Overview

overview

10

Static

static

excorsist.bin.exe

windows7_x64

10

excorsist.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    01-10-2020 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    excorsist.bin.exe

  • Size

    68KB

  • MD5

    9e5c89c84cdbf460fc6857c4e32dafdf

  • SHA1

    ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d

  • SHA256

    dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

  • SHA512

    6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Score
10/10
ransomwareexorcistpersistence

Malware Config

Signatures

  • Exorcist Ransomware

    Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

    ransomwareexorcist
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 223 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1366 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} recoveryenabled No
      2⤵
        PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
          2⤵
            PID:1936
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
            2⤵
              PID:1920
            • C:\Windows\SysWOW64\cmd.exe
              cmd /C wmic SHADOWCOPY /nointeractive
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2008
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic SHADOWCOPY /nointeractive
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2004
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Modifies service
            • Suspicious use of AdjustPrivilegeToken
            PID:1772

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/316-135-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-99-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-279-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-276-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-9-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-273-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-270-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-12-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-13-0x0000000004250000-0x0000000004261000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-15-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-18-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-138-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-21-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-24-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-27-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-30-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-33-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-36-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-39-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-42-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-45-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-48-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-51-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-54-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-57-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-60-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-63-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-66-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-69-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-72-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-75-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-78-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-81-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-84-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-87-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-90-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-93-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-96-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-141-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-102-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-105-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-108-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-111-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-114-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-117-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-120-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-123-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-126-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-129-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-132-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-267-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-19-0x0000000004250000-0x0000000004261000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-10-0x0000000004250000-0x0000000004261000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-144-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-147-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-150-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-153-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-156-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-159-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-162-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-165-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-168-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-171-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-174-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-177-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-180-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-183-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-186-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-189-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-192-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-195-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-198-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-201-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-204-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-207-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-210-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-213-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-216-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-219-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-222-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-225-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-228-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-231-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-234-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-237-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-240-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-243-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-246-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-249-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-252-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-255-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-258-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-261-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/316-264-0x0000000003E40000-0x0000000003E51000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1388-0-0x0000000000000000-mapping.dmp
            Download
          • memory/1648-2-0x0000000000000000-mapping.dmp
            Download
          • memory/1796-1-0x0000000000000000-mapping.dmp
            Download
          • memory/1920-5-0x0000000000000000-mapping.dmp
            Download
          • memory/1924-3-0x0000000000000000-mapping.dmp
            Download
          • memory/1936-4-0x0000000000000000-mapping.dmp
            Download
          • memory/2004-7-0x0000000000000000-mapping.dmp
            Download
          • memory/2008-6-0x0000000000000000-mapping.dmp
            Download