exorcist | 6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01 | Triage

Sharing

General

Target

f4009abe9f41da41e48340c96e29d62c.exe
Size

43KB
Sample

200724-zxydprrjys
MD5

f4009abe9f41da41e48340c96e29d62c
SHA1

01636cd2ab7eada533ded51728acd8cd99020c57
SHA256

6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
SHA512

4bdd711818c29c01dd532c13c23155ee0450a7f1f3ad7d92c45952f59b8ee947ab5876688e8971dfd094f7f494003106e9ad9b470cf99bccbd53f545900c9a15

Score

10^/10

exorcist persistence ransomware

Malware Config

Targets

- Target
  
  f4009abe9f41da41e48340c96e29d62c.exe
- Size
  
  43KB
- MD5
  
  f4009abe9f41da41e48340c96e29d62c
- SHA1
  
  01636cd2ab7eada533ded51728acd8cd99020c57
- SHA256
  
  6db3aae21a6d80857c85f58c4c8b2cf9c6b7f8b8a9ab1d5496d18eaf9bd0bd01
- SHA512
  
  4bdd711818c29c01dd532c13c23155ee0450a7f1f3ad7d92c45952f59b8ee947ab5876688e8971dfd094f7f494003106e9ad9b470cf99bccbd53f545900c9a15
Score

10^/10

ransomware persistence exorcist
- Exorcist
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
  ransomware exorcist
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Deletes itself
- Enumerates connected drives
- Modifies service
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwarepersistence

behavioral2

ransomwarepersistence