fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample

General
Target

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

Filesize

194KB

Completed

26-09-2021 12:45

Score
10 /10
MD5

aceec8b8d93705b4983d3cf9cda3f805

SHA1

946d3f00ea84cc3cdb4222cdc811e3eaca82ace8

SHA256

fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86

Malware Config

Extracted

Path C:\readme.txt
Family conti
Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- zxvgI2EJXCbBsLXOWyZC76LDtOCLHneJVbjaZVY6AQsYgVvGXRO6q8z0oRH1rIMZ ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures 8

Filter: none

Collection
Credential Access
  • Conti Ransomware

    Description

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\NewSend.tiff => C:\Users\Admin\Pictures\NewSend.tiff.UHIPVfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\WriteResize.raw => C:\Users\Admin\Pictures\WriteResize.raw.UHIPVfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\NewSend.tifffe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Drops startup file
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Drops file in Program Files directory
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Microsoft Office\root\rsod\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Common Files\microsoft shared\ink\en-GB\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hiddenfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xmlfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEXfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.giffe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\ast.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHMfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svgfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\PREVIEW.GIFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main.cssfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xmlfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xmlfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svgfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svgfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svgfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xslfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.pngfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\7-Zip\Lang\gl.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files\Uninstall Information\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfcfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTFfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\ui-strings.jsfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svgfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-msfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avife6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jarfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xslfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.giffe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File createdC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\readme.txtfe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    File opened for modificationC:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mofe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Suspicious behavior: EnumeratesProcesses
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe

    Reported IOCs

    pidprocess
    2352fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    2352fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exeWMIC.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege2728vssvc.exe
    Token: SeRestorePrivilege2728vssvc.exe
    Token: SeAuditPrivilege2728vssvc.exe
    Token: SeIncreaseQuotaPrivilege2220WMIC.exe
    Token: SeSecurityPrivilege2220WMIC.exe
    Token: SeTakeOwnershipPrivilege2220WMIC.exe
    Token: SeLoadDriverPrivilege2220WMIC.exe
    Token: SeSystemProfilePrivilege2220WMIC.exe
    Token: SeSystemtimePrivilege2220WMIC.exe
    Token: SeProfSingleProcessPrivilege2220WMIC.exe
    Token: SeIncBasePriorityPrivilege2220WMIC.exe
    Token: SeCreatePagefilePrivilege2220WMIC.exe
    Token: SeBackupPrivilege2220WMIC.exe
    Token: SeRestorePrivilege2220WMIC.exe
    Token: SeShutdownPrivilege2220WMIC.exe
    Token: SeDebugPrivilege2220WMIC.exe
    Token: SeSystemEnvironmentPrivilege2220WMIC.exe
    Token: SeRemoteShutdownPrivilege2220WMIC.exe
    Token: SeUndockPrivilege2220WMIC.exe
    Token: SeManageVolumePrivilege2220WMIC.exe
    Token: 332220WMIC.exe
    Token: 342220WMIC.exe
    Token: 352220WMIC.exe
    Token: 362220WMIC.exe
    Token: SeIncreaseQuotaPrivilege2220WMIC.exe
    Token: SeSecurityPrivilege2220WMIC.exe
    Token: SeTakeOwnershipPrivilege2220WMIC.exe
    Token: SeLoadDriverPrivilege2220WMIC.exe
    Token: SeSystemProfilePrivilege2220WMIC.exe
    Token: SeSystemtimePrivilege2220WMIC.exe
    Token: SeProfSingleProcessPrivilege2220WMIC.exe
    Token: SeIncBasePriorityPrivilege2220WMIC.exe
    Token: SeCreatePagefilePrivilege2220WMIC.exe
    Token: SeBackupPrivilege2220WMIC.exe
    Token: SeRestorePrivilege2220WMIC.exe
    Token: SeShutdownPrivilege2220WMIC.exe
    Token: SeDebugPrivilege2220WMIC.exe
    Token: SeSystemEnvironmentPrivilege2220WMIC.exe
    Token: SeRemoteShutdownPrivilege2220WMIC.exe
    Token: SeUndockPrivilege2220WMIC.exe
    Token: SeManageVolumePrivilege2220WMIC.exe
    Token: 332220WMIC.exe
    Token: 342220WMIC.exe
    Token: 352220WMIC.exe
    Token: 362220WMIC.exe
  • Suspicious use of WriteProcessMemory
    fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2352 wrote to memory of 40682352fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 2352 wrote to memory of 40682352fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.execmd.exe
    PID 4068 wrote to memory of 22204068cmd.exeWMIC.exe
    PID 4068 wrote to memory of 22204068cmd.exeWMIC.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"
    Modifies extensions of user files
    Drops startup file
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
        Suspicious use of AdjustPrivilegeToken
        PID:2220
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2728
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads
                      • memory/2220-116-0x0000000000000000-mapping.dmp

                      • memory/4068-115-0x0000000000000000-mapping.dmp