Analysis
- max time kernel: 90s
- max time network: 47s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-09-2021 09:51
Static task: static1
Behavioral task: behavioral1
- Sample: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Resource: win10v20210408
General
- Target: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Size: 194KB
- MD5: aceec8b8d93705b4983d3cf9cda3f805
- SHA1: 946d3f00ea84cc3cdb4222cdc811e3eaca82ace8
- SHA256: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86
- SHA512: 0a79d75d0d832bcac027f4d03ecf3e77ccfbf53af269bff09b4887f8a4b01624e5dbdc454b315159cea8923035ed14c165ed7458e75835176cc2860185eea648
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs: http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ , https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
  - File renamed: C:\Users\Admin\Pictures\RestartSave.tiff => C:\Users\Admin\Pictures\RestartSave.tiff.UHIPV
  - File renamed: C:\Users\Admin\Pictures\UnlockBlock.raw => C:\Users\Admin\Pictures\UnlockBlock.raw.UHIPV
  - File renamed: C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.UHIPV
  - File renamed: C:\Users\Admin\Pictures\PopMerge.png => C:\Users\Admin\Pictures\PopMerge.png.UHIPV
  - File opened for modification: C:\Users\Admin\Pictures\RestartSave.tiff
  - File renamed: C:\Users\Admin\Pictures\StartLock.png => C:\Users\Admin\Pictures\StartLock.png.UHIPV
  - File renamed: C:\Users\Admin\Pictures\UndoOpen.png => C:\