97171b9d6743959ee9873ea8ab1a6ea9a2cf66158cf478642bfde38b03639554

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Retrac.exe
Size

932KB
MD5

2fd21c9c29f8761865340fc9efb530c4
SHA1

ba5f8d1ebd67e6aa0d596ee6a102fec681b83e7c
SHA256

236b42ab76fcda6d8914e56ee80d0372e8552e7bc96942412c5e63ebb2980d64
SHA512

78ba5da96511d28927e7442001757d9138c70154977580a4cd8fadc44831b92c6724b5e0a00e30494ff9f3c553d2cc967cd412515152c85cf73d4a9559487dec
SSDEEP

12288:tjMsQ7auPRHrnNtinnsrHD+3/4Y6EW5lRXi0kyf+zB1FPN:NMsnuPRHrnLinCHK3Z6EElw3yf+Nj

Score

9^/10

defense_evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 2 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2432	wevtutil.exe
2592	wevtutil.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2548	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2596	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2432	wevtutil.exe
Token: SeBackupPrivilege	2432	wevtutil.exe
Token: SeSecurityPrivilege	2592	wevtutil.exe
Token: SeBackupPrivilege	2592	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2796	2236	Retrac.exe	31
PID 2236 wrote to memory of 2796	2236	Retrac.exe	31
PID 2236 wrote to memory of 2796	2236	Retrac.exe	31
PID 2236 wrote to memory of 2808	2236	Retrac.exe	32
PID 2236 wrote to memory of 2808	2236	Retrac.exe	32
PID 2236 wrote to memory of 2808	2236	Retrac.exe	32
PID 2808 wrote to memory of 2832	2808	cmd.exe	33
PID 2808 wrote to memory of 2832	2808	cmd.exe	33
PID 2808 wrote to memory of 2832	2808	cmd.exe	33
PID 2236 wrote to memory of 2936	2236	Retrac.exe	34
PID 2236 wrote to memory of 2936	2236	Retrac.exe	34
PID 2236 wrote to memory of 2936	2236	Retrac.exe	34
PID 2936 wrote to memory of 2700	2936	cmd.exe	35
PID 2936 wrote to memory of 2700	2936	cmd.exe	35
PID 2936 wrote to memory of 2700	2936	cmd.exe	35
PID 2236 wrote to memory of 2752	2236	Retrac.exe	36
PID 2236 wrote to memory of 2752	2236	Retrac.exe	36
PID 2236 wrote to memory of 2752	2236	Retrac.exe	36
PID 2752 wrote to memory of 2740	2752	cmd.exe	37
PID 2752 wrote to memory of 2740	2752	cmd.exe	37
PID 2752 wrote to memory of 2740	2752	cmd.exe	37
PID 2236 wrote to memory of 2692	2236	Retrac.exe	38
PID 2236 wrote to memory of 2692	2236	Retrac.exe	38
PID 2236 wrote to memory of 2692	2236	Retrac.exe	38
PID 2692 wrote to memory of 2672	2692	cmd.exe	39
PID 2692 wrote to memory of 2672	2692	cmd.exe	39
PID 2692 wrote to memory of 2672	2692	cmd.exe	39
PID 2236 wrote to memory of 2552	2236	Retrac.exe	40
PID 2236 wrote to memory of 2552	2236	Retrac.exe	40
PID 2236 wrote to memory of 2552	2236	Retrac.exe	40
PID 2552 wrote to memory of 2108	2552	cmd.exe	41
PID 2552 wrote to memory of 2108	2552	cmd.exe	41
PID 2552 wrote to memory of 2108	2552	cmd.exe	41
PID 2236 wrote to memory of 2840	2236	Retrac.exe	42
PID 2236 wrote to memory of 2840	2236	Retrac.exe	42
PID 2236 wrote to memory of 2840	2236	Retrac.exe	42
PID 2840 wrote to memory of 2664	2840	cmd.exe	43
PID 2840 wrote to memory of 2664	2840	cmd.exe	43
PID 2840 wrote to memory of 2664	2840	cmd.exe	43
PID 2236 wrote to memory of 2716	2236	Retrac.exe	44
PID 2236 wrote to memory of 2716	2236	Retrac.exe	44
PID 2236 wrote to memory of 2716	2236	Retrac.exe	44
PID 2236 wrote to memory of 2580	2236	Retrac.exe	45
PID 2236 wrote to memory of 2580	2236	Retrac.exe	45
PID 2236 wrote to memory of 2580	2236	Retrac.exe	45
PID 2236 wrote to memory of 2876	2236	Retrac.exe	46
PID 2236 wrote to memory of 2876	2236	Retrac.exe	46
PID 2236 wrote to memory of 2876	2236	Retrac.exe	46
PID 2236 wrote to memory of 2724	2236	Retrac.exe	47
PID 2236 wrote to memory of 2724	2236	Retrac.exe	47
PID 2236 wrote to memory of 2724	2236	Retrac.exe	47
PID 2724 wrote to memory of 2432	2724	cmd.exe	48
PID 2724 wrote to memory of 2432	2724	cmd.exe	48
PID 2724 wrote to memory of 2432	2724	cmd.exe	48
PID 2236 wrote to memory of 2712	2236	Retrac.exe	49
PID 2236 wrote to memory of 2712	2236	Retrac.exe	49
PID 2236 wrote to memory of 2712	2236	Retrac.exe	49
PID 2712 wrote to memory of 2592	2712	cmd.exe	50
PID 2712 wrote to memory of 2592	2712	cmd.exe	50
PID 2712 wrote to memory of 2592	2712	cmd.exe	50
PID 2236 wrote to memory of 2600	2236	Retrac.exe	51
PID 2236 wrote to memory of 2600	2236	Retrac.exe	51
PID 2236 wrote to memory of 2600	2236	Retrac.exe	51
PID 2236 wrote to memory of 2548	2236	Retrac.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Retrac.exe
"C:\Users\Admin\AppData\Local\Temp\Retrac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Retrac Launcher\Retrac Launcher.exe.FriendlyAppName" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Retrac Launcher\Retrac Launcher.exe.FriendlyAppName" /f
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\snow" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\snow" /f
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /f
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
    3⤵
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Retrac" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Retrac" /f
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\Prefetch\RETRAC*.*.pf > nul
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\Users\WINDOW~1\AppData\Local\Temp\*.* > nul
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\WindowSandbox\AppData\Local\site.retrac > nul
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil cl System > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl System
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil cl Application > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /s /q %systemdrive%\$Recycle.Bin > nul
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /delete /tn "RetracTask" /f > nul
  2⤵
  - Indicator Removal: Clear Persistence
  PID:2548
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "RetracTask" /f
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul
  2⤵
  PID:2576
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads