Overview

overview

10

Static

static

10

fb17fb6e1e...20.exe

windows7_x64

10

fb17fb6e1e...20.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    29-10-2021 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe

  • Size

    109KB

  • MD5

    2bd337b8648c7a465a1f94ba4a99c344

  • SHA1

    509cb9c71d34ec78c7fa937506758ae9ad0ebdd6

  • SHA256

    fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120

  • SHA512

    d31b87213494f9173d288a971704b384a582a3dd3fd3a7a4dec8f01aef9db3e8e08213fdb8b308db0a1320dbd4b8bcf553b4fbbe3d9a180b8faab432932dc667

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note
Hello !!! Many of your documents, photos, passwords, databases and other files are no longer available as they were encrypted. You may be looking for a way to recover your files, but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it, theywill also contact me and I will make the price much more expensive than if you contacted directly).                                   DONT USE GMAIL.COM TO CONTACT US               !!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!!         !!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!! Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as fastall of your data will be back as before encryption. Send e-mail to this address: [email protected] Or contact https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB You have to pay for decryption in Bitcoins.                                                      ATTENTION !!! Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. We also have all your information to share .It is in your best interest to contact us as soon as possible. Key Identifier: HItWILJQBp44XfVDyASs2jcYo5k9VOoVk+/CM2SwTlbKxi4DHiBajTiIQFqgJnguTU430frjMrGeLJ5800C8HuTs/FpMvdx3p/paYx/Ccna2157I2RLjWRpQBTfDAGDl31b5m1oqr+WUzs2zUIqnDXrHUptpFTVZVv9pWI4p/BcKLG9GmLh36796ml7EXyOIXdlvRfTOvDSu82M19WImKrUsyGWOf41hH2FTOkc0PuRKcRU/UGfOyE+OOImQb7gwgTQjpIJUm0noIKPkL089FfF+TyI1bmitMyoODPnJkyDtLtiUR9TD3sPGlYuBlCaiE1v2J2svBojySh9370w7L3I8kYiye1wbb8n7nG+WEOzR6puQhn5Yf+W3ZbQUZEc58tDHtqPM9waPr0t8JDx5hAwiz15DWp3EMFT7Ya3D8l+lcETMbe+74mmcNpGq2bWfcRRtTRIVpj1rnsLRSrXWISTPelMXsXGBbgSBUEiMSYyXH1WIzZPqphErzsQzfDwGRemtr/LBWPSk99DeyEIRcQW48jPqpjyfzCjWBRbVt1+UOGzPTrsN91jyJDKROr9AOWxRsPiCtFeizJFEjeVEIUiqmK+cAabxZg/WVE+Si8yhCa9nNNsKIcBZO0r3iINMyTd9nKtKFJiZXoST9XT5vUmgQy7XwaVPWz9DVuV3Pak=
URLs

https://supportdatarecovery.cc/users.php

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Ransom Note
Hello !!! Many of your documents, photos, passwords, databases and other files are no longer available as they were encrypted. You may be looking for a way to recover your files, but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it, theywill also contact me and I will make the price much more expensive than if you contacted directly). DONT USE GMAIL.COM TO CONTACT US !!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!! !!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!! Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as fastall of your data will be back as before encryption. Send e-mail to this address: [email protected] Or contact https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB You have to pay for decryption in Bitcoins. ATTENTION !!! Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. We also have all your information to share .It is in your best interest to contact us as soon as possible. Key Identifier: HItWILJQBp44XfVDyASs2jcYo5k9VOoVk+/CM2SwTlbKxi4DHiBajTiIQFqgJnguTU430frjMrGeLJ5800C8HuTs/FpMvdx3p/paYx/Ccna2157I2RLjWRpQBTfDAGDl31b5m1oqr+WUzs2zUIqnDXrHUptpFTVZVv9pWI4p/BcKLG9GmLh36796ml7EXyOIXdlvRfTOvDSu82M19WImKrUsyGWOf41hH2FTOkc0PuRKcRU/UGfOyE+OOImQb7gwgTQjpIJUm0noIKPkL089FfF+TyI1bmitMyoODPnJkyDtLtiUR9TD3sPGlYuBlCaiE1v2J2svBojySh9370w7L3I8kYiye1wbb8n7nG+WEOzR6puQhn5Yf+W3ZbQUZEc58tDHtqPM9waPr0t8JDx5hAwiz15DWp3EMFT7Ya3D8l+lcETMbe+74mmcNpGq2bWfcRRtTRIVpj1rnsLRSrXWISTPelMXsXGBbgSBUEiMSYyXH1WIzZPqphErzsQzfDwGRemtr/LBWPSk99DeyEIRcQW48jPqpjyfzCjWBRbVt1+UOGzPTrsN91jyJDKROr9AOWxRsPiCtFeizJFEjeVEIUiqmK+cAabxZg/WVE+Si8yhCa9nNNsKIcBZO0r3iINMyTd9nKtKFJiZXoST9XT5vUmgQy7XwaVPWz9DVuV3Pak=
URLs

https://supportdatarecovery.cc/users.php

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 28 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 20 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe
    "C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:1512
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:1052
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:1456
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:988
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config Dnscache start= auto
            2⤵
              PID:1808
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config FDResPub start= auto
              2⤵
                PID:1956
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:1684
                • C:\Windows\SysWOW64\sc.exe
                  "sc.exe" config SSDPSRV start= auto
                  2⤵
                    PID:1104
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                    2⤵
                      PID:912
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:852
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config upnphost start= auto
                        2⤵
                          PID:324
                        • C:\Windows\SysWOW64\sc.exe
                          "sc.exe" config SQLWriter start= disabled
                          2⤵
                            PID:1624
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1584
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM synctime.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2032
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mspub.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1628
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1108
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mysqld.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1908
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM Ntrtscan.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1540
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1112
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqbcoreservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1196
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM isqlplussvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:976
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM firefoxconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:684
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM encsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1204
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM excel.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1532
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM onenote.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1740
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM agntsvc.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:364
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM dbeng50.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:284
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM CNTAoSMgr.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:896
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM PccNTMon.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:880
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM thebat.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1892
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqlwriter.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:968
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM thebat64.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1272
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM steam.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1096
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM msaccess.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1492
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM ocomm.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1224
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM tbirdconfig.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1508
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM outlook.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1884
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" IM thunderbird.exe /F
                            2⤵
                            • Kills process with taskkill
                            PID:1052
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM dbsnmp.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1104
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM tmlisten.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1660
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM infopath.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:756
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM wordpad.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1040
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM msftesql.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1888
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM xfssvccon.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2036
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mbamtray.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1832
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM powerpnt.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:896
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mysqld-opt.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:984
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM zoolz.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1840
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopqos.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1808
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM ocautoupds.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1800
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM visio.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1908
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM ocssd.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1532
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mydesktopservice.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:936
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM oracle.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1368
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM winword.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1524
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqlagent.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1700
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM mysqld-nt.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1584
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqlbrowser.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:536
                          • C:\Windows\SysWOW64\taskkill.exe
                            "taskkill.exe" /IM sqlservr.exe /F
                            2⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1928
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                            2⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1676
                          • C:\Windows\SysWOW64\mshta.exe
                            "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                            2⤵
                            • Modifies Internet Explorer settings
                            PID:1900
                          • C:\Windows\splwow64.exe
                            C:\Windows\splwow64.exe 12288
                            2⤵
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:1204

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/828-55-0x0000000001310000-0x0000000001311000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/828-57-0x00000000004F0000-0x00000000004F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1204-129-0x0000000004150000-0x0000000004151000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1204-125-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/1676-120-0x00000000025B0000-0x00000000031FA000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/1676-122-0x00000000025B0000-0x00000000031FA000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/1676-121-0x00000000025B0000-0x00000000031FA000-memory.dmp

                          Filesize

                          12.3MB

                          Download

                        • memory/1676-119-0x0000000076231000-0x0000000076233000-memory.dmp

                          Filesize

                          8KB

                          Download