Analysis

  max time kernel:   133s
  max time network:  149s
  platform:          windows7_x64
  resource:          win7v20210408
  submitted:         28-09-2021 08:25

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
    Resource:        win7v20210408
  Behavioral task:   behavioral2
    Sample:          4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
    Resource:        win10-en-20210920
General

  Target:  4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
  Size:    194KB
  MD5:     783d5a6f010336bf47803a5570fd0997
  SHA1:    e12cd3ebc23579f43ba7ec0cf07b29c79dc7dbe6
  SHA256:  4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c
  SHA512:  5ed5ee8e23c0a95687172d8f8f39ac326f2ab5dd0c77b37fab281a2519cc07aa947db2ded9d4dea2e24e70f82cb932f350e7be9c56d9dbd96d1b5c64b5c039d0
Malware Config

  Extracted
    Ransom note:  C:\readme.txt
    Family:       conti
    URLs:
      http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
      https://contirecovery.best
Signatures

Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (11 IoCs)
  Ransomware generally changes the extension on encrypted files. In this run every renamed file keeps its original name and receives the appended extension .ZSSCJ; the two "opened for modification" rows are the encryptor writing a file just before renaming it.
  Process: 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
  File renamed                  C:\Users\Admin\Pictures\SkipMount.png => C:\Users\Admin\Pictures\SkipMount.png.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\SyncDebug.tif => C:\Users\Admin\Pictures\SyncDebug.tif.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\DebugCompare.tif => C:\Users\Admin\Pictures\DebugCompare.tif.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\HidePing.crw => C:\Users\Admin\Pictures\HidePing.crw.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\PublishRemove.crw => C:\Users\Admin\Pictures\PublishRemove.crw.ZSSCJ
  File opened for modification  C:\Users\Admin\Pictures\ResolveGroup.tiff
  File renamed                  C:\Users\Admin\Pictures\ResolveGroup.tiff => C:\Users\Admin\Pictures\ResolveGroup.tiff.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\SuspendUnlock.tif => C:\Users\Admin\Pictures\SuspendUnlock.tif.ZSSCJ
  File renamed                  C:\Users\Admin\Pictures\DismountReset.tif => C:\Users\Admin\Pictures\DismountReset.tif.ZSSCJ
  File opened for modification  C:\Users\Admin\Pictures\ResizeAdd.tiff
  File renamed                  C:\Users\Admin\Pictures\ResizeAdd.tiff => C:\Users\Admin\Pictures\ResizeAdd.tiff.ZSSCJ
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. For this sample the hit should be read together with the file-system signatures: the report shows an encryption pass walking user-profile directories and records no outbound transfer of that data, so browser-profile access here is most likely the encryptor traversing those directories rather than credential theft. Check the full file-access list before recording an infostealer capability.

Drops desktop.ini file(s) (39 IoCs)
  desktop.ini is the hidden folder-view settings file present in most profile and Program Files directories. The 39 rows below trace the directories the encryptor walked (the Admin, Public and Default profiles plus both Program Files trees); they are a side effect of the encryption pass, not a separate capability.
  Process: 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
  File opened for modification  C:\Users\Admin\Favorites\desktop.ini
  File opened for modification  C:\Users\Public\Documents\desktop.ini
  File opened for modification  C:\Users\Public\Libraries\desktop.ini
  File opened for modification  C:\Users\Public\Pictures\desktop.ini
  File opened for modification  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  File opened for modification  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  File opened for modification  C:\Users\Admin\Downloads\desktop.ini
  File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini
  File opened for modification  C:\Users\Admin\Links\desktop.ini
  File opened for modification  C:\Users\Admin\Saved Games\desktop.ini
  File opened for modification  C:\Users\Public\Recorded TV\desktop.ini
  File opened for modification  C:\Users\Admin\Documents\desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini
  File opened for modification  C:\Users\Public\Downloads\desktop.ini
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini
  File opened for modification  C:\Users\Admin\Videos\desktop.ini
  File opened for modification  C:\Users\Public\Music\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File opened for modification  C:\Users\Public\desktop.ini
  File opened for modification  C:\Users\Public\Music\Sample Music\desktop.ini
  File opened for modification  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  File opened for modification  C:\Users\Public\Desktop\desktop.ini
  File opened for modification  C:\Users\Admin\Contacts\desktop.ini
  File opened for modification  C:\Users\Admin\Music\desktop.ini
  File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini
  File opened for modification  C:\Users\Public\Videos\Sample Videos\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini
  File opened for modification  C:\Program Files (x86)\desktop.ini
  File opened for modification  C:\Users\Admin\Searches\desktop.ini
  File opened for modification  C:\Users\Public\Videos\desktop.ini
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  File opened for modification  C:\Program Files\desktop.ini
Drops file in Program Files directory (64 IoCs)
  Two kinds of row are mixed here. The "File created ...\readme.txt" rows are the ransom note named in the Malware Config being dropped into each directory the encryptor visits; the "File opened for modification" rows are third-party application data (Office clip art and templates, Java time-zone and VisualVM files, VLC, Adobe Reader, DVD Maker) being encrypted in place. The report caps the list at 64 rows.
  Process: 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00152_.WMF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ODBCR.SAM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106816.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICSTYLES.DPV
  File created                  C:\Program Files\VideoLAN\VLC\locale\sr\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTS.ICO
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00261_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198113.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229385.WMF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\New_York
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF
  File created                  C:\Program Files\Mozilla Firefox\uninstall\readme.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Casual.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png
  File created                  C:\Program Files\VideoLAN\VLC\lua\meta\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar
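Added example (editor's code, not part of the Triage report and not the sample's own logic): the two file-system signatures above, "Modifies extensions of user files" and the readme.txt rows under "Drops file in Program Files", reduce to two countable patterns, and this Python script checks both over rows written in the report's own "description ioc" form. The rows embedded in it are copied from the tables above with the constant process column dropped; two constructed benign rows are appended to show what is ignored. The thresholds (five renames to one new extension, one note name created in three or more directories) and the verdict labels are the editor's assumptions.

```python
"""Ransomware file-event heuristics over rows in the shape this report uses.

Added example, not part of the sandbox report. Two behaviours are checked:
many files renamed to one new appended extension (here .ZSSCJ) and one
note filename (readme.txt) created across unrelated directories.
Thresholds and verdict labels are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")
MODIFY_RE = re.compile(r"^File opened for modification (?P<path>.+)$")


def parse_events(lines):
    """Turn report rows into (kind, path, new_path) tuples; rows matching nothing are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if m := RENAME_RE.match(line):
            events.append(("rename", m["src"], m["dst"]))
        elif m := CREATE_RE.match(line):
            events.append(("create", m["path"], None))
        elif m := MODIFY_RE.match(line):
            events.append(("modify", m["path"], None))
    return events


def appended_extensions(events):
    """Count renames of the form X => X.<ext>. A rename that changes the name
    itself (draft.docx => final.docx) is not an appended extension and is ignored."""
    counts = Counter()
    for kind, src, dst in events:
        if kind == "rename" and dst.startswith(src + ".") and len(dst) > len(src) + 1:
            counts[dst[len(src) + 1:]] += 1
    return counts


def note_drops(events, min_dirs=3):
    """Map each created filename to the directories it was created in, keeping
    only names dropped into at least min_dirs distinct directories."""
    dirs = defaultdict(set)
    for kind, path, _ in events:
        if kind == "create":
            p = PureWindowsPath(path)
            dirs[p.name.lower()].add(str(p.parent).lower())
    return {name: d for name, d in dirs.items() if len(d) >= min_dirs}


def assess(lines, min_renames=5, min_note_dirs=3):
    """Combine both signals into a verdict for one process's file events."""
    events = parse_events(lines)
    exts = {e: n for e, n in appended_extensions(events).items() if n >= min_renames}
    notes = note_drops(events, min_note_dirs)
    if exts and notes:
        verdict = "ransomware-like"
    elif exts or notes:
        verdict = "suspicious"
    else:
        verdict = "no-finding"
    return {"extensions": exts, "notes": {k: sorted(v) for k, v in notes.items()}, "verdict": verdict}


# Rows copied from the report (process column omitted; it is the sample in every row),
# plus two constructed benign rows at the end to show what is ignored.
SAMPLE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\SkipMount.png => C:\Users\Admin\Pictures\SkipMount.png.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\SyncDebug.tif => C:\Users\Admin\Pictures\SyncDebug.tif.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\DebugCompare.tif => C:\Users\Admin\Pictures\DebugCompare.tif.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\HidePing.crw => C:\Users\Admin\Pictures\HidePing.crw.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\PublishRemove.crw => C:\Users\Admin\Pictures\PublishRemove.crw.ZSSCJ",
    r"File opened for modification C:\Users\Admin\Pictures\ResolveGroup.tiff",
    r"File renamed C:\Users\Admin\Pictures\ResolveGroup.tiff => C:\Users\Admin\Pictures\ResolveGroup.tiff.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\SuspendUnlock.tif => C:\Users\Admin\Pictures\SuspendUnlock.tif.ZSSCJ",
    r"File renamed C:\Users\Admin\Pictures\DismountReset.tif => C:\Users\Admin\Pictures\DismountReset.tif.ZSSCJ",
    r"File opened for modification C:\Users\Admin\Pictures\ResizeAdd.tiff",
    r"File renamed C:\Users\Admin\Pictures\ResizeAdd.tiff => C:\Users\Admin\Pictures\ResizeAdd.tiff.ZSSCJ",
    r"File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\readme.txt",
    r"File created C:\Program Files\VideoLAN\VLC\locale\sr\readme.txt",
    r"File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\readme.txt",
    r"File created C:\Program Files\Mozilla Firefox\uninstall\readme.txt",
    r"File created C:\Program Files\VideoLAN\VLC\lua\meta\readme.txt",
    r"File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg",
    # constructed benign rows: an ordinary rename and a single note-like file
    r"File renamed C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx",
    r"File created C:\Users\Admin\Documents\notes.txt",
]
BENIGN_EVENTS = SAMPLE_EVENTS[-2:]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))   # verdict: ransomware-like, extensions {'ZSSCJ': 9}
    print(assess(BENIGN_EVENTS))   # verdict: no-finding
```

The same two counters work over Sysmon FileCreate and EDR rename telemetry in production. The appended extension differs between Conti builds, so learn it from the data as this script does rather than hard-coding .ZSSCJ, and key the counts per process so a single encryptor stands out from normal user activity.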
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: pid 1828  4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe
  (the same pid and image on all 64 rows: the sample enumerates the process list repeatedly, and the report caps the list at 64 rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Privileges enabled, grouped by process. vssvc.exe (the Volume Shadow Copy service) enabling SeBackupPrivilege and SeRestorePrivilege means VSS work was in progress while the sample ran. WMIC.exe enabling every privilege available to its administrator token is normal for that tool and is not by itself evidence of escalation; the sandbox logs one row per privilege per pass. The entries 33, 34 and 35 are privilege LUIDs reported by number rather than name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The report caps the list at 64 rows.

  vssvc.exe (pid 1068):  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe (pid 1336), the following sequence logged twice:  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe (pid 1324), the same sequence logged once, then SeIncreaseQuotaPrivilege again at the point where the list is cut
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | events
PID 1828 wrote to memory of 1256 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1256 wrote to memory of 1336 | 1256 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1860 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1860 wrote to memory of 1324 | 1860 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 824 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 824 wrote to memory of 1628 | 824 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 520 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 520 wrote to memory of 524 | 520 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1636 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1636 wrote to memory of 856 | 1636 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1084 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1084 wrote to memory of 1056 | 1084 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1040 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1040 wrote to memory of 1604 | 1040 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1716 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1716 wrote to memory of 1720 | 1716 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1520 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 4
PID 1520 wrote to memory of 316 | 1520 | cmd.exe | WMIC.exe | 3
PID 1828 wrote to memory of 1564 | 1828 | 4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe | cmd.exe | 1
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4d8e709832dc3b6cc9283dc2c79eac0d9a4092b1a3b180d7cc7ec6902b7a128c.bin.sample.exe"
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3EA0DCCD-B68F-4739-8545-1421DB5CBBF9}'" delete
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A4DE33F-EC6D-48D6-B18F-B8C0EB661608}'" delete
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{674F5ED5-898F-4B38-B442-9717EBC249B0}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56062236-819D-4FFA-9A67-51FD862961CC}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{993FFB36-DB0D-4B0F-AB01-F5535FFFD2FF}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5C93421E-92BF-4841-8F4A-AE5CE989C82C}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9CE7C86-FE5D-4BEA-A3FE-1097D95611CF}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{781F970E-534F-47AA-999D-6ED6D643AB75}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39949E94-CD4C-4CF8-B45A-3F512784587B}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB291DFD-F8B7-48E4-8503-043258A3C021}'" delete
  -
  C:\Windows\system32\cmd.exe (level 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe (level 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{485AA00D-2E8F-43E3-8672-B2EC5EA21273}'" delete
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/316-79-0x0000000000000000-mapping.dmp
- memory/520-68-0x0000000000000000-mapping.dmp
- memory/524-69-0x0000000000000000-mapping.dmp
- memory/736-82-0x0000000000000000-mapping.dmp
- memory/824-66-0x0000000000000000-mapping.dmp
- memory/856-71-0x0000000000000000-mapping.dmp
- memory/1040-74-0x0000000000000000-mapping.dmp
- memory/1056-73-0x0000000000000000-mapping.dmp
- memory/1084-72-0x0000000000000000-mapping.dmp
- memory/1172-83-0x0000000000000000-mapping.dmp
- memory/1256-62-0x0000000000000000-mapping.dmp
- memory/1324-65-0x0000000000000000-mapping.dmp
- memory/1336-63-0x0000000000000000-mapping.dmp
- memory/1520-78-0x0000000000000000-mapping.dmp
- memory/1564-80-0x0000000000000000-mapping.dmp
- memory/1588-81-0x0000000000000000-mapping.dmp
- memory/1604-75-0x0000000000000000-mapping.dmp
- memory/1628-67-0x0000000000000000-mapping.dmp
- memory/1636-70-0x0000000000000000-mapping.dmp
- memory/1716-76-0x0000000000000000-mapping.dmp
- memory/1720-77-0x0000000000000000-mapping.dmp
- memory/1828-60-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize 8KB)
- memory/1828-61-0x0000000077830000-0x00000000779B0000-memory.dmp (Filesize 1.5MB)
- memory/1860-64-0x0000000000000000-mapping.dmp