Analysis

  • max time kernel
    151s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-05-2022 23:12

General

  • Target

    ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe

  • Size

    68KB

  • MD5

    f269d24544e8bb4cb82680bb396a5f1b

  • SHA1

    8283f4266a7782308b04a3d03c8b13a38eefaa61

  • SHA256

    ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097

  • SHA512

    c22f51697316c4d29e4b4ef817a1c73d4681fc02b0a2b0fee01e2aaf065d6a3aa04b7defc366cea012a723e600bd80a12083d54bb0907fa0b4cf6f12c41e68d1

Malware Config

Signatures

  • Exorcist Ransomware

    Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

  • suricata: ET MALWARE Exorcist 2.0 Ransomware CnC Activity

    suricata: ET MALWARE Exorcist 2.0 Ransomware CnC Activity

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 64 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe
    "C:\Users\Admin\AppData\Local\Temp\ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} recoveryenabled No
      2⤵
      PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wmic SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    File Deletion (T1107): 2
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Impact
    Inhibit System Recovery (T1490): 2

Downloads

  • memory/524-58-0x0000000000000000-mapping.dmp
  • memory/808-61-0x0000000000000000-mapping.dmp
  • memory/916-62-0x0000000000000000-mapping.dmp
  • memory/1164-54-0x0000000076181000-0x0000000076183000-memory.dmp
    Filesize 8KB
  • memory/1388-56-0x0000000000000000-mapping.dmp
  • memory/1504-59-0x0000000000000000-mapping.dmp
  • memory/1508-55-0x0000000000000000-mapping.dmp
  • memory/1768-57-0x0000000000000000-mapping.dmp
  • memory/1808-60-0x0000000000000000-mapping.dmp