conti | 6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3

Analysis

max time kernel
161s
max time network
164s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
Size

194KB
MD5

91185817b6a6c96f9730dbe0cab30a8a
SHA1

af9d4627271a3627ead14999857e19d3925264e2
SHA256

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5
SHA512

36543836a6b855d186058b10255fde814777b7ab3f18ce4622ef31277192381098c4e13162763bdeec3dd7dc6f314c39e77c1cc30214a47fc3616524dec6290f

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BlockImport.tiff	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\InstallClear.crw => C:\Users\Admin\Pictures\InstallClear.crw.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\MoveSave.crw => C:\Users\Admin\Pictures\MoveSave.crw.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\ResetRead.raw => C:\Users\Admin\Pictures\ResetRead.raw.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\ResetGroup.png => C:\Users\Admin\Pictures\ResetGroup.png.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\SearchSelect.tif => C:\Users\Admin\Pictures\SearchSelect.tif.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\UpdateStart.png => C:\Users\Admin\Pictures\UpdateStart.png.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\DebugTrace.tif => C:\Users\Admin\Pictures\DebugTrace.tif.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\ImportEnter.raw => C:\Users\Admin\Pictures\ImportEnter.raw.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\RenameGroup.raw => C:\Users\Admin\Pictures\RenameGroup.raw.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\UseExport.png => C:\Users\Admin\Pictures\UseExport.png.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File renamed	C:\Users\Admin\Pictures\GrantMount.tif => C:\Users\Admin\Pictures\GrantMount.tif.AGKBR	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

Drops startup file 1 IoCs

Processes:

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@3x.png	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansRegular.ttf	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-actions.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock@3x.png	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\WatchImport.7z	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\readme.txt	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

pid	process
900	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
900	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: 36	1660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: 36	1660	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 1424	900	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe	cmd.exe
PID 900 wrote to memory of 1424	900	3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe	cmd.exe
PID 1424 wrote to memory of 1660	1424	cmd.exe	WMIC.exe
PID 1424 wrote to memory of 1660	1424	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe
"C:\Users\Admin\AppData\Local\Temp\3e2ce6fd7b53224df92581b800ce9a6605eae878d4165df9ae8f73a488be3fa5.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-114-0x0000000000000000-mapping.dmp

Download
memory/1660-115-0x0000000000000000-mapping.dmp

Download