Analysis
max time kernel: 151s
max time network: 88s
platform: windows10_x64
resource: win10v20210408
submitted: 28-09-2021 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: 853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe
  Resource: win10v20210408
General
Target: 853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe
Size: 192KB
MD5: 6b2c004ab77290fec33d460930d08844
SHA1: 3b5cfc88baa8bf78ec0b45dc07b3bbea9cdf35dc
SHA256: 853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e
SHA512: 744e56785f42dea874cae577d59c93e14e538d920cb065acd74f9c67450d9d74ae70754c8aafe74d225b238e6b493a4b428098e1d75e6369356341a37fa49d5f
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.best
Signatures
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes:
  File renamed: C:\Users\Admin\Pictures\SendRemove.crw => C:\Users\Admin\Pictures\SendRemove.crw.JVUAE (process: 853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe)
Drops desktop.ini file(s) (28 IoCs)
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 568 (853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe) wrote to memory of PID 500 (cmd.exe)
  PID 568 (853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe) wrote to memory of PID 500 (cmd.exe)
  PID 500 (cmd.exe) wrote to memory of PID 732 (WMIC.exe)
  PID 500 (cmd.exe) wrote to memory of PID 732 (WMIC.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 568
  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 500
    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 732
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4020