Overview

overview

10

Static

static

ca680208fb...97.exe

windows7_x64

10

ca680208fb...97.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    184s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe

  • Size

    68KB

  • MD5

    f269d24544e8bb4cb82680bb396a5f1b

  • SHA1

    8283f4266a7782308b04a3d03c8b13a38eefaa61

  • SHA256

    ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097

  • SHA512

    c22f51697316c4d29e4b4ef817a1c73d4681fc02b0a2b0fee01e2aaf065d6a3aa04b7defc366cea012a723e600bd80a12083d54bb0907fa0b4cf6f12c41e68d1

Score
10/10
exorcistransomware

Malware Config

Signatures

  • Exorcist Ransomware

    Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

    ransomwareexorcist
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe
    "C:\Users\Admin\AppData\Local\Temp\ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies data under HKEY_USERS
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C vssadmin Delete Shadows /All /Quiet
      2⤵
        PID:4832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C bcdedit /set {default} recoveryenabled No
        2⤵
          PID:5076
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          2⤵
            PID:4836
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
            2⤵
              PID:3112
            • C:\Windows\SysWOW64\cmd.exe
              cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
              2⤵
                PID:4276
              • C:\Windows\SysWOW64\cmd.exe
                cmd /C wmic SHADOWCOPY /nointeractive
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3968
                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic SHADOWCOPY /nointeractive
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4528

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads