conti | fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86

General

Target

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
Size

194KB
MD5

aceec8b8d93705b4983d3cf9cda3f805
SHA1

946d3f00ea84cc3cdb4222cdc811e3eaca82ace8
SHA256

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86
SHA512

0a79d75d0d832bcac027f4d03ecf3e77ccfbf53af269bff09b4887f8a4b01624e5dbdc454b315159cea8923035ed14c165ed7458e75835176cc2860185eea648

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- zxvgI2EJXCbBsLXOWyZC76LDtOCLHneJVbjaZVY6AQsYgVvGXRO6q8z0oRH1rIMZ ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitFind.crw => C:\Users\Admin\Pictures\ExitFind.crw.UHIPV	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ImportDebug.tif => C:\Users\Admin\Pictures\ImportDebug.tif.UHIPV	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\NewReset.raw => C:\Users\Admin\Pictures\NewReset.raw.UHIPV	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICO	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBHW6.CHM	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD11.POC	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.ico	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XML	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\CompareWatch.odt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\readme.txt	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files\TestClear.mpeg	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

pid process

2000 fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

pid	process
2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1708	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1708	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1708	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1708	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1708 wrote to memory of 1756	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 1756	1708	cmd.exe	WMIC.exe
PID 1708 wrote to memory of 1756	1708	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1300	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1300	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1300	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1300	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1300 wrote to memory of 1620	1300	cmd.exe	WMIC.exe
PID 1300 wrote to memory of 1620	1300	cmd.exe	WMIC.exe
PID 1300 wrote to memory of 1620	1300	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1904	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1904	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1904	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1904	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1904 wrote to memory of 1836	1904	cmd.exe	WMIC.exe
PID 1904 wrote to memory of 1836	1904	cmd.exe	WMIC.exe
PID 1904 wrote to memory of 1836	1904	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1856	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1856	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1856	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1856	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1856 wrote to memory of 756	1856	cmd.exe	WMIC.exe
PID 1856 wrote to memory of 756	1856	cmd.exe	WMIC.exe
PID 1856 wrote to memory of 756	1856	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1984	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1984	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1984	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1984	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1984 wrote to memory of 1940	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 1940	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 1940	1984	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1176	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1176	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1176	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1176	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1176 wrote to memory of 1972	1176	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1972	1176	cmd.exe	WMIC.exe
PID 1176 wrote to memory of 1972	1176	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1440	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1440	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1440	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 1440	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 1440 wrote to memory of 1444	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1444	1440	cmd.exe	WMIC.exe
PID 1440 wrote to memory of 1444	1440	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 620	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 620	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 620	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 620	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 620 wrote to memory of 1628	620	cmd.exe	WMIC.exe
PID 620 wrote to memory of 1628	620	cmd.exe	WMIC.exe
PID 620 wrote to memory of 1628	620	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 632	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 632	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 632	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 2000 wrote to memory of 632	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe
PID 632 wrote to memory of 1616	632	cmd.exe	WMIC.exe
PID 632 wrote to memory of 1616	632	cmd.exe	WMIC.exe
PID 632 wrote to memory of 1616	632	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 1980	2000	fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
3⤵
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
3⤵
PID:756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
3⤵
PID:1940

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
3⤵
PID:1972

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
3⤵
PID:1444

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
3⤵
PID:1628

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
3⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
2⤵
PID:1980

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
3⤵
PID:1856

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
2⤵
PID:1212

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
3⤵
PID:1852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-74-0x0000000000000000-mapping.dmp

Download
memory/632-76-0x0000000000000000-mapping.dmp

Download
memory/756-67-0x0000000000000000-mapping.dmp

Download
memory/1176-70-0x0000000000000000-mapping.dmp

Download
memory/1212-80-0x0000000000000000-mapping.dmp

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1440-72-0x0000000000000000-mapping.dmp

Download
memory/1444-73-0x0000000000000000-mapping.dmp

Download
memory/1616-77-0x0000000000000000-mapping.dmp

Download
memory/1620-63-0x0000000000000000-mapping.dmp

Download
memory/1628-75-0x0000000000000000-mapping.dmp

Download
memory/1708-60-0x0000000000000000-mapping.dmp

Download
memory/1756-61-0x0000000000000000-mapping.dmp

Download
memory/1836-65-0x0000000000000000-mapping.dmp

Download
memory/1852-81-0x0000000000000000-mapping.dmp

Download
memory/1856-66-0x0000000000000000-mapping.dmp

Download
memory/1856-79-0x0000000000000000-mapping.dmp

Download
memory/1904-64-0x0000000000000000-mapping.dmp

Download
memory/1940-69-0x0000000000000000-mapping.dmp

Download
memory/1972-71-0x0000000000000000-mapping.dmp

Download
memory/1980-78-0x0000000000000000-mapping.dmp

Download
memory/1984-68-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads