fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample

General
Target

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

Filesize

194KB

Completed

26-09-2021 12:46

Score
10 /10
MD5

aceec8b8d93705b4983d3cf9cda3f805

SHA1

946d3f00ea84cc3cdb4222cdc811e3eaca82ace8

SHA256

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86

Malware Config

Extracted

Path C:\readme.txt
Family conti
Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- zxvgI2EJXCbBsLXOWyZC76LDtOCLHneJVbjaZVY6AQsYgVvGXRO6q8z0oRH1rIMZ ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures 7

Filter: none

Collection
Credential Access
  • Conti Ransomware

    Description

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\ExitFind.crw => C:\Users\Admin\Pictures\ExitFind.crw.UHIPVfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\ImportDebug.tif => C:\Users\Admin\Pictures\ImportDebug.tif.UHIPVfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\NewReset.raw => C:\Users\Admin\Pictures\NewReset.raw.UHIPVfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Drops file in Program Files directory
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFGfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Europe\Praguefe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICOfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.muife6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSSfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritiusfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBHW6.CHMfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCD11.POCfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.cssfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.icofe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\ja.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.XMLfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xmlfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.cssfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPDfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.giffe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mofe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmpfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPGfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107514.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\America\Crestonfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Common Files\System\ado\msadomd28.tlbfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabatfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\CompareWatch.odtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\id.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\VideoLAN\VLC\lua\meta\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAEfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xslfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jre7\lib\zi\Asia\Macaufe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havanafe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\TestClear.mpegfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Suspicious behavior: EnumeratesProcesses
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Reported IOCs

