exorcist | 768b40ceafed20055bbc60418929e8ec52fe3d1935caa1405af01e775d03e5e1

Analysis

max time kernel
137s
max time network
152s
platform
windows7_x64
resource
win7
submitted
01-10-2020 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

excorsist.bin.exe
Size

68KB
MD5

9e5c89c84cdbf460fc6857c4e32dafdf
SHA1

ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256

dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512

6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

Score

10^/10

ransomware exorcist persistence

Malware Config

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 2 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	excorsist.bin.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	excorsist.bin.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

excorsist.bin.exe

description	ioc	process
File opened (read-only)	\??\J:	excorsist.bin.exe
File opened (read-only)	\??\E:	excorsist.bin.exe
File opened (read-only)	\??\A:	excorsist.bin.exe
File opened (read-only)	\??\S:	excorsist.bin.exe
File opened (read-only)	\??\L:	excorsist.bin.exe
File opened (read-only)	\??\Q:	excorsist.bin.exe
File opened (read-only)	\??\O:	excorsist.bin.exe
File opened (read-only)	\??\Z:	excorsist.bin.exe
File opened (read-only)	\??\R:	excorsist.bin.exe
File opened (read-only)	\??\G:	excorsist.bin.exe
File opened (read-only)	\??\D:	excorsist.bin.exe
File opened (read-only)	\??\Y:	excorsist.bin.exe
File opened (read-only)	\??\H:	excorsist.bin.exe
File opened (read-only)	\??\V:	excorsist.bin.exe
File opened (read-only)	\??\U:	excorsist.bin.exe
File opened (read-only)	\??\T:	excorsist.bin.exe
File opened (read-only)	\??\P:	excorsist.bin.exe
File opened (read-only)	\??\N:	excorsist.bin.exe
File opened (read-only)	\??\M:	excorsist.bin.exe
File opened (read-only)	\??\X:	excorsist.bin.exe
File opened (read-only)	\??\W:	excorsist.bin.exe
File opened (read-only)	\??\F:	excorsist.bin.exe
File opened (read-only)	\??\B:	excorsist.bin.exe
File opened (read-only)	\??\K:	excorsist.bin.exe
File opened (read-only)	\??\I:	excorsist.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1796 vssadmin.exe

