Analysis

max time kernel: 96s
max time network: 136s
platform: windows10_x64
resource: win10-en
submitted: 20-09-2021 11:17

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
  Resource: win7-en-20210916
Behavioral task: behavioral2
  Sample: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
  Resource: win10-en

The results below are from the win10-en (windows10_x64) run.
General

Target: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
Size: 194KB
MD5: b633567b5bcde20a1e18a0c35869ba07
SHA1: 18f052cb6f0cef8c4d7c4e3e60b8c91b10e4aa63
SHA256: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0
SHA512: 5feab5ee400d62192d6fd3a7e2d7a9ba62ca32bcbf0d11335fdcbd82f0d02d94ad44ef95bec76a88e5dbf8fe09d27b4648017cb707627fadb7d1f6449072be43
Malware Config

Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click

The config was extracted from the dropped ransom note (readme.txt), not from network traffic: the two URLs are the victim negotiation portal (Tor address plus clearnet mirror) that the note points to, so they are ransom-note indicators rather than command-and-control addresses.
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files. In this run every encrypted file kept its original name and got ".MABDG" appended; the suffix is the same for all file types, so it is a per-run marker rather than a per-file-type one.
Processes:
Process (every row): d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
description | ioc
File renamed | C:\Users\Admin\Pictures\StepLock.raw => C:\Users\Admin\Pictures\StepLock.raw.MABDG
File renamed | C:\Users\Admin\Pictures\UpdateConvertFrom.tif => C:\Users\Admin\Pictures\UpdateConvertFrom.tif.MABDG
File renamed | C:\Users\Admin\Pictures\WatchUse.raw => C:\Users\Admin\Pictures\WatchUse.raw.MABDG
File renamed | C:\Users\Admin\Pictures\EnterAdd.tif => C:\Users\Admin\Pictures\EnterAdd.tif.MABDG
File renamed | C:\Users\Admin\Pictures\ExitGroup.crw => C:\Users\Admin\Pictures\ExitGroup.crw.MABDG
File opened for modification | C:\Users\Admin\Pictures\LockOut.tiff
File renamed | C:\Users\Admin\Pictures\LockOut.tiff => C:\Users\Admin\Pictures\LockOut.tiff.MABDG
File renamed | C:\Users\Admin\Pictures\MeasureGrant.png => C:\Users\Admin\Pictures\MeasureGrant.png.MABDG
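The rename rows above, parsed the way a triage script would parse a sandbox IoC dump. This is an added example, not code from the sandbox or from the report: the input is the eight rows of this signature re-typed as a constructed string, and the ransomware heuristic (one suffix appended by one process across several unrelated original file types) and its threshold are the example's own choices.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = ("d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0"
          ".bin.sample.exe")
PICS = "C:\\Users\\Admin\\Pictures\\"

# Constructed input: the eight rows of the "Modifies extensions of user files"
# signature, re-typed in the sandbox's "description ioc process" layout.
IOC_TEXT = "\n".join([
    f"File renamed {PICS}StepLock.raw => {PICS}StepLock.raw.MABDG {SAMPLE}",
    f"File renamed {PICS}UpdateConvertFrom.tif => {PICS}UpdateConvertFrom.tif.MABDG {SAMPLE}",
    f"File renamed {PICS}WatchUse.raw => {PICS}WatchUse.raw.MABDG {SAMPLE}",
    f"File renamed {PICS}EnterAdd.tif => {PICS}EnterAdd.tif.MABDG {SAMPLE}",
    f"File renamed {PICS}ExitGroup.crw => {PICS}ExitGroup.crw.MABDG {SAMPLE}",
    f"File opened for modification {PICS}LockOut.tiff {SAMPLE}",
    f"File renamed {PICS}LockOut.tiff => {PICS}LockOut.tiff.MABDG {SAMPLE}",
    f"File renamed {PICS}MeasureGrant.png => {PICS}MeasureGrant.png.MABDG {SAMPLE}",
])

# src is everything before " => ", the process name is the last space-free
# token, dst is whatever sits between (paths with spaces still parse).
RENAME_RE = re.compile(r"^File renamed (?P<src>.+) => (?P<dst>.+?) (?P<proc>\S+)$")


def parse_renames(text):
    """Return (source, destination, process) for every 'File renamed' row;
    other row types ('File opened for modification', ...) are skipped."""
    rows = []
    for line in text.splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            rows.append((m["src"], m["dst"], m["proc"]))
    return rows


def appended_suffix(src, dst):
    """What the rename appended to the original name, or None when the
    destination is not 'source + suffix' (a move or an ordinary rename)."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def summarise_renames(text, min_types=3):
    """Reduce the rows to what matters for triage: the suffix the process kept
    appending, how many files got it, and how many distinct original file
    types were hit. One suffix landing on several unrelated types is the
    pattern behind the sandbox signature; min_types is this example's own
    threshold, not the sandbox's."""
    by_suffix = Counter()
    types_by_suffix = defaultdict(set)
    for src, dst, _proc in parse_renames(text):
        sfx = appended_suffix(src, dst)
        if sfx is None:
            continue
        by_suffix[sfx] += 1
        types_by_suffix[sfx].add(PureWindowsPath(src).suffix.lower())
    if not by_suffix:
        return {"suffix": None, "files": 0, "original_types": 0,
                "ransomware_like": False}
    suffix, files = by_suffix.most_common(1)[0]
    n_types = len(types_by_suffix[suffix])
    return {"suffix": suffix, "files": files, "original_types": n_types,
            "ransomware_like": files >= min_types and n_types >= min_types}


if __name__ == "__main__":
    print(summarise_renames(IOC_TEXT))
```

Run against the rows above it reports the suffix ".MABDG" on 7 files spanning 5 original types (.raw, .tif, .crw, .tiff, .png). The "File opened for modification" row is deliberately ignored: it is the pre-encryption open of LockOut.tiff, and the rename that follows it carries the information.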
Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
The dropped file is the readme.txt ransom note (the same file the config above was extracted from, and the same readme.txt that appears as "File created" in the Program Files rows below). It lands in the Word STARTUP folder because that directory was walked during encryption; the signature fires on the path pattern, and the report shows no other persistence mechanism.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are attached to this signature in the report; for a ransomware sample the more likely cause is the encryption walk opening browser profile files under the user's AppData, so treat it as a TTP hit rather than evidence of credential theft.
Drops file in Program Files directory (64 IoCs)
Processes:
Process (every row): d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
description | ioc
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml
File opened for modification | C:\Program Files\Google\Chrome\Application\93.0.4577.63\Locales\el.pak
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms
File created | C:\Program Files (x86)\Microsoft.NET\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\readme.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.password.template
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\readme.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4008 | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
4008 | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: vssvc.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 4052 | vssvc.exe
Token: SeRestorePrivilege | 4052 | vssvc.exe
Token: SeAuditPrivilege | 4052 | vssvc.exe
The following 21 rows for pid 976 are recorded twice, in the same order (42 IoCs):
Token: SeIncreaseQuotaPrivilege | 976 | WMIC.exe
Token: SeSecurityPrivilege | 976 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 976 | WMIC.exe
Token: SeLoadDriverPrivilege | 976 | WMIC.exe
Token: SeSystemProfilePrivilege | 976 | WMIC.exe
Token: SeSystemtimePrivilege | 976 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 976 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 976 | WMIC.exe
Token: SeCreatePagefilePrivilege | 976 | WMIC.exe
Token: SeBackupPrivilege | 976 | WMIC.exe
Token: SeRestorePrivilege | 976 | WMIC.exe
Token: SeShutdownPrivilege | 976 | WMIC.exe
Token: SeDebugPrivilege | 976 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 976 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 976 | WMIC.exe
Token: SeUndockPrivilege | 976 | WMIC.exe
Token: SeManageVolumePrivilege | 976 | WMIC.exe
Token: 33 | 976 | WMIC.exe
Token: 34 | 976 | WMIC.exe
Token: 35 | 976 | WMIC.exe
Token: 36 | 976 | WMIC.exe
The four numeric rows are privilege LUIDs the sandbox did not resolve to names (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege). WMIC.exe enabling every privilege its token holds is standard WMIC start-up behaviour rather than something this sample does, and vssvc.exe enabling SeBackup/SeRestore is the VSS service doing its normal work; the meaningful signal in this group is the WMIC command line and its parent chain in the process tree below, not the privilege list itself.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe, cmd.exe
description | pid | process | target process
PID 4008 wrote to memory of 2840 | 4008 | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe | cmd.exe
PID 4008 wrote to memory of 2840 | 4008 | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe | cmd.exe
PID 2840 wrote to memory of 976 | 2840 | cmd.exe | WMIC.exe
PID 2840 wrote to memory of 976 | 2840 | cmd.exe | WMIC.exe
These writes are the parent-to-child writes that accompany process creation (the sample starts cmd.exe, cmd.exe starts WMIC.exe), which is why the pairs line up with the process tree below; there is no sign of injection into an unrelated process.
Processes
(indentation shows the parent/child relationship; each entry lists the image, its command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wbem\WMIC.exe
          Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

The shadow copy deletion here goes through WMI rather than the more common "vssadmin delete shadows /all": the sample runs cmd.exe /c WMIC.exe with a "shadowcopy where ID=... delete" query that targets a single snapshot by its ID. The GUID is the ID of the snapshot that existed on the sandbox VM, so it is not a reusable indicator; the durable detection is the WMIC "shadowcopy ... delete" command line spawned by an unsigned executable in a user-writable directory. vssvc.exe appears as a separate top-level process because the VSS service is started on demand by the service control manager when the delete request arrives, not by the sample.
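Detection logic for the shadow copy deletion in the process tree above, as an added example that is not part of the report or the sandbox. It runs over constructed process-creation events: the PIDs, images and command lines are copied from the tree above, the parent PIDs of the sample and of vssvc.exe are assumed (they are not in the report), and two benign rows are added as controls. It goes beyond the WMIC form seen here to the vssadmin spellings of the same technique, and walks the parent chain so the alert names the executable that started the chain rather than cmd.exe or WMIC.exe.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or an EDR
    process event carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Paths and command lines taken from the process tree of this report.
SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0"
              ".bin.sample.exe")
WMIC_DELETE = ('C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where '
               '"ID=\'{15C15014-00CD-4D36-BD8D-1042E7A30F6F}\'" delete')

# Constructed telemetry. PIDs 4008/2840/976/4052 are the report's; the parent
# PIDs 3100 (assumed explorer.exe) and 688 (assumed services.exe) are not in
# the report. The last two rows are benign controls that must not fire.
EVENTS = [
    ProcEvent(4008, 3100, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2840, 4008, "C:\\Windows\\SYSTEM32\\cmd.exe", f"cmd.exe /c {WMIC_DELETE}"),
    ProcEvent(976, 2840, "C:\\Windows\\System32\\wbem\\WMIC.exe", WMIC_DELETE),
    ProcEvent(4052, 688, "C:\\Windows\\system32\\vssvc.exe", "C:\\Windows\\system32\\vssvc.exe"),
    ProcEvent(5100, 5000, "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy list brief"),
    ProcEvent(5200, 5000, "C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
]

# Shadow-copy destruction as it appears on the command line. The WMIC form is
# the one in this report; the vssadmin forms are the other common spellings.
# The snapshot GUID is deliberately not part of any pattern: it is unique to
# the machine and snapshot and would never match again.
SHADOW_DELETE = {
    "wmic shadowcopy delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "vssadmin delete shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin resize shadowstorage":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
}


def classify(cmdline):
    """Return the technique label the command line matches, or None."""
    for label, rx in SHADOW_DELETE.items():
        if rx.search(cmdline):
            return label
    return None


def ancestry(events, pid):
    """Image of pid followed by each known parent, innermost first, stopping
    when the chain leaves the telemetry we hold (or would loop)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_shadow_copy_deletion(events):
    """Flag every process whose own command line carries a shadow-copy
    deletion and attach its ancestry, so the alert points at the process that
    started the chain (here the sample in %TEMP%) and not only at the
    cmd.exe / WMIC.exe hop that executed it."""
    alerts = []
    for e in events:
        label = classify(e.cmdline)
        if label:
            alerts.append({"pid": e.pid, "image": e.image,
                           "technique": label, "chain": ancestry(events, e.pid)})
    return alerts


if __name__ == "__main__":
    for a in find_shadow_copy_deletion(EVENTS):
        print(a["pid"], a["technique"], " <- ".join(a["chain"]))
```

On the events above both cmd.exe (2840) and WMIC.exe (976) fire, because cmd.exe's own command line carries the WMIC query; the chain on the WMIC.exe alert ends at the sample in the user's Temp directory, which is the process worth isolating. The two "list" controls and vssvc.exe do not fire.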