Analysis
-
max time kernel
149s -
max time network
39s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
28-09-2021 09:51
Static task
static1
Behavioral task
behavioral1
Sample
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe
Resource
win10-en-20210920
General
-
Target
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe
-
Size
195KB
-
MD5
912f6ba823937d9f1f3b0cef3f5c4986
-
SHA1
42ab240af3bded9cabe5338ac812b81d39862726
-
SHA256
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864
-
SHA512
1338386cb15ad88ee9505bfc71388bc46d70c7fb1d5ce1312dd2cbe156f99b6ef2b8c1ca3a7f9ab95d0670892a1e340a51df995adc60f617cd90c173e7ab83f2
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
-
Conti Ransomware
Conti is ransomware generally thought to be a successor to Ryuk.
-
Drops file in Program Files directory — 64 IoCs
Processes:
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exedescription ioc process File opened for modification C:\Program Files\DisablePublish.edrwx fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\ImportHide.dot fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\7-Zip\Lang\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\ExitEdit.pcx fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Microsoft Office\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\UndoRevoke.wps fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\readme.txt 
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\7z.sfx fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\History.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\directshowtap.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Common Files\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\MSBuild\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsink.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Uninstall Information\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Reference Assemblies\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Microsoft Sync Framework\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\ResetPush.cfg fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\SelectExport.vstm fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for 
modification C:\Program Files\DVD Maker\bod_r.TTF fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\fieldswitch.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Internet Explorer\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Microsoft Games\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\EditUninstall.ram fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\RestartLimit.mpe fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\descript.ion fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\Eurosti.TTF fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\Accessible.tlb fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\VideoLAN\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Microsoft Analysis Services\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Common Files\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Google\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Internet Explorer\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\SyncStart.png fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\sonicsptransform.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files\Microsoft Office\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\ExpandUnblock.ico fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification 
C:\Program Files\7-Zip\Lang\co.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\UnlockSet.xps fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\readme.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\offset.ax fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\License.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\UndoSync.tif fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\SecretST.TTF fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe -
Suspicious behavior: EnumeratesProcesses — 1 IoC
Processes:
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exepid process 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken — 64 IoCs
Processes:
vssvc.exeWMIC.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1712 vssvc.exe Token: SeRestorePrivilege 1712 vssvc.exe Token: SeAuditPrivilege 1712 vssvc.exe Token: SeIncreaseQuotaPrivilege 472 WMIC.exe Token: SeSecurityPrivilege 472 WMIC.exe Token: SeTakeOwnershipPrivilege 472 WMIC.exe Token: SeLoadDriverPrivilege 472 WMIC.exe Token: SeSystemProfilePrivilege 472 WMIC.exe Token: SeSystemtimePrivilege 472 WMIC.exe Token: SeProfSingleProcessPrivilege 472 WMIC.exe Token: SeIncBasePriorityPrivilege 472 WMIC.exe Token: SeCreatePagefilePrivilege 472 WMIC.exe Token: SeBackupPrivilege 472 WMIC.exe Token: SeRestorePrivilege 472 WMIC.exe Token: SeShutdownPrivilege 472 WMIC.exe Token: SeDebugPrivilege 472 WMIC.exe Token: SeSystemEnvironmentPrivilege 472 WMIC.exe Token: SeRemoteShutdownPrivilege 472 WMIC.exe Token: SeUndockPrivilege 472 WMIC.exe Token: SeManageVolumePrivilege 472 WMIC.exe Token: 33 472 WMIC.exe Token: 34 472 WMIC.exe Token: 35 472 WMIC.exe Token: SeIncreaseQuotaPrivilege 472 WMIC.exe Token: SeSecurityPrivilege 472 WMIC.exe Token: SeTakeOwnershipPrivilege 472 WMIC.exe Token: SeLoadDriverPrivilege 472 WMIC.exe Token: SeSystemProfilePrivilege 472 WMIC.exe Token: SeSystemtimePrivilege 472 WMIC.exe Token: SeProfSingleProcessPrivilege 472 WMIC.exe Token: SeIncBasePriorityPrivilege 472 WMIC.exe Token: SeCreatePagefilePrivilege 472 WMIC.exe Token: SeBackupPrivilege 472 WMIC.exe Token: SeRestorePrivilege 472 WMIC.exe Token: SeShutdownPrivilege 472 WMIC.exe Token: SeDebugPrivilege 472 WMIC.exe Token: SeSystemEnvironmentPrivilege 472 WMIC.exe Token: SeRemoteShutdownPrivilege 472 WMIC.exe Token: SeUndockPrivilege 472 WMIC.exe Token: SeManageVolumePrivilege 472 WMIC.exe Token: 33 472 WMIC.exe Token: 34 472 WMIC.exe Token: 35 472 WMIC.exe Token: SeIncreaseQuotaPrivilege 1368 WMIC.exe Token: SeSecurityPrivilege 1368 WMIC.exe Token: SeTakeOwnershipPrivilege 1368 WMIC.exe Token: SeLoadDriverPrivilege 1368 WMIC.exe Token: SeSystemProfilePrivilege 1368 WMIC.exe Token: 
