97171b9d6743959ee9873ea8ab1a6ea9a2cf66158cf478642bfde38b03639554

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Retrac.exe
Size

932KB
MD5

2fd21c9c29f8761865340fc9efb530c4
SHA1

ba5f8d1ebd67e6aa0d596ee6a102fec681b83e7c
SHA256

236b42ab76fcda6d8914e56ee80d0372e8552e7bc96942412c5e63ebb2980d64
SHA512

78ba5da96511d28927e7442001757d9138c70154977580a4cd8fadc44831b92c6724b5e0a00e30494ff9f3c553d2cc967cd412515152c85cf73d4a9559487dec
SSDEEP

12288:tjMsQ7auPRHrnNtinnsrHD+3/4Y6EW5lRXi0kyf+zB1FPN:NMsnuPRHrnLinCHK3Z6EElw3yf+Nj

Score

9^/10

defense_evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 2 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
5780	wevtutil.exe
4728	wevtutil.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
1212	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5728	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5780	wevtutil.exe
Token: SeBackupPrivilege	5780	wevtutil.exe
Token: SeSecurityPrivilege	4728	wevtutil.exe
Token: SeBackupPrivilege	4728	wevtutil.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2468	636	Retrac.exe	101
PID 636 wrote to memory of 2468	636	Retrac.exe	101
PID 636 wrote to memory of 2548	636	Retrac.exe	102
PID 636 wrote to memory of 2548	636	Retrac.exe	102
PID 2548 wrote to memory of 3768	2548	cmd.exe	103
PID 2548 wrote to memory of 3768	2548	cmd.exe	103
PID 636 wrote to memory of 4196	636	Retrac.exe	104
PID 636 wrote to memory of 4196	636	Retrac.exe	104
PID 4196 wrote to memory of 6060	4196	cmd.exe	105
PID 4196 wrote to memory of 6060	4196	cmd.exe	105
PID 636 wrote to memory of 936	636	Retrac.exe	106
PID 636 wrote to memory of 936	636	Retrac.exe	106
PID 936 wrote to memory of 5928	936	cmd.exe	107
PID 936 wrote to memory of 5928	936	cmd.exe	107
PID 636 wrote to memory of 3396	636	Retrac.exe	108
PID 636 wrote to memory of 3396	636	Retrac.exe	108
PID 3396 wrote to memory of 5236	3396	cmd.exe	109
PID 3396 wrote to memory of 5236	3396	cmd.exe	109
PID 636 wrote to memory of 2552	636	Retrac.exe	110
PID 636 wrote to memory of 2552	636	Retrac.exe	110
PID 2552 wrote to memory of 5024	2552	cmd.exe	111
PID 2552 wrote to memory of 5024	2552	cmd.exe	111
PID 636 wrote to memory of 4348	636	Retrac.exe	112
PID 636 wrote to memory of 4348	636	Retrac.exe	112
PID 4348 wrote to memory of 752	4348	cmd.exe	113
PID 4348 wrote to memory of 752	4348	cmd.exe	113
PID 636 wrote to memory of 4108	636	Retrac.exe	114
PID 636 wrote to memory of 4108	636	Retrac.exe	114
PID 636 wrote to memory of 3436	636	Retrac.exe	115
PID 636 wrote to memory of 3436	636	Retrac.exe	115
PID 636 wrote to memory of 2756	636	Retrac.exe	116
PID 636 wrote to memory of 2756	636	Retrac.exe	116
PID 636 wrote to memory of 4372	636	Retrac.exe	117
PID 636 wrote to memory of 4372	636	Retrac.exe	117
PID 4372 wrote to memory of 5780	4372	cmd.exe	118
PID 4372 wrote to memory of 5780	4372	cmd.exe	118
PID 636 wrote to memory of 3420	636	Retrac.exe	119
PID 636 wrote to memory of 3420	636	Retrac.exe	119
PID 3420 wrote to memory of 4728	3420	cmd.exe	120
PID 3420 wrote to memory of 4728	3420	cmd.exe	120
PID 636 wrote to memory of 516	636	Retrac.exe	121
PID 636 wrote to memory of 516	636	Retrac.exe	121
PID 636 wrote to memory of 1212	636	Retrac.exe	122
PID 636 wrote to memory of 1212	636	Retrac.exe	122
PID 1212 wrote to memory of 5308	1212	cmd.exe	123
PID 1212 wrote to memory of 5308	1212	cmd.exe	123
PID 636 wrote to memory of 620	636	Retrac.exe	124
PID 636 wrote to memory of 620	636	Retrac.exe	124
PID 620 wrote to memory of 5728	620	cmd.exe	125
PID 620 wrote to memory of 5728	620	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Retrac.exe
"C:\Users\Admin\AppData\Local\Temp\Retrac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Retrac Launcher\Retrac Launcher.exe.FriendlyAppName" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /v "C:\Program Files\Retrac Launcher\Retrac Launcher.exe.FriendlyAppName" /f
    3⤵
    PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\snow" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\snow" /f
    3⤵
    PID:6060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched" /f
    3⤵
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f
    3⤵
    PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Retrac" /f > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Retrac" /f
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\Windows\Prefetch\RETRAC*.*.pf > nul
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /q C:\Users\WINDOW~1\AppData\Local\Temp\*.* > nul
  2⤵
  PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rmdir /s /q C:\Users\WindowSandbox\AppData\Local\site.retrac > nul
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil cl System > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl System
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil cl Application > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rd /s /q %systemdrive%\$Recycle.Bin > nul
  2⤵
  PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /delete /tn "RetracTask" /f > nul
  2⤵
  - Indicator Removal: Clear Persistence
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "RetracTask" /f
    3⤵
    PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /flushdns > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads