Analysis
- max time kernel: 155s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
- Resource: win10-en-20210920
General
- Target: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
- Size: 195KB
- MD5: 9656b98b10d645f1850030f461acdf7b
- SHA1: f2253855fa2d400c92f819c6ffec73281ec7232f
- SHA256: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e
- SHA512: 17016e6d348761865c2c5fa82b94c94604cd819dc4ce0dad5ba2800e16d070eeb7ba261a68d37d4530adacdb955e0bfac42019ac432b1a22b60488f6387a1021
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.xyz/
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Drops file in Program Files directory (64 IoCs)
  Processes: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
  All 64 entries below (description: ioc) were recorded for the process 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe.
  - File opened for modification: C:\Program Files\DVD Maker\sonicsptransform.ax
  - File opened for modification: C:\Program Files\Mozilla Firefox\Accessible.tlb
  - File opened for modification: C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml
  - File opened for modification: C:\Program Files\NewUnlock.kix
  - File opened for modification: C:\Program Files\StepBlock.m4a
  - File opened for modification: C:\Program Files\7-Zip\descript.ion
  - File opened for modification: C:\Program Files\Internet Explorer\Timeline.cpu.xml
  - File created: C:\Program Files\MSBuild\readme.txt
  - File created: C:\Program Files (x86)\Common Files\readme.txt
  - File opened for modification: C:\Program Files\BlockWait.cfg
  - File opened for modification: C:\Program Files\WatchTrace.ps1xml
  - File created: C:\Program Files\DVD Maker\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\precomplete
  - File created: C:\Program Files (x86)\Adobe\readme.txt
  - File created: C:\Program Files (x86)\Microsoft Office\readme.txt
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt
  - File opened for modification: C:\Program Files\SearchWatch.dwfx
  - File created: C:\Program Files\Internet Explorer\readme.txt
  - File created: C:\Program Files\Microsoft Office\readme.txt
  - File opened for modification: C:\Program Files\InitializeAdd.kix
  - File created: C:\Program Files\Common Files\readme.txt
  - File created: C:\Program Files\VideoLAN\readme.txt
  - File opened for modification: C:\Program Files\DVD Maker\rtstreamsink.ax
  - File created: C:\Program Files\Mozilla Firefox\readme.txt
  - File created: C:\Program Files (x86)\Microsoft.NET\readme.txt
  - File opened for modification: C:\Program Files\ClearExport.html
  - File opened for modification: C:\Program Files\ExportMount.mp3
  - File opened for modification: C:\Program Files\OutSkip.wax
  - File created: C:\Program Files\Uninstall Information\readme.txt
  - File created: C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt
  - File created: C:\Program Files\readme.txt
  - File opened for modification: C:\Program Files\ExitCheckpoint.odt
  - File opened for modification: C:\Program Files\7-Zip\7zCon.sfx
  - File opened for modification: C:\Program Files\DVD Maker\Eurosti.TTF
  - File opened for modification: C:\Program Files\Internet Explorer\ie9props.propdesc
  - File created: C:\Program Files (x86)\Internet Explorer\readme.txt
  - File opened for modification: C:\Program Files\PingDeny.ods
  - File opened for modification: C:\Program Files\7-Zip\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\7-zip.chm
  - File opened for modification: C:\Program Files\Mozilla Firefox\omni.ja
  - File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets
  - File opened for modification: C:\Program Files\ResetInvoke.wmf
  - File opened for modification: C:\Program Files\7-Zip\License.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\dependentlibs.list
  - File created: C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt
  - File created: C:\Program Files (x86)\MSBuild\readme.txt
  - File created: C:\Program Files (x86)\Uninstall Information\readme.txt
  - File opened for modification: C:\Program Files\ConvertFromCompare.wpl
  - File opened for modification: C:\Program Files\7-Zip\7z.sfx
  - File created: C:\Program Files (x86)\Microsoft Sync Framework\readme.txt
  - File opened for modification: C:\Program Files\EnableUnprotect.mp2v
  - File created: C:\Program Files (x86)\readme.txt
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\ie9props.propdesc
  - File opened for modification: C:\Program Files\OpenPush.vb
  - File created: C:\Program Files\Google\readme.txt
  - File opened for modification: C:\Program Files\MountMeasure.wvx
  - File opened for modification: C:\Program Files\DVD Maker\SecretST.TTF
  - File opened for modification: C:\Program Files\Mozilla Firefox\removed-files
  - File opened for modification: C:\Program Files\7-Zip\History.txt
  - File opened for modification: C:\Program Files\DVD Maker\fieldswitch.ax
  - File opened for modification: C:\Program Files\DVD Maker\soniccolorconverter.ax
  - File created: C:\Program Files (x86)\Google\readme.txt
  - File created: C:\Program Files (x86)\Microsoft Analysis Services\readme.txt
  - File opened for modification: C:\Program Files\CopyApprove.txt
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
  - pid 1820: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, WMIC.exe, WMIC.exe
  Entries grouped by process (description: token privilege, pid, process):
  - vssvc.exe (pid 1980): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - WMIC.exe (pid 1128), the following sequence recorded twice (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - WMIC.exe (pid 1716), 21 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe, cmd.exe (9 instances)
  Entries (source pid and process wrote to memory of target pid and process); the number of times each entry is recorded on the page is given in parentheses:
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 2044 (cmd.exe) (4 entries)
  - 2044 (cmd.exe) wrote to memory of 1128 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1836 (cmd.exe) (4 entries)
  - 1836 (cmd.exe) wrote to memory of 1716 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1704 (cmd.exe) (4 entries)
  - 1704 (cmd.exe) wrote to memory of 1520 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1620 (cmd.exe) (4 entries)
  - 1620 (cmd.exe) wrote to memory of 1624 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 268 (cmd.exe) (4 entries)
  - 268 (cmd.exe) wrote to memory of 1020 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1476 (cmd.exe) (4 entries)
  - 1476 (cmd.exe) wrote to memory of 1004 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1288 (cmd.exe) (4 entries)
  - 1288 (cmd.exe) wrote to memory of 344 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1576 (cmd.exe) (4 entries)
  - 1576 (cmd.exe) wrote to memory of 1092 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1328 (cmd.exe) (4 entries)
  - 1328 (cmd.exe) wrote to memory of 2044 (WMIC.exe) (3 entries)
  - 1820 (3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe) wrote to memory of 1932 (cmd.exe) (1 entry; the list ends here at 64 IoCs)
Processes
Process tree (image path, PID, command line and the signatures triggered by that process; children are indented under their parent):
- C:\Users\Admin\AppData\Local\Temp\3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe (PID 1820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2044)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1128)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1836)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1716)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1704)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1520)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  - C:\Windows\system32\cmd.exe (PID 1620)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1624)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  - C:\Windows\system32\cmd.exe (PID 268)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1020)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  - C:\Windows\system32\cmd.exe (PID 1476)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1004)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  - C:\Windows\system32\cmd.exe (PID 1288)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 344)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  - C:\Windows\system32\cmd.exe (PID 1576)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1092)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  - C:\Windows\system32\cmd.exe (PID 1328)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 2044)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  - C:\Windows\system32\cmd.exe (PID 1932)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1836)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  - C:\Windows\system32\cmd.exe (PID 1204)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1672)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
- C:\Windows\system32\vssvc.exe (PID 1980)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken