conti | d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0

General

Target

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
Size

194KB
MD5

b633567b5bcde20a1e18a0c35869ba07
SHA1

18f052cb6f0cef8c4d7c4e3e60b8c91b10e4aa63
SHA256

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0
SHA512

5feab5ee400d62192d6fd3a7e2d7a9ba62ca32bcbf0d11335fdcbd82f0d02d94ad44ef95bec76a88e5dbf8fe09d27b4648017cb707627fadb7d1f6449072be43

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- 0Y2bUdHGJV86rTP8Tu27AgfN91oYLnc2GES6JjNUJY6Wy4r1DIzS2E7P7QpX2VVe ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\StepLock.raw => C:\Users\Admin\Pictures\StepLock.raw.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UpdateConvertFrom.tif => C:\Users\Admin\Pictures\UpdateConvertFrom.tif.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchUse.raw => C:\Users\Admin\Pictures\WatchUse.raw.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\EnterAdd.tif => C:\Users\Admin\Pictures\EnterAdd.tif.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ExitGroup.crw => C:\Users\Admin\Pictures\ExitGroup.crw.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\LockOut.tiff	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\LockOut.tiff => C:\Users\Admin\Pictures\LockOut.tiff.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MeasureGrant.png => C:\Users\Admin\Pictures\MeasureGrant.png.MABDG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

Drops startup file 1 IoCs

Processes:

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\93.0.4577.63\Locales\el.pak	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.password.template	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\download-btn.png	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.png	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\readme.txt	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

pid	process
4008	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
4008	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	4052	vssvc.exe
Token: SeRestorePrivilege	4052	vssvc.exe
Token: SeAuditPrivilege	4052	vssvc.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: 36	976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: 36	976	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.execmd.exe

description	pid	process	target process
PID 4008 wrote to memory of 2840	4008	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe	cmd.exe
PID 4008 wrote to memory of 2840	4008	d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe	cmd.exe
PID 2840 wrote to memory of 976	2840	cmd.exe	WMIC.exe
PID 2840 wrote to memory of 976	2840	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-116-0x0000000000000000-mapping.dmp

Download
memory/2840-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads