Analysis
- max time kernel: 150s
- max time network: 39s
- platform: windows7_x64
- resource: win7-en-20210916
- submitted: 20-09-2021 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
- Resource: win7-en-20210916
Behavioral task: behavioral2
- Sample: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
- Resource: win10-en
General
- Target: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
- Size: 194KB
- MD5: b633567b5bcde20a1e18a0c35869ba07
- SHA1: 18f052cb6f0cef8c4d7c4e3e60b8c91b10e4aa63
- SHA256: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0
- SHA512: 5feab5ee400d62192d6fd3a7e2d7a9ba62ca32bcbf0d11335fdcbd82f0d02d94ad44ef95bec76a88e5dbf8fe09d27b4648017cb707627fadb7d1f6449072be43
Malware Config
Extracted from: C:\readme.txt
conti
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
In this run the appended extension is .MABDG. The original file name and extension are kept and the new extension is added after them, and the file is opened for modification before it is renamed (SearchUndo.tiff shows both events), which is the order expected for in-place encryption followed by a rename.
Processes: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe (all entries)
- File renamed C:\Users\Admin\Pictures\CheckpointUnpublish.tif => C:\Users\Admin\Pictures\CheckpointUnpublish.tif.MABDG
- File renamed C:\Users\Admin\Pictures\InstallLock.crw => C:\Users\Admin\Pictures\InstallLock.crw.MABDG
- File renamed C:\Users\Admin\Pictures\InvokeWrite.tif => C:\Users\Admin\Pictures\InvokeWrite.tif.MABDG
- File opened for modification C:\Users\Admin\Pictures\SearchUndo.tiff
- File renamed C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.MABDG
- File renamed C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.MABDG
- File renamed C:\Users\Admin\Pictures\WaitRedo.tif => C:\Users\Admin\Pictures\WaitRedo.tif.MABDG
-
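The rename IoCs above are the raw material for a simple mass-extension-change heuristic. The following is an added example, not part of the sandbox report or of any Conti tooling: it takes (old_path, new_path) rename pairs, recognises the "original name kept, one extension appended" pattern, and flags a suffix only when many files of more than one original type gained it. The rename pairs are constructed from the report's IoCs plus two constructed benign renames; the thresholds and the KNOWN_BENIGN list are assumptions.

```python
"""Heuristic for the 'Modifies extensions of user files' signature.

Added example, not code from the sandbox report. Input is a constructed list of
(old_path, new_path) rename pairs: the six .MABDG renames from the report plus
two constructed benign renames. Thresholds are assumptions.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: the report's rename IoCs plus benign noise.
RENAMES = [
    (r"C:\Users\Admin\Pictures\CheckpointUnpublish.tif", r"C:\Users\Admin\Pictures\CheckpointUnpublish.tif.MABDG"),
    (r"C:\Users\Admin\Pictures\InstallLock.crw", r"C:\Users\Admin\Pictures\InstallLock.crw.MABDG"),
    (r"C:\Users\Admin\Pictures\InvokeWrite.tif", r"C:\Users\Admin\Pictures\InvokeWrite.tif.MABDG"),
    (r"C:\Users\Admin\Pictures\SearchUndo.tiff", r"C:\Users\Admin\Pictures\SearchUndo.tiff.MABDG"),
    (r"C:\Users\Admin\Pictures\TraceCopy.png", r"C:\Users\Admin\Pictures\TraceCopy.png.MABDG"),
    (r"C:\Users\Admin\Pictures\WaitRedo.tif", r"C:\Users\Admin\Pictures\WaitRedo.tif.MABDG"),
    # Constructed benign renames: a user renaming a document, an editor's atomic save.
    (r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx"),
    (r"C:\Users\Admin\Documents\notes.txt.tmp", r"C:\Users\Admin\Documents\notes.txt"),
]

# Assumed list of suffixes that legitimate tools append routinely.
KNOWN_BENIGN = {".BAK", ".TMP", ".OLD", ".ORIG"}


def appended_suffix(old: str, new: str):
    """Return the single suffix appended to an otherwise unchanged name, or None.

    Ransomware of this kind keeps the original name and extension and appends
    its own marker (.MABDG here), so new == old + ".<marker>" in the same folder.
    """
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if o.parent != n.parent or not n.name.startswith(o.name + "."):
        return None
    suffix = n.name[len(o.name):]  # e.g. ".MABDG"
    # Exactly one extra extension; reject "" and things like ".a.b".
    return suffix if len(suffix) > 1 and "." not in suffix[1:] else None


def suffix_profile(renames):
    """Group renamed files by the (upper-cased) suffix that was appended."""
    by_suffix = defaultdict(list)
    for old, new in renames:
        s = appended_suffix(old, new)
        if s is not None:
            by_suffix[s.upper()].append(new)
    return dict(by_suffix)


def detect_mass_extension_change(renames, min_files=5, min_original_exts=2):
    """Flag a suffix when >= min_files files of >= min_original_exts original
    types gained it. Requiring several original extensions filters out batch
    jobs that only ever rename one file type (e.g. .log -> .log.gz)."""
    hits = {}
    for suffix, paths in suffix_profile(renames).items():
        if suffix in KNOWN_BENIGN:
            continue
        original_exts = Counter(
            PureWindowsPath(p[: -len(suffix)]).suffix.lower() for p in paths
        )
        if len(paths) >= min_files and len(original_exts) >= min_original_exts:
            hits[suffix] = {
                "files": len(paths),
                "original_extensions": dict(original_exts),
            }
    return hits


if __name__ == "__main__":
    for suffix, info in detect_mass_extension_change(RENAMES).items():
        print(f"{suffix}: {info['files']} files, original types {info['original_extensions']}")
```

Run against the constructed input it reports only .MABDG (6 files across .tif, .crw, .tiff and .png); the two benign renames do not match the appended-suffix shape at all. In production the same logic would consume file-rename telemetry (Sysmon Event ID 11/23 or a minifilter) over a sliding window rather than a static list.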
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Two kinds of entry appear here. "File created ... readme.txt" is the ransom note being dropped into each directory the sample walks; "File opened for modification" marks files the sample opened for writing, consistent with in-place encryption of content under Program Files. Every entry is attributed to d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe, so the process column is omitted below.
Processes: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe (all entries)
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090149.WMF
- File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\readme.txt
- File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_sv.properties
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00152_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235319.WMF
- File created C:\Program Files\VideoLAN\VLC\locale\mk\readme.txt
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api
- File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF
- File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\readme.txt
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar
- File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos
- File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_F_COL.HXK
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan
- File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\readme.txt
- File opened for modification C:\Program Files\7-Zip\Lang\ca.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02067_.WMF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\NOTICE
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_ON.GIF
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01858_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo
- File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt
- File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF
- File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\readme.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe (PID 1916)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Note that none of these token adjustments are made by the sample itself. The three belong to vssvc.exe, the Volume Shadow Copy service, enabling the backup and restore privileges it needs to service the deletions requested below; the rest are WMIC.exe enabling every privilege present in its token at startup, which WMIC does on every run and which is why the same 20-entry sequence repeats for each WMIC instance. The entries listed as 33, 34 and 35 are privilege LUIDs the report does not resolve to names; on Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Processes: vssvc.exe (PID 1500), WMIC.exe (PID 1796), WMIC.exe (PID 432)
- vssvc.exe, PID 1500: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe, PID 1796 (the sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- WMIC.exe, PID 432: the same 20-entry sequence once, followed by SeIncreaseQuotaPrivilege again, at which point the report's 64-IoC cap is reached
-
Suspicious use of WriteProcessMemory 64 IoCs
Every row here coincides with a child process being created: user-mode CreateProcess writes the new process's startup parameters into the child's address space, so this is the normal spawn sequence rather than injection into an unrelated process. The report records each sample->cmd.exe spawn as four writes and each cmd.exe->WMIC.exe spawn as three; the rows are collapsed below with their counts (64 rows in total, the report's cap, which is why the list ends mid-chain at cmd.exe 868). PIDs 432 and 1784 each appear twice as WMIC.exe targets because Windows recycled them between short-lived WMIC runs; anything keyed on PID alone must take creation time into account.
Processes: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe (PID 1916) and the nine cmd.exe children it spawned
Source PID wrote to memory of target PID:
- 1916 (sample) -> 384 (cmd.exe), 4 writes
- 384 (cmd.exe) -> 1796 (WMIC.exe), 3 writes
- 1916 (sample) -> 1284 (cmd.exe), 4 writes
- 1284 (cmd.exe) -> 432 (WMIC.exe), 3 writes
- 1916 (sample) -> 1100 (cmd.exe), 4 writes
- 1100 (cmd.exe) -> 1784 (WMIC.exe), 3 writes
- 1916 (sample) -> 1356 (cmd.exe), 4 writes
- 1356 (cmd.exe) -> 1692 (WMIC.exe), 3 writes
- 1916 (sample) -> 1316 (cmd.exe), 4 writes
- 1316 (cmd.exe) -> 1684 (WMIC.exe), 3 writes
- 1916 (sample) -> 1576 (cmd.exe), 4 writes
- 1576 (cmd.exe) -> 1708 (WMIC.exe), 3 writes
- 1916 (sample) -> 1976 (cmd.exe), 4 writes
- 1976 (cmd.exe) -> 1792 (WMIC.exe), 3 writes
- 1916 (sample) -> 604 (cmd.exe), 4 writes
- 604 (cmd.exe) -> 432 (WMIC.exe), 3 writes
- 1916 (sample) -> 1312 (cmd.exe), 4 writes
- 1312 (cmd.exe) -> 1784 (WMIC.exe), 3 writes
- 1916 (sample) -> 868 (cmd.exe), 1 write (list truncated at 64 IoCs)
Processes
-
The tree shows the shadow-copy removal pattern of this sample: one cmd.exe /c WMIC.exe shadowcopy where "ID='{...}'" delete pair per shadow copy ID (13 in this run) rather than a single vssadmin delete shadows /all, with vssvc.exe (the Volume Shadow Copy service) started as a separate top-level process to carry out the deletions. Indentation reflects parent/child relationships; PIDs are the sandbox's.
- C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe (PID 1916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe"
  Signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 384)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FC480CE6-7BF8-4746-98C8-3AF628355CFA}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1796)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FC480CE6-7BF8-4746-98C8-3AF628355CFA}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1284)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F60BE8-AB9A-4FD4-9EC4-5E87EA96D33F}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 432)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F60BE8-AB9A-4FD4-9EC4-5E87EA96D33F}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1100)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F15D738-5700-413E-9EEF-3637AB4FF2EF}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1784)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F15D738-5700-413E-9EEF-3637AB4FF2EF}'" delete
  - C:\Windows\system32\cmd.exe (PID 1356)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6D88617-CCF5-44E0-AA8C-B3F8B7DD9019}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1692)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6D88617-CCF5-44E0-AA8C-B3F8B7DD9019}'" delete
  - C:\Windows\system32\cmd.exe (PID 1316)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0D9CA14-517F-4A54-83A6-AACDDA13C62B}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1684)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0D9CA14-517F-4A54-83A6-AACDDA13C62B}'" delete
  - C:\Windows\system32\cmd.exe (PID 1576)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8C005BC1-BE48-42C1-9C34-307FF08E60C1}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1708)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8C005BC1-BE48-42C1-9C34-307FF08E60C1}'" delete
  - C:\Windows\system32\cmd.exe (PID 1976)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8EC3A2D1-93B8-4FAA-A239-A2E677E992B7}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1792)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8EC3A2D1-93B8-4FAA-A239-A2E677E992B7}'" delete
  - C:\Windows\system32\cmd.exe (PID 604)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02B92A5B-2D27-4FB3-BA47-23DCD214B889}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 432)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02B92A5B-2D27-4FB3-BA47-23DCD214B889}'" delete
  - C:\Windows\system32\cmd.exe (PID 1312)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{534F491B-0DBF-4D04-AC13-4CC24D547D6E}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1784)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{534F491B-0DBF-4D04-AC13-4CC24D547D6E}'" delete
  - C:\Windows\system32\cmd.exe (PID 868)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{37EB72C0-B74C-415D-BF90-39B53DA00050}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 832)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{37EB72C0-B74C-415D-BF90-39B53DA00050}'" delete
  - C:\Windows\system32\cmd.exe (PID 1680)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B440E7F-7C28-42F4-B9A2-20A62BE38CAA}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1868)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B440E7F-7C28-42F4-B9A2-20A62BE38CAA}'" delete
  - C:\Windows\system32\cmd.exe (PID 1860)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BDF8F14-C923-453F-8BA7-E045149E61CD}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1640)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BDF8F14-C923-453F-8BA7-E045149E61CD}'" delete
- C:\Windows\system32\vssvc.exe (PID 1500)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
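The process tree above is what a detection for per-ID shadow-copy deletion has to match: WMIC.exe with a shadowcopy ... delete command line, launched through a cmd.exe wrapper from a process that is not an administrative tool, repeated once per shadow copy. The following is an added example, not code from the sandbox report or from any Conti tooling. It works over constructed process-creation events in the shape of Sysmon Event ID 1 records; the PIDs, image paths and WMIC command lines are taken from the report, while the timestamps, the parent PID 1000 for the top-level processes, the benign "shadowcopy list brief" event and the alert threshold are constructed assumptions. It resolves parents by the most recent creation of that PID before the child, because PID 432 is reused for two different WMIC.exe instances in the report, and keying on PID alone would merge them.

```python
"""Detect per-ID shadow-copy deletion chains (sample -> cmd.exe -> WMIC.exe).

Added example, not code from the sandbox report. Events are constructed in
the shape of Sysmon Event ID 1 records: PIDs, images and WMIC command lines
come from the report; timestamps, parent PID 1000, the benign WMIC 'list'
event and the threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches WMIC shadow-copy deletion regardless of path or casing.
SHADOWCOPY_DELETE = re.compile(
    r"wmic(?:\.exe)?\s+shadowcopy\s+where\s+.*?\bdelete\b", re.IGNORECASE
)
# Extracts the shadow copy GUID from ID='{...}'.
SHADOW_ID = re.compile(r"ID='(\{[0-9A-F-]{36}\})'", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # constructed monotonically increasing timestamp
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"


def _wmic_cmd(guid: str) -> str:
    # Reproduces the report's WMIC command line for one shadow copy ID.
    return WMIC + ' shadowcopy where "ID=\'' + guid + '\'" delete'


# Constructed events. PID 432 is deliberately reused, as in the report.
EVENTS = [
    ProcEvent(1, 1916, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2, 384, 1916, CMD, "cmd.exe /c " + _wmic_cmd("{FC480CE6-7BF8-4746-98C8-3AF628355CFA}")),
    ProcEvent(3, 1796, 384, WMIC, _wmic_cmd("{FC480CE6-7BF8-4746-98C8-3AF628355CFA}")),
    ProcEvent(4, 1284, 1916, CMD, "cmd.exe /c " + _wmic_cmd("{38F60BE8-AB9A-4FD4-9EC4-5E87EA96D33F}")),
    ProcEvent(5, 432, 1284, WMIC, _wmic_cmd("{38F60BE8-AB9A-4FD4-9EC4-5E87EA96D33F}")),
    ProcEvent(6, 604, 1916, CMD, "cmd.exe /c " + _wmic_cmd("{02B92A5B-2D27-4FB3-BA47-23DCD214B889}")),
    ProcEvent(7, 432, 604, WMIC, _wmic_cmd("{02B92A5B-2D27-4FB3-BA47-23DCD214B889}")),
    # Constructed benign activity: an operator listing shadow copies from a shell.
    ProcEvent(8, 2200, 1000, CMD, "cmd.exe"),
    ProcEvent(9, 2300, 2200, WMIC, WMIC + " shadowcopy list brief"),
]


def resolve_parent(ev, events):
    """Most recent creation event for ev.ppid that precedes ev, or None.
    PIDs are recycled (432 above), so a plain pid->event map would be wrong."""
    candidates = [e for e in events if e.pid == ev.ppid and e.ts < ev.ts]
    return max(candidates, key=lambda e: e.ts, default=None)


def ancestry(ev, events, max_depth=8):
    """Return [ev, parent, grandparent, ...] up to max_depth hops."""
    chain = [ev]
    cur = ev
    while cur is not None and len(chain) <= max_depth:
        cur = resolve_parent(cur, events)
        if cur is not None:
            chain.append(cur)
    return chain


def find_shadowcopy_deletions(events):
    """Map each originating process PID to the set of shadow copy IDs it deleted via WMIC."""
    by_origin = defaultdict(set)
    for ev in events:
        if not ev.image.lower().endswith("wmic.exe"):
            continue
        if not SHADOWCOPY_DELETE.search(ev.cmdline):
            continue
        chain = ancestry(ev, events)
        # Skip cmd.exe wrappers; the first non-shell ancestor is the real origin.
        origin = next((e for e in chain[1:] if not e.image.lower().endswith("cmd.exe")), None)
        origin_pid = origin.pid if origin is not None else ev.ppid
        for guid in SHADOW_ID.findall(ev.cmdline):
            by_origin[origin_pid].add(guid.upper())
    return dict(by_origin)


def alerts(events, threshold=2):
    """Alert on any origin that deleted >= threshold distinct shadow copies.
    One WMIC call per ID means the count climbs quickly during a Conti run."""
    return {
        pid: sorted(ids)
        for pid, ids in find_shadowcopy_deletions(events).items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for pid, ids in alerts(EVENTS).items():
        print(f"origin PID {pid} deleted {len(ids)} shadow copies: {ids}")
```

On the constructed input the only alert is for PID 1916 with three shadow copy IDs; the benign "shadowcopy list brief" event is ignored because it lacks the delete verb. A lower threshold (1) trades noise for speed; the per-ID pattern in this report means the first deletion alone is already a strong signal when the origin is not a backup or administration tool.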
Network
MITRE ATT&CK Enterprise v6
Downloads
-
memory/384-55-0x0000000000000000-mapping.dmp
-
memory/432-58-0x0000000000000000-mapping.dmp
-
memory/432-70-0x0000000000000000-mapping.dmp
-
memory/604-69-0x0000000000000000-mapping.dmp
-
memory/832-74-0x0000000000000000-mapping.dmp
-
memory/868-73-0x0000000000000000-mapping.dmp
-
memory/1100-59-0x0000000000000000-mapping.dmp
-
memory/1284-57-0x0000000000000000-mapping.dmp
-
memory/1312-71-0x0000000000000000-mapping.dmp
-
memory/1316-63-0x0000000000000000-mapping.dmp
-
memory/1356-61-0x0000000000000000-mapping.dmp
-
memory/1576-65-0x0000000000000000-mapping.dmp
-
memory/1640-78-0x0000000000000000-mapping.dmp
-
memory/1680-75-0x0000000000000000-mapping.dmp
-
memory/1684-64-0x0000000000000000-mapping.dmp
-
memory/1692-62-0x0000000000000000-mapping.dmp
-
memory/1708-66-0x0000000000000000-mapping.dmp
-
memory/1784-60-0x0000000000000000-mapping.dmp
-
memory/1784-72-0x0000000000000000-mapping.dmp
-
memory/1792-68-0x0000000000000000-mapping.dmp
-
memory/1796-56-0x0000000000000000-mapping.dmp
-
memory/1860-77-0x0000000000000000-mapping.dmp
-
memory/1868-76-0x0000000000000000-mapping.dmp
-
memory/1916-54-0x0000000075241000-0x0000000075243000-memory.dmp, Filesize 8KB
-
memory/1976-67-0x0000000000000000-mapping.dmp