Resubmissions
  26/04/2021, 08:34  210426-9lq7mp8pta  score 10

Analysis
  max time kernel:   98s
  max time network:  35s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         26/04/2021, 08:34
Tasks
  Static task      static1
  Behavioral task  behavioral1  Sample: MOSS.exe  Resource: win7v20210410
  Behavioral task  behavioral2  Sample: MOSS.exe  Resource: win10v20210410
General
  Target:  MOSS.exe
  Size:    190KB
  MD5:     b1d5ffd0e1e56f056f429b9b96be08e3
  SHA1:    46a09183d478f0ee9f5322e32ab38cbb0cdf444b
  SHA256:  d29b8160e51dd29474f3464111fc888da8adb2bc2f0d4f29ce71219ffc846bd5
  SHA512:  4c23dd6914234db4718569175722c5b8c7b65348a77504c9fcf6ff62a9088ac6643e3be875afd5546cec3d7ff188ab4e7457fd796ac964e8e1d72c2bfa74fa5c
Malware Config
  Extracted
    Path:    C:\readme.txt
    Family:  conti
    URLs:
      http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
      https://contirecovery.top
Signatures

Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description   ioc                                                                                                  Process
  File renamed  C:\Users\Admin\Pictures\StepCompare.png => C:\Users\Admin\Pictures\StepCompare.png.ALNBR               MOSS.exe
  File renamed  C:\Users\Admin\Pictures\InitializeExport.raw => C:\Users\Admin\Pictures\InitializeExport.raw.ALNBR     MOSS.exe
  File renamed  C:\Users\Admin\Pictures\ProtectNew.crw => C:\Users\Admin\Pictures\ProtectNew.crw.ALNBR                 MOSS.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (39 IoCs)
Drops file in Program Files directory (64 IoCs)
Opens file in notepad (likely ransom note) (1 IoC)
  pid  Process
  308  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1240  MOSS.exe  (all 64 hits are recorded for this one pid)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\MOSS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MOSS.exe"
    PID: 1240
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5DF5AEE8-C2C6-41F9-A327-52A9D6E729EE}'" delete
        PID: 1108
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5DF5AEE8-C2C6-41F9-A327-52A9D6E729EE}'" delete
            PID: 796
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6B3DCDA-28EB-44CF-945C-B4D93AF77241}'" delete
        PID: 820
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6B3DCDA-28EB-44CF-945C-B4D93AF77241}'" delete
            PID: 1084
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD906EB4-EAFD-4DB3-81A2-99391D930AA9}'" delete
        PID: 1480
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD906EB4-EAFD-4DB3-81A2-99391D930AA9}'" delete
            PID: 432

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32958932-8E11-43B0-AC31-6B99594E4D00}'" delete
        PID: 308
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32958932-8E11-43B0-AC31-6B99594E4D00}'" delete
            PID: 1704

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{385FE97B-312C-483D-B1B8-607CA59A04B6}'" delete
        PID: 1504
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{385FE97B-312C-483D-B1B8-607CA59A04B6}'" delete
            PID: 240

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77D65635-69D3-422D-87E3-4146A6665F55}'" delete
        PID: 756
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77D65635-69D3-422D-87E3-4146A6665F55}'" delete
            PID: 1468

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1210D522-0704-4EBB-A15E-008D93F648D2}'" delete
        PID: 656
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1210D522-0704-4EBB-A15E-008D93F648D2}'" delete
            PID: 744

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAAD01A2-C6EB-4ADB-A43B-E56007843F7E}'" delete
        PID: 432
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAAD01A2-C6EB-4ADB-A43B-E56007843F7E}'" delete
            PID: 596

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BC45FBA6-DD27-4112-A4DB-130E06CF6CCF}'" delete
        PID: 1704
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BC45FBA6-DD27-4112-A4DB-130E06CF6CCF}'" delete
            PID: 1564

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77E3A4FE-8BEE-45BE-825F-0485AEA4AAAE}'" delete
        PID: 240
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77E3A4FE-8BEE-45BE-825F-0485AEA4AAAE}'" delete
            PID: 572

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9ACDAEEF-8B35-46A6-8E5B-CD19B0E97795}'" delete
        PID: 1468
        [3] C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9ACDAEEF-8B35-46A6-8E5B-CD19B0E97795}'" delete
            PID: 1512

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1248
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
    PID: 308
    - Opens file in notepad (likely ransom note)

[1] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 520