General

  • Target

    Setup

  • Size

    68KB

  • Sample

    200930-vz17f3p2d2

  • MD5

    9e5c89c84cdbf460fc6857c4e32dafdf

  • SHA1

    ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d

  • SHA256

    dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

  • SHA512

    6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-bkgdrg-decrypt.hta

Family

exorcist

Ransom Note
bkgdrg Decrypt All your data has been encrypted with Exorcist 2.0 Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed. To do this, install Tor Browser (here: https://www.torproject.org/download/) and follow instructions on this web site: http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/ IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key:
URLs

http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/

Targets

    • Target

      Setup

    • Size

      68KB

    • MD5

      9e5c89c84cdbf460fc6857c4e32dafdf

    • SHA1

      ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d

    • SHA256

      dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

    • SHA512

      6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

    • Exorcist Ransomware

      Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

  • Defense Evasion

    File Deletion (T1107): 2

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1

  • Impact

    Inhibit System Recovery (T1490): 2

Tasks