Analysis
- max time kernel: 96s
- max time network: 67s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-09-2021 12:42

Static task: static1

Behavioral task: behavioral1
- Sample: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Resource: win10-en-20210920

General
- Target: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Size: 194KB
- MD5: aceec8b8d93705b4983d3cf9cda3f805
- SHA1: 946d3f00ea84cc3cdb4222cdc811e3eaca82ace8
- SHA256: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86
- SHA512: 0a79d75d0d832bcac027f4d03ecf3e77ccfbf53af269bff09b4887f8a4b01624e5dbdc454b315159cea8923035ed14c165ed7458e75835176cc2860185eea648
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  - File renamed: C:\Users\Admin\Pictures\ExitFind.crw => C:\Users\Admin\Pictures\ExitFind.crw.UHIPV
  - File renamed: C:\Users\Admin\Pictures\ImportDebug.tif => C:\Users\Admin\Pictures\ImportDebug.tif.UHIPV
  - File renamed: C:\Users\Admin\Pictures\NewReset.raw => C:\Users\Admin\Pictures\NewReset.raw.UHIPV
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - pid 2000: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  - Child: C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    - Child: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6