Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-09-2021 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Resource: win10-en-20210920
General
- Target: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Size: 517KB
- MD5: 4eaaf31a7ff227a52fb036ed30103c79
- SHA1: eef0ee30efb1a0595a5a1633e08dcdf65a94a3c4
- SHA256: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754
- SHA512: 917707ea12dc5ec296e41d25797dcafdda525eaaee768137926df11699cad07f8176567ecd0969e471ebced0e00932bf3aa270a9d177de814d6c003ff7d18e73
Malware Config
Extracted
- C:\readme.txt
- conti
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\PingJoin.tif => C:\Users\Admin\Pictures\PingJoin.tif.BGQHM | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\PopEnter.raw => C:\Users\Admin\Pictures\PopEnter.raw.BGQHM | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\RemoveGroup.png => C:\Users\Admin\Pictures\RemoveGroup.png.BGQHM | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\UseRedo.raw => C:\Users\Admin\Pictures\UseRedo.raw.BGQHM | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\CompleteGroup.tiff | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\CompleteGroup.tiff => C:\Users\Admin\Pictures\CompleteGroup.tiff.BGQHM | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Drops startup file (1 IoC)
  Processes: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  All 64 entries below were recorded for process 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe.
  description | ioc
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\readme.txt
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\readme.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us.gif
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms
  File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\readme.txt
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\readme.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png
  File created | C:\Program Files\VideoLAN\VLC\locale\fur\readme.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\readme.txt
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\readme.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark2x.png
  File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json
  File created | C:\Program Files\Common Files\microsoft shared\ink\es-MX\readme.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\readme.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\readme.txt
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\readme.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js
  File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt
  File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\readme.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\readme.txt
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\PREVIEW.GIF
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\PREVIEW.GIF
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt_get.svg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\readme.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main-selector.css
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\readme.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\readme.txt
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  pid | process
  300 | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  300 | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeBackupPrivilege | 3644 | vssvc.exe
  Token: SeRestorePrivilege | 3644 | vssvc.exe
  Token: SeAuditPrivilege | 3644 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4044 | WMIC.exe
  Token: SeSecurityPrivilege | 4044 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4044 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4044 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4044 | WMIC.exe
  Token: SeSystemtimePrivilege | 4044 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4044 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4044 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4044 | WMIC.exe
  Token: SeBackupPrivilege | 4044 | WMIC.exe
  Token: SeRestorePrivilege | 4044 | WMIC.exe
  Token: SeShutdownPrivilege | 4044 | WMIC.exe
  Token: SeDebugPrivilege | 4044 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4044 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4044 | WMIC.exe
  Token: SeUndockPrivilege | 4044 | WMIC.exe
  Token: SeManageVolumePrivilege | 4044 | WMIC.exe
  Token: 33 | 4044 | WMIC.exe
  Token: 34 | 4044 | WMIC.exe
  Token: 35 | 4044 | WMIC.exe
  Token: 36 | 4044 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 4044 | WMIC.exe
  Token: SeSecurityPrivilege | 4044 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4044 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4044 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4044 | WMIC.exe
  Token: SeSystemtimePrivilege | 4044 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4044 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4044 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4044 | WMIC.exe
  Token: SeBackupPrivilege | 4044 | WMIC.exe
  Token: SeRestorePrivilege | 4044 | WMIC.exe
  Token: SeShutdownPrivilege | 4044 | WMIC.exe
  Token: SeDebugPrivilege | 4044 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4044 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4044 | WMIC.exe
  Token: SeUndockPrivilege | 4044 | WMIC.exe
  Token: SeManageVolumePrivilege | 4044 | WMIC.exe
  Token: 33 | 4044 | WMIC.exe
  Token: 34 | 4044 | WMIC.exe
  Token: 35 | 4044 | WMIC.exe
  Token: 36 | 4044 | WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe, cmd.exe
  description | pid | process | target process
  PID 300 wrote to memory of 4080 | 300 | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe | cmd.exe
  PID 300 wrote to memory of 4080 | 300 | 11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe | cmd.exe
  PID 4080 wrote to memory of 4044 | 4080 | cmd.exe | WMIC.exe
  PID 4080 wrote to memory of 4044 | 4080 | cmd.exe | WMIC.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d1bda99c350ee4d82c6e53ca9a1c1c76bc5b9e3148853899cc04d1d00e9754.bin.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken