Analysis
- max time kernel: 124s
- max time network: 68s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 08:00

Static task: static1

Behavioral task: behavioral1
Sample: 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe
Resource: win10-en-20210920
General
- Target: 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe
- Size: 191KB
- MD5: 8d0b5c991c8725b979911d074556ee11
- SHA1: 04575878698e6ab06a0ea3f9ff6390051a73b580
- SHA256: 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6
- SHA512: 48609af2b35845921f0f7f48b3ad501ad8dc4077c7fb67b7e63f98c2d7056b2f3e7585800dc186a525eee6f7b2014ba0167297f2f7f4a70498edf4f56e57c489
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.top/
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files 7 IoCs
  Ransomware generally changes the extension on encrypted files.
Processes:
Process: 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe (description / ioc)
  File renamed: C:\Users\Admin\Pictures\SuspendLock.tif => C:\Users\Admin\Pictures\SuspendLock.tif.NEFHC
  File renamed: C:\Users\Admin\Pictures\DebugExpand.raw => C:\Users\Admin\Pictures\DebugExpand.raw.NEFHC
  File renamed: C:\Users\Admin\Pictures\InstallFind.raw => C:\Users\Admin\Pictures\InstallFind.raw.NEFHC
  File opened for modification: C:\Users\Admin\Pictures\ProtectRequest.tiff
  File renamed: C:\Users\Admin\Pictures\ProtectRequest.tiff => C:\Users\Admin\Pictures\ProtectRequest.tiff.NEFHC
  File renamed: C:\Users\Admin\Pictures\RegisterUpdate.raw => C:\Users\Admin\Pictures\RegisterUpdate.raw.NEFHC
  File renamed: C:\Users\Admin\Pictures\ResumeConnect.png => C:\Users\Admin\Pictures\ResumeConnect.png.NEFHC
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) 39 IoCs
- Drops file in Program Files directory 64 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
- Suspicious use of AdjustPrivilegeToken 64 IoCs
- Suspicious use of WriteProcessMemory 64 IoCs
PID 1996 wrote to memory of 1788 1996 cmd.exe WMIC.exe PID 1996 wrote to memory of 1788 1996 cmd.exe WMIC.exe PID 360 wrote to memory of 1772 360 2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe cmd.exe
Processes
-
PID 360  C:\Users\Admin\AppData\Local\Temp\2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID 1156  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1988  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
      - Suspicious use of AdjustPrivilegeToken
  PID 1852  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1708  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
      - Suspicious use of AdjustPrivilegeToken
  PID 1684  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1276  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  PID 1128  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1396  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  PID 320  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
    - Suspicious use of WriteProcessMemory
    PID 988  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  PID 1688  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1720  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  PID 600  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1592  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  PID 2000  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
    - Suspicious use of WriteProcessMemory
    PID 2008  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  PID 1996  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
    - Suspicious use of WriteProcessMemory
    PID 1788  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  PID 1772  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    PID 1272  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  PID 1192  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    PID 1360  C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
PID 1628  C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
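The WriteProcessMemory table and the process tree above record the same thing from two angles: the sample does not run a single `delete shadows /all`, it spawns one `cmd.exe /c WMIC.exe shadowcopy where "ID='{...}'" delete` per shadow copy, so a detector keyed on one event per host undercounts and one keyed on the WMIC process alone attributes the deletion to cmd.exe. The following is an added example, not part of the sandbox report: it rebuilds the parent/child chains from constructed process-creation records (PIDs, images, command lines and shadow copy IDs copied from the tree above; the record shape is an assumption modelled on a Sysmon process-creation event, and the two "list brief" control events and the vssadmin pattern are assumptions that do not appear in this report), attributes every shadow copy deletion past cmd.exe to the process that launched the chain, and counts distinct IDs per root process.

```python
import re

# Constructed process-creation records modelled on the sandbox process tree above.
# PIDs, image paths, command lines and shadow copy IDs are copied from the report;
# the record shape (pid, ppid, image, cmdline) is an assumption in the style of a
# Sysmon process-creation event, not the sandbox's export format, and ppid=1 is a
# placeholder where the report shows no parent.
SAMPLE = "2f4f45f6624d1992bb474d7b245ebe8c316c0f8093fd1e313756c69680b844e6.bin.sample.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# (cmd.exe PID, WMIC.exe PID, shadow copy ID) for each deletion chain in the tree
CHAINS = [
    (1156, 1988, "{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}"),
    (1852, 1708, "{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}"),
    (1684, 1276, "{674F5ED5-898F-4B38-B442-9717EBC249B0}"),
    (1128, 1396, "{56062236-819D-4FFA-9A67-51FD862961CC}"),
    (320, 988, "{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}"),
    (1688, 1720, "{5C93421E-92BF-4841-8F4A-AE5CE989C82C}"),
    (600, 1592, "{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}"),
    (2000, 2008, "{781F970E-534F-47AA-999D-6ED6D643AB75}"),
    (1996, 1788, "{39949E94-CD4C-4CF8-B45A-3F512784587B}"),
    (1772, 1272, "{AB291DFD-F8B7-48E4-8503-043258A3C021}"),
    (1192, 1360, "{485AA00D-2E8F-43E3-8672-B2EC5EA21273}"),
]


def build_events():
    """Return the constructed event list: sample -> cmd.exe /c WMIC ... delete, plus controls."""
    sample_path = TEMP + "\\" + SAMPLE
    events = [{"pid": 360, "ppid": 1, "image": sample_path, "cmdline": '"%s"' % sample_path}]
    for cmd_pid, wmic_pid, sid in CHAINS:
        wmic_cmd = "%s shadowcopy where \"ID='%s'\" delete" % (WMIC, sid)
        events.append({"pid": cmd_pid, "ppid": 360, "image": CMD, "cmdline": "cmd.exe /c " + wmic_cmd})
        events.append({"pid": wmic_pid, "ppid": cmd_pid, "image": WMIC, "cmdline": wmic_cmd})
    # The VSS service starts on demand when shadow copies are touched; benign on its own.
    events.append({"pid": 1628, "ppid": 1, "image": r"C:\Windows\system32\vssvc.exe",
                   "cmdline": r"C:\Windows\system32\vssvc.exe"})
    # Control (assumed, not in the report): an operator only listing shadow copies. Must not fire.
    events.append({"pid": 4100, "ppid": 1, "image": CMD, "cmdline": "cmd.exe"})
    events.append({"pid": 4104, "ppid": 4100, "image": WMIC, "cmdline": "WMIC.exe shadowcopy list brief"})
    return events


# WMI form seen in this report, plus the vssadmin equivalent (assumption: not in this report).
SHADOW_DELETE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
    r"|\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    re.IGNORECASE,
)
GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def is_shadow_delete(cmdline):
    return SHADOW_DELETE.search(cmdline) is not None


def ancestry(by_pid, pid):
    """[pid, parent, grandparent, ...] until the chain leaves the event set (or loops)."""
    chain = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def _is_cmd(by_pid, pid):
    return by_pid[pid]["image"].lower().endswith("\\cmd.exe")


def detect(events):
    """Map root PID -> finding. Deletions are attributed past cmd.exe to whoever launched the
    chain, so the eleven cmd/WMIC pairs collapse into one finding with eleven distinct IDs."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if not is_shadow_delete(e["cmdline"]):
            continue
        chain = ancestry(by_pid, e["pid"])
        parents = [p for p in chain[1:] if not _is_cmd(by_pid, p)]
        root = parents[0] if parents else chain[-1]
        f = findings.setdefault(root, {"image": by_pid[root]["image"], "shadow_ids": set(),
                                       "pids": set(), "via_cmd": False})
        f["shadow_ids"].update(GUID.findall(e["cmdline"]))
        f["pids"].add(e["pid"])
        f["via_cmd"] = f["via_cmd"] or any(_is_cmd(by_pid, p) for p in chain[1:])
    return findings


if __name__ == "__main__":
    for root, f in detect(build_events()).items():
        print("PID %d (%s): %d shadow copies deleted, via cmd.exe=%s, processes=%s"
              % (root, f["image"], len(f["shadow_ids"]), f["via_cmd"], sorted(f["pids"])))
```

Run against the constructed events it yields exactly one finding, rooted at PID 360 with eleven shadow copy IDs and 22 child PIDs, and nothing for vssvc.exe or the listing control. The root-attribution step matters in practice: a rule that alerts on WMIC.exe alone produces eleven alerts naming cmd.exe as the parent, while walking past the interpreter names the binary that should be isolated.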