
  ransomware exorcist
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Enumerates connected drives
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwarepersistence

behavioral2

ransomwarepersistence