    pidprocess
    2000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exeWMIC.exeWMIC.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege1524vssvc.exe
    Token: SeRestorePrivilege1524vssvc.exe
    Token: SeAuditPrivilege1524vssvc.exe
    Token: SeIncreaseQuotaPrivilege1756WMIC.exe
    Token: SeSecurityPrivilege1756WMIC.exe
    Token: SeTakeOwnershipPrivilege1756WMIC.exe
    Token: SeLoadDriverPrivilege1756WMIC.exe
    Token: SeSystemProfilePrivilege1756WMIC.exe
    Token: SeSystemtimePrivilege1756WMIC.exe
    Token: SeProfSingleProcessPrivilege1756WMIC.exe
    Token: SeIncBasePriorityPrivilege1756WMIC.exe
    Token: SeCreatePagefilePrivilege1756WMIC.exe
    Token: SeBackupPrivilege1756WMIC.exe
    Token: SeRestorePrivilege1756WMIC.exe
    Token: SeShutdownPrivilege1756WMIC.exe
    Token: SeDebugPrivilege1756WMIC.exe
    Token: SeSystemEnvironmentPrivilege1756WMIC.exe
    Token: SeRemoteShutdownPrivilege1756WMIC.exe
    Token: SeUndockPrivilege1756WMIC.exe
    Token: SeManageVolumePrivilege1756WMIC.exe
    Token: 331756WMIC.exe
    Token: 341756WMIC.exe
    Token: 351756WMIC.exe
    Token: SeIncreaseQuotaPrivilege1756WMIC.exe
    Token: SeSecurityPrivilege1756WMIC.exe
    Token: SeTakeOwnershipPrivilege1756WMIC.exe
    Token: SeLoadDriverPrivilege1756WMIC.exe
    Token: SeSystemProfilePrivilege1756WMIC.exe
    Token: SeSystemtimePrivilege1756WMIC.exe
    Token: SeProfSingleProcessPrivilege1756WMIC.exe
    Token: SeIncBasePriorityPrivilege1756WMIC.exe
    Token: SeCreatePagefilePrivilege1756WMIC.exe
    Token: SeBackupPrivilege1756WMIC.exe
    Token: SeRestorePrivilege1756WMIC.exe
    Token: SeShutdownPrivilege1756WMIC.exe
    Token: SeDebugPrivilege1756WMIC.exe
    Token: SeSystemEnvironmentPrivilege1756WMIC.exe
    Token: SeRemoteShutdownPrivilege1756WMIC.exe
    Token: SeUndockPrivilege1756WMIC.exe
    Token: SeManageVolumePrivilege1756WMIC.exe
    Token: 331756WMIC.exe
    Token: 341756WMIC.exe
    Token: 351756WMIC.exe
    Token: SeIncreaseQuotaPrivilege1620WMIC.exe
    Token: SeSecurityPrivilege1620WMIC.exe
    Token: SeTakeOwnershipPrivilege1620WMIC.exe
    Token: SeLoadDriverPrivilege1620WMIC.exe
    Token: SeSystemProfilePrivilege1620WMIC.exe
    Token: SeSystemtimePrivilege1620WMIC.exe
    Token: SeProfSingleProcessPrivilege1620WMIC.exe
    Token: SeIncBasePriorityPrivilege1620WMIC.exe
    Token: SeCreatePagefilePrivilege1620WMIC.exe
    Token: SeBackupPrivilege1620WMIC.exe
    Token: SeRestorePrivilege1620WMIC.exe
    Token: SeShutdownPrivilege1620WMIC.exe
    Token: SeDebugPrivilege1620WMIC.exe
    Token: SeSystemEnvironmentPrivilege1620WMIC.exe
    Token: SeRemoteShutdownPrivilege1620WMIC.exe
    Token: SeUndockPrivilege1620WMIC.exe
    Token: SeManageVolumePrivilege1620WMIC.exe
    Token: 331620WMIC.exe
    Token: 341620WMIC.exe
    Token: 351620WMIC.exe
    Token: SeIncreaseQuotaPrivilege1620WMIC.exe
  • Suspicious use of WriteProcessMemory
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2000 wrote to memory of 17082000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 17082000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 17082000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 17082000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1708 wrote to memory of 17561708cmd.exeWMIC.exe
    PID 1708 wrote to memory of 17561708cmd.exeWMIC.exe
    PID 1708 wrote to memory of 17561708cmd.exeWMIC.exe
    PID 2000 wrote to memory of 13002000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 13002000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 13002000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 13002000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1300 wrote to memory of 16201300cmd.exeWMIC.exe
    PID 1300 wrote to memory of 16201300cmd.exeWMIC.exe
    PID 1300 wrote to memory of 16201300cmd.exeWMIC.exe
    PID 2000 wrote to memory of 19042000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19042000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19042000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19042000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1904 wrote to memory of 18361904cmd.exeWMIC.exe
    PID 1904 wrote to memory of 18361904cmd.exeWMIC.exe
    PID 1904 wrote to memory of 18361904cmd.exeWMIC.exe
    PID 2000 wrote to memory of 18562000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 18562000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 18562000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 18562000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1856 wrote to memory of 7561856cmd.exeWMIC.exe
    PID 1856 wrote to memory of 7561856cmd.exeWMIC.exe
    PID 1856 wrote to memory of 7561856cmd.exeWMIC.exe
    PID 2000 wrote to memory of 19842000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19842000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19842000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 19842000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1984 wrote to memory of 19401984cmd.exeWMIC.exe
    PID 1984 wrote to memory of 19401984cmd.exeWMIC.exe
    PID 1984 wrote to memory of 19401984cmd.exeWMIC.exe
    PID 2000 wrote to memory of 11762000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 11762000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 11762000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 11762000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1176 wrote to memory of 19721176cmd.exeWMIC.exe
    PID 1176 wrote to memory of 19721176cmd.exeWMIC.exe
    PID 1176 wrote to memory of 19721176cmd.exeWMIC.exe
    PID 2000 wrote to memory of 14402000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 14402000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 14402000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 14402000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 1440 wrote to memory of 14441440cmd.exeWMIC.exe
    PID 1440 wrote to memory of 14441440cmd.exeWMIC.exe
    PID 1440 wrote to memory of 14441440cmd.exeWMIC.exe
    PID 2000 wrote to memory of 6202000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6202000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6202000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6202000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 620 wrote to memory of 1628620cmd.exeWMIC.exe
    PID 620 wrote to memory of 1628620cmd.exeWMIC.exe
    PID 620 wrote to memory of 1628620cmd.exeWMIC.exe
    PID 2000 wrote to memory of 6322000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6322000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6322000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2000 wrote to memory of 6322000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 632 wrote to memory of 1616632cmd.exeWMIC.exe
    PID 632 wrote to memory of 1616632cmd.exeWMIC.exe
    PID 632 wrote to memory of 1616632cmd.exeWMIC.exe
    PID 2000 wrote to memory of 19802000fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
Processes 24
  • C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"
    Modifies extensions of user files
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
      Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
        Suspicious use of AdjustPrivilegeToken
        PID:1756
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
      Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
        Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
      Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
        PID:1836
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
      Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
        PID:756
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
      Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
        PID:1940
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
      Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
        PID:1972
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
      Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
        PID:1444
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
      Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
        PID:1628
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
      Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
        PID:1616
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
      PID:1980
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
        PID:1856
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
      PID:1212
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
        PID:1852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1524
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads
                      • memory/620-74-0x0000000000000000-mapping.dmp

                      • memory/632-76-0x0000000000000000-mapping.dmp

                      • memory/756-67-0x0000000000000000-mapping.dmp

                      • memory/1176-70-0x0000000000000000-mapping.dmp

                      • memory/1212-80-0x0000000000000000-mapping.dmp

                      • memory/1300-62-0x0000000000000000-mapping.dmp

                      • memory/1440-72-0x0000000000000000-mapping.dmp

                      • memory/1444-73-0x0000000000000000-mapping.dmp

                      • memory/1616-77-0x0000000000000000-mapping.dmp

                      • memory/1620-63-0x0000000000000000-mapping.dmp

                      • memory/1628-75-0x0000000000000000-mapping.dmp

                      • memory/1708-60-0x0000000000000000-mapping.dmp

                      • memory/1756-61-0x0000000000000000-mapping.dmp

                      • memory/1836-65-0x0000000000000000-mapping.dmp

                      • memory/1852-81-0x0000000000000000-mapping.dmp

                      • memory/1856-66-0x0000000000000000-mapping.dmp

                      • memory/1856-79-0x0000000000000000-mapping.dmp

                      • memory/1904-64-0x0000000000000000-mapping.dmp

                      • memory/1940-69-0x0000000000000000-mapping.dmp

                      • memory/1972-71-0x0000000000000000-mapping.dmp

                      • memory/1980-78-0x0000000000000000-mapping.dmp

                      • memory/1984-68-0x0000000000000000-mapping.dmp

                      • memory/2000-59-0x0000000075D11000-0x0000000075D13000-memory.dmp