pid	process
1796	vssadmin.exe

Modifies data under HKEY_USERS 223 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7e08ccfc7f170a13a6aee03a498e1aa56f4304ff4cd50e6e737df28eeb1896f0	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f26e92789339c7df98b214610abda531e461a1d33af6afadbfe17abe232f1fc8	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b99e14a8256d69e92ee011dc2fb27266f24e02258e281f19903522ec023b51cd	excorsist.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	excorsist.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7121406-7FD4-42C9-B2AC-0BA026A12C21}\WpadDecisionTime = 309201fc0d98d601	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1526ed98074e8dc369b9a829fff20a29fa68a78b63d650635798f2282bc3d93b	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00470072006f007500700045007800690074002e007000700073006d0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 69ad50e7ad2b32085846e432abad94477625aeee8d9216b981b4fc38eedc483f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006400650070006c006f0079006d0065006e0074002e00700072006f00700065007200740069006500730000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004f00700065006e00650064002e0064006f006300780000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9568fe95bbce628f624bd36367f40ecb097b247628557d724e281fbfa56e2df3	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c96ce671ec05d7cb600f5dd30de47c83ef4456d1668560e54bd471af5c8dc9b1	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 1bd992052017f4c671eda4af858f6662b474acf7b707ea9363ed8242e968c59e	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = fc67012577675b229a1b7fcc43db30348760eebc2978e106792cf72fd2b5b5e3	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = dc652c0d97d365bbbf70e97026c935ba35ca71041f21a2abc86c3d47663b61b8	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c005200650063006f0076006500720079005c00660038003400300062006300380032002d0061006600660032002d0031003100650061002d0038003300390066002d006600320031003400350030006200340066003800350034005c00570069006e00720065002e00770069006d0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0048006900640065005500730065002e0063006600670000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9d17af2d51a1759245dc7c7047c3dcddc432c9d9fe52ff0fedef3dedaa597ba8	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c7d7d030eb25b5c0fc9bb83b9351fd9dc6177a6fe627c0b41d05d35ae1abf49f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a1b68c17d873a2a052ab8694dbac208a64ab0faf9b3a6cc87d0847be0b24dce3	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 00fb38ff5e696a73b5d0791dc4ae2b6b82859d6c14cbed9a3ca7c1a5760f472d	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 02f97bc868ad4d94d27d6f5f20bd529daf91b5a71158adb13e91f0d1f020b3fa	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0045006e0074006500720052006500710075006500730074002e0070007000740000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8d25cf9fa4e77dd6a924044100d1f8c41e825783c893822c180bd67eb699577e	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00480069006400650043006f00700079002e0054005400530000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c3d4e803585cdefd5a97e2a275344a9242983c7ad34595092743300811f1c35a	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 628f0a1f54ad792e1ea3f86a6d28b48344faf93cecb6baedad1d48616ed5cc3d	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a34085497471ba1a101e765d038d5fc4274927f43253fb045b4d54c4d488121c	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 7da590da598e4c1063f32863f9961a73ce507021bfe0530abff10814e467febc	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0043006f006d0070006c006500740065005500700064006100740065002e006d00680074006d006c0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d4d161f2a39f12994a59e75828525d487046d780709de5a66b4c08e4eab40ada	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004700720061006e00740044006900730063006f006e006e006500630074002e006a007000650000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6c3b79f0468db0b762c8b5d7c1f8731eba9a8ed027b8cddb7cc713fd413c6b10	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5238c81d39adeee17967e39e78125311864069d9489b70808e7d91e03405b94f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b7d4ea0ab8707459abaa3ab6abad0ab97d0d51563ec938aef053fd62917317b5	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 48079a42c2f80255677414f4175ce5f31ed7e4eca332829325f844acf046107f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cfcd9db890104e854a7c7a442e54568c80055b1f918939b609daa948f52e673d	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0043006f006e006600690072006d0043006c006500610072002e0070006f00740000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 07a8fb5cce0b3afd9db2b6167b655137d15a6ef685f687c3049a6e4ee66a6c42	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7121406-7FD4-42C9-B2AC-0BA026A12C21}	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0057006100740063006800530074006f0070002e00780073006c0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e529a4461977e14f6c3bf1b348b43e64fc4b1d0501cc3a157a1b1acf2fcd8a17	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0055006e00700072006f00740065006300740043006c006f00730065002e0078006c007300780000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e15a4e1fe802d040781929b73d80d8a8d918e857f92b05df58a14ddd8d996607	excorsist.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	excorsist.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 053f9074ee62cd0261149158f1f11ebcfda3c2debab9bda46d15ffdf2d68ce26	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a4d5807355c72f9df578a558201fa7d02f6653d69839b1fe1c413fa11a8aefb6	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = eef76fa56bb5bb289232e5f32254c19742e7e0d25a0d07054e52006b2486b169	excorsist.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7121406-7FD4-42C9-B2AC-0BA026A12C21}\32-e2-17-db-d2-77	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0043006f006d007000610072006500460069006e0064002e0074006900660000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e746c50ddec34d288c2ffdcdc66de76178660aff6f6ac4aa75260268b80d581c	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b0ed0576298e2562d86aaabb72d8be59a471c3b5765b15986418609c4ad6883f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00500069006e00670045006e00610062006c0065002e00680074006d0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f13edfbf3b72ff8369311b5845a1444ace17d32776ad942a3a28bbdc8398d5db	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004d0065006100730075007200650042006c006f0063006b002e007300760067007a0000000000	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 309201fc0d98d601	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = dee97a119c4fcf24f9ddc9946042a15ef8b7581017ebcb20c848186ea2cce98f	excorsist.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b952fb6803614eaf8dce1ae5ac78d6dc1fc9feebe62ebf24270a26affb13a7d6	excorsist.bin.exe

NTFS ADS 4 IoCs

Processes:

excorsist.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\tcA6as\windows.sys:qxoyhxveerelbnrwg	excorsist.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\5bqXmA\windows.sys:dhpkxqkdun	excorsist.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\g2ea2L\windows.sys:qvqhfjkvnrdtqgtt	excorsist.bin.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\5bqXmA\windows.sys:dhpkxqkdun	excorsist.bin.exe

Suspicious behavior: EnumeratesProcesses 1366 IoCs

Processes:

excorsist.bin.exe

pid	process
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe
316	excorsist.bin.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

excorsist.bin.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	316	excorsist.bin.exe
Token: SeRestorePrivilege	316	excorsist.bin.exe
Token: SeDebugPrivilege	316	excorsist.bin.exe
Token: SeSecurityPrivilege	316	excorsist.bin.exe
Token: SeRestorePrivilege	316	excorsist.bin.exe
Token: SeDebugPrivilege	316	excorsist.bin.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

excorsist.bin.execmd.execmd.exe

description	pid	process	target process
PID 316 wrote to memory of 1388	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1388	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1388	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1388	316	excorsist.bin.exe	cmd.exe
PID 1388 wrote to memory of 1796	1388	cmd.exe	vssadmin.exe
PID 1388 wrote to memory of 1796	1388	cmd.exe	vssadmin.exe
PID 1388 wrote to memory of 1796	1388	cmd.exe	vssadmin.exe
PID 1388 wrote to memory of 1796	1388	cmd.exe	vssadmin.exe
PID 316 wrote to memory of 1648	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1648	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1648	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1648	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1924	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1924	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1924	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1924	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1936	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1936	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1936	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1936	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1920	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1920	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1920	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 1920	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 2008	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 2008	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 2008	316	excorsist.bin.exe	cmd.exe
PID 316 wrote to memory of 2008	316	excorsist.bin.exe	cmd.exe
PID 2008 wrote to memory of 2004	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 2004	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 2004	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 2004	2008	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe
"C:\Users\Admin\AppData\Local\Temp\excorsist.bin.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-135-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-99-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-279-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-276-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-9-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-273-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-270-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-12-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-13-0x0000000004250000-0x0000000004261000-memory.dmp

Filesize
68KB

Download
memory/316-15-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-18-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-138-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-21-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-24-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-27-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-30-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-33-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-36-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-39-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-42-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-45-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-48-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-51-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-54-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-57-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-60-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-63-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-66-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-69-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-72-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-75-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-78-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-81-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-84-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-87-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-90-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-93-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-96-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-141-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-102-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-105-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-108-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-111-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-114-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-117-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-120-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-123-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-126-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-129-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-132-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-267-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-19-0x0000000004250000-0x0000000004261000-memory.dmp

Filesize
68KB

Download
memory/316-10-0x0000000004250000-0x0000000004261000-memory.dmp

Filesize
68KB

Download
memory/316-144-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-147-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-150-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-153-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-156-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-159-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-162-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-165-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-168-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-171-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-174-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-177-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-180-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-183-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-186-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-189-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-192-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-195-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-198-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-201-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-204-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-207-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-210-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-213-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-216-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-219-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-222-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-225-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-228-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-231-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-234-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-237-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-240-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-243-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-246-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-249-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-252-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-255-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-258-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-261-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/316-264-0x0000000003E40000-0x0000000003E51000-memory.dmp

Filesize
68KB

Download
memory/1388-0-0x0000000000000000-mapping.dmp

Download
memory/1648-2-0x0000000000000000-mapping.dmp

Download
memory/1796-1-0x0000000000000000-mapping.dmp

Download
memory/1920-5-0x0000000000000000-mapping.dmp

Download
memory/1924-3-0x0000000000000000-mapping.dmp

Download
memory/1936-4-0x0000000000000000-mapping.dmp

Download
memory/2004-7-0x0000000000000000-mapping.dmp

Download
memory/2008-6-0x0000000000000000-mapping.dmp

Download