General

  • Target: rcru_64.exe
  • Size: 1.0MB
  • Sample: 210401-pt65ylsd1j
  • MD5: 0d5d7377432ee449f30626c2371a0080
  • SHA1: 56a1d1203d62c131b70837d75af79aa19a3b0487
  • SHA256: 94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9
  • SHA512: 19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Malware Config

Extracted

Path

\??\c:\Read_Me!_.txt

Ransom Note
Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : rfeHv0 Email Address :[email protected]

Extracted

Path

C:\Users\Admin\Desktop\ReadMe_Now!.hta

Ransom Note
All Your Files Have Been Encrypted ! All Your Files Encrypted Due To A Security Problem With Your PC. If You Need Your Files Please Send Us E-mail To Get Decryption Tools .The Only Way Of Recovering Files Is To Purchase For Decryption Tools ( Payment Must Be Made With Bitcoin ) . If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.Our E-mail Address : [email protected] Personal ID : rfeHv0Sent E-mail Should Be Contains Your Personal ID.If Don't Get a Response Or Any Other Problem Write Us E-mail At : [email protected] Check Your Spam Folder Too. What Guarantee Do We Give You ? You Can Send Some Files For Decryption Test( Before Paying ). File Size Must Be Less Than 2MB And Files Should Not Contains Valuabe Data Like (Backups , Databases etc ... ) . Get Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Other Websites By Searching At Google :http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention !! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files Forever. In Case Of Trying To Decrypt Files With Third-Party,Recovery Sofwares This May Make The Decryption Harder So Prices Will Be Rise.

Extracted

Path

\??\c:\Read_Me!_.txt

Ransom Note
Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : 8oBO6b Email Address :[email protected]

Targets

    • Target: rcru_64.exe
    • Size: 1.0MB
    • MD5: 0d5d7377432ee449f30626c2371a0080
    • SHA1: 56a1d1203d62c131b70837d75af79aa19a3b0487
    • SHA256: 94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9
    • SHA512: 19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks