exorcist | 2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf | Triage

Submit
Reports

Overview

overview

Static

static

D4D32E7583...in.exe

windows7_x64

9

D4D32E7583...in.exe

windows10_x64

Sharing

General

Target

D4D32E7583B3FD8363DED73C91ED3D08.bin
Size

52KB
Sample

200727-5r6kwh8bfe
MD5

d4d32e7583b3fd8363ded73c91ed3d08
SHA1

4079602dce0fb495ed0ec97c5aea5988127fb50c
SHA256

2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf
SHA512

e1ba8e27a19933f15e13ae310920bb74051b5dbe7d3408d8d5aad5f1b80ca7e2ac45d288115c357c9ffcf72a4d2ea29db513a591d64874d972b60962d746aadf

Score

10^/10

exorcist evasion persistence ransomware

Static task

static1

Behavioral task

behavioral1

Sample

D4D32E7583B3FD8363DED73C91ED3D08.bin.exe

Resource

win7

ransomware evasion persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

D4D32E7583B3FD8363DED73C91ED3D08.bin.exe

Resource

win10v200722

ransomware evasion persistence exorcist

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  D4D32E7583B3FD8363DED73C91ED3D08.bin
- Size
  
  52KB
- MD5
  
  d4d32e7583b3fd8363ded73c91ed3d08
- SHA1
  
  4079602dce0fb495ed0ec97c5aea5988127fb50c
- SHA256
  
  2b37a372626063afce9e08199342a41bbe4183b0d5ba7864ff61eb6e6f7c4fdf
- SHA512
  
  e1ba8e27a19933f15e13ae310920bb74051b5dbe7d3408d8d5aad5f1b80ca7e2ac45d288115c357c9ffcf72a4d2ea29db513a591d64874d972b60962d746aadf
Score

10^/10

ransomware evasion persistence exorcist
- Exorcist
  Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
  ransomware exorcist
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ransomwareevasionpersistence

behavioral2

ransomwareevasionpersistenceexorcist

© 2018-2024

Terms | Privacy