SeSystemtimePrivilege 1368 WMIC.exe Token: SeProfSingleProcessPrivilege 1368 WMIC.exe Token: SeIncBasePriorityPrivilege 1368 WMIC.exe Token: SeCreatePagefilePrivilege 1368 WMIC.exe Token: SeBackupPrivilege 1368 WMIC.exe Token: SeRestorePrivilege 1368 WMIC.exe Token: SeShutdownPrivilege 1368 WMIC.exe Token: SeDebugPrivilege 1368 WMIC.exe Token: SeSystemEnvironmentPrivilege 1368 WMIC.exe Token: SeRemoteShutdownPrivilege 1368 WMIC.exe Token: SeUndockPrivilege 1368 WMIC.exe Token: SeManageVolumePrivilege 1368 WMIC.exe Token: 33 1368 WMIC.exe Token: 34 1368 WMIC.exe Token: 35 1368 WMIC.exe Token: SeIncreaseQuotaPrivilege 1368 WMIC.exe -
Suspicious use of WriteProcessMemory — 64 IoCs
Processes:
fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2028 wrote to memory of 320 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 320 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 320 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 320 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 320 wrote to memory of 472 320 cmd.exe WMIC.exe PID 320 wrote to memory of 472 320 cmd.exe WMIC.exe PID 320 wrote to memory of 472 320 cmd.exe WMIC.exe PID 2028 wrote to memory of 1212 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 1212 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 1212 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 1212 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 1212 wrote to memory of 1368 1212 cmd.exe WMIC.exe PID 1212 wrote to memory of 1368 1212 cmd.exe WMIC.exe PID 1212 wrote to memory of 1368 1212 cmd.exe WMIC.exe PID 2028 wrote to memory of 340 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 340 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 340 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 340 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe 
cmd.exe PID 340 wrote to memory of 588 340 cmd.exe WMIC.exe PID 340 wrote to memory of 588 340 cmd.exe WMIC.exe PID 340 wrote to memory of 588 340 cmd.exe WMIC.exe PID 2028 wrote to memory of 456 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 456 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 456 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 456 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 456 wrote to memory of 1260 456 cmd.exe WMIC.exe PID 456 wrote to memory of 1260 456 cmd.exe WMIC.exe PID 456 wrote to memory of 1260 456 cmd.exe WMIC.exe PID 2028 wrote to memory of 848 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 848 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 848 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 848 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 848 wrote to memory of 1148 848 cmd.exe WMIC.exe PID 848 wrote to memory of 1148 848 cmd.exe WMIC.exe PID 848 wrote to memory of 1148 848 cmd.exe WMIC.exe PID 2028 wrote to memory of 756 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 756 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 756 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 756 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 756 wrote to 
memory of 1720 756 cmd.exe WMIC.exe PID 756 wrote to memory of 1720 756 cmd.exe WMIC.exe PID 756 wrote to memory of 1720 756 cmd.exe WMIC.exe PID 2028 wrote to memory of 2000 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 2000 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 2000 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 2000 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2000 wrote to memory of 1556 2000 cmd.exe WMIC.exe PID 2000 wrote to memory of 1556 2000 cmd.exe WMIC.exe PID 2000 wrote to memory of 1556 2000 cmd.exe WMIC.exe PID 2028 wrote to memory of 332 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 332 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 332 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 332 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 332 wrote to memory of 304 332 cmd.exe WMIC.exe PID 332 wrote to memory of 304 332 cmd.exe WMIC.exe PID 332 wrote to memory of 304 332 cmd.exe WMIC.exe PID 2028 wrote to memory of 572 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 572 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 572 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 2028 wrote to memory of 572 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe PID 572 wrote to memory of 1240 
572 cmd.exe WMIC.exe PID 572 wrote to memory of 1240 572 cmd.exe WMIC.exe PID 572 wrote to memory of 1240 572 cmd.exe WMIC.exe PID 2028 wrote to memory of 1040 2028 fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\fe1652f4b828c9f98ff4a37829f4a988ad3c1601fc0dff7f99fe941ae4e81864.bin.sample.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
memory/304-69-0x0000000000000000-mapping.dmp
-
memory/320-54-0x0000000000000000-mapping.dmp
-
memory/332-68-0x0000000000000000-mapping.dmp
-
memory/340-58-0x0000000000000000-mapping.dmp
-
memory/456-60-0x0000000000000000-mapping.dmp
-
memory/472-55-0x0000000000000000-mapping.dmp
-
memory/572-70-0x0000000000000000-mapping.dmp
-
memory/588-59-0x0000000000000000-mapping.dmp
-
memory/756-64-0x0000000000000000-mapping.dmp
-
memory/848-62-0x0000000000000000-mapping.dmp
-
memory/972-73-0x0000000000000000-mapping.dmp
-
memory/1040-72-0x0000000000000000-mapping.dmp
-
memory/1080-77-0x0000000000000000-mapping.dmp
-
memory/1148-63-0x0000000000000000-mapping.dmp
-
memory/1212-56-0x0000000000000000-mapping.dmp
-
memory/1240-71-0x0000000000000000-mapping.dmp
-
memory/1260-61-0x0000000000000000-mapping.dmp
-
memory/1368-57-0x0000000000000000-mapping.dmp
-
memory/1556-67-0x0000000000000000-mapping.dmp
-
memory/1572-74-0x0000000000000000-mapping.dmp
-
memory/1600-75-0x0000000000000000-mapping.dmp
-
memory/1608-76-0x0000000000000000-mapping.dmp
-
memory/1720-65-0x0000000000000000-mapping.dmp
-
memory/2000-66-0x0000000000000000-mapping.dmp
-
memory/2028-53-0x00000000759B1000-0x00000000759B3000-memory.dmpFilesize
8KB