Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 12:42
Static task
static1
Behavioral task
behavioral1
Sample
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
Resource
win10-en-20210920
General
-
Target
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
-
Size
194KB
-
MD5
aceec8b8d93705b4983d3cf9cda3f805
-
SHA1
946d3f00ea84cc3cdb4222cdc811e3eaca82ace8
-
SHA256
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86
-
SHA512
0a79d75d0d832bcac027f4d03ecf3e77ccfbf53af269bff09b4887f8a4b01624e5dbdc454b315159cea8923035ed14c165ed7458e75835176cc2860185eea648
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\NewSend.tiff => C:\Users\Admin\Pictures\NewSend.tiff.UHIPV fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File renamed C:\Users\Admin\Pictures\WriteResize.raw => C:\Users\Admin\Pictures\WriteResize.raw.UHIPV fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\NewSend.tiff fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe -
Drops startup file 1 IoCs
Processes:
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exedescription ioc process File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files\Microsoft Office\root\rsod\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIF fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.css fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INF fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files\Uninstall Information\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\ui-strings.js fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\readme.txt fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exepid process 2352 fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe 2352 fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
vssvc.exeWMIC.exedescription pid process Token: SeBackupPrivilege 2728 vssvc.exe Token: SeRestorePrivilege 2728 vssvc.exe Token: SeAuditPrivilege 2728 vssvc.exe Token: SeIncreaseQuotaPrivilege 2220 WMIC.exe Token: SeSecurityPrivilege 2220 WMIC.exe Token: SeTakeOwnershipPrivilege 2220 WMIC.exe Token: SeLoadDriverPrivilege 2220 WMIC.exe Token: SeSystemProfilePrivilege 2220 WMIC.exe Token: SeSystemtimePrivilege 2220 WMIC.exe Token: SeProfSingleProcessPrivilege 2220 WMIC.exe Token: SeIncBasePriorityPrivilege 2220 WMIC.exe Token: SeCreatePagefilePrivilege 2220 WMIC.exe Token: SeBackupPrivilege 2220 WMIC.exe Token: SeRestorePrivilege 2220 WMIC.exe Token: SeShutdownPrivilege 2220 WMIC.exe Token: SeDebugPrivilege 2220 WMIC.exe Token: SeSystemEnvironmentPrivilege 2220 WMIC.exe Token: SeRemoteShutdownPrivilege 2220 WMIC.exe Token: SeUndockPrivilege 2220 WMIC.exe Token: SeManageVolumePrivilege 2220 WMIC.exe Token: 33 2220 WMIC.exe Token: 34 2220 WMIC.exe Token: 35 2220 WMIC.exe Token: 36 2220 WMIC.exe Token: SeIncreaseQuotaPrivilege 2220 WMIC.exe Token: SeSecurityPrivilege 2220 WMIC.exe Token: SeTakeOwnershipPrivilege 2220 WMIC.exe Token: SeLoadDriverPrivilege 2220 WMIC.exe Token: SeSystemProfilePrivilege 2220 WMIC.exe Token: SeSystemtimePrivilege 2220 WMIC.exe Token: SeProfSingleProcessPrivilege 2220 WMIC.exe Token: SeIncBasePriorityPrivilege 2220 WMIC.exe Token: SeCreatePagefilePrivilege 2220 WMIC.exe Token: SeBackupPrivilege 2220 WMIC.exe Token: SeRestorePrivilege 2220 WMIC.exe Token: SeShutdownPrivilege 2220 WMIC.exe Token: SeDebugPrivilege 2220 WMIC.exe Token: SeSystemEnvironmentPrivilege 2220 WMIC.exe Token: SeRemoteShutdownPrivilege 2220 WMIC.exe Token: SeUndockPrivilege 2220 WMIC.exe Token: SeManageVolumePrivilege 2220 WMIC.exe Token: 33 2220 WMIC.exe Token: 34 2220 WMIC.exe Token: 35 2220 WMIC.exe Token: 36 2220 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exedescription pid process target process PID 2352 wrote to memory of 4068 2352 fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe cmd.exe PID 2352 wrote to memory of 4068 2352 fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe cmd.exe PID 4068 wrote to memory of 2220 4068 cmd.exe WMIC.exe PID 4068 wrote to memory of 2220 4068 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken