Analysis

  • max time kernel
    266s
  • max time network
    268s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    30-09-2020 12:40

General

  • Target

    Setup.exe

  • Size

    68KB

  • MD5

    9e5c89c84cdbf460fc6857c4e32dafdf

  • SHA1

    ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d

  • SHA256

    dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

  • SHA512

    6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-bkgdrg-decrypt.hta

Family

exorcist

Ransom Note
bkgdrg Decrypt All your data has been encrypted with Exorcist 2.0 Ransomware. Do not worry: you have some hours to contact us and decrypt your data by paying a ransom. If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed. To do this, install Tor Browser (here: https://www.torproject.org/download/) and follow instructions on this web site: http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/ IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data! Your authorization key:
URLs

http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/

Signatures

  • Exorcist Ransomware

    Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 32 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 4 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 484 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 5212 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:996
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} recoveryenabled No
      2⤵
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wmic SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:844
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\DECRYPT-bkgdrg-decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Modify Existing Service (T1031): 1
  • Defense Evasion
    • File Deletion (T1107): 2
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Inhibit System Recovery (T1490): 2


Downloads

  • C:\Users\Admin\Desktop\DECRYPT-bkgdrg-decrypt.hta
    MD5: df98c4ea28773fe02993f9ce9b0ac450
    SHA1: eccde57d23de283833bfcb1bbb1dfe2c0d3a3219
    SHA256: 38397a8301397347087a41a375f855b5a77e5d77de5f1e3e3676d17643e175a5
    SHA512: a7746841ff06321ae217102454996de302296185aba0fe8d06ddaca8348afdbbcdec8a7df7d014521fc2f6d5e87eceae89d8a350d92412c92eb0941c87209519
  • memory/648-0-0x0000000000000000-mapping.dmp
  • memory/996-1-0x0000000000000000-mapping.dmp
  • memory/1352-2-0x0000000000000000-mapping.dmp
  • memory/1444-3-0x0000000000000000-mapping.dmp
  • memory/1648-4-0x0000000000000000-mapping.dmp
  • memory/1832-5-0x0000000000000000-mapping.dmp
  • memory/2068-6-0x0000000000000000-mapping.dmp
  • memory/2500-7-0x0000000000000000-mapping.dmp
  • memory/3820-12-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-85-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-11-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-8-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-15-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-17-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-16-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-73-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-74-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-10-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-86-0x0000000004340000-0x0000000004341000-memory.dmp (Filesize 4KB)
  • memory/3820-123-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)
  • memory/3820-492-0x0000000008226000-0x00000000082E7000-memory.dmp (Filesize 772KB)
  • memory/3820-508-0x0000000008291000-0x0000000008352000-memory.dmp (Filesize 772KB)
  • memory/3820-665-0x00000000080E0000-0x00000000080FA000-memory.dmp (Filesize 104KB)
  • memory/3820-668-0x00000000080E0000-0x00000000080FA000-memory.dmp (Filesize 104KB)
  • memory/3820-674-0x0000000008210000-0x00000000082D6000-memory.dmp (Filesize 792KB)
  • memory/3820-9-0x0000000004B40000-0x0000000004B41000-memory.dmp (Filesize 4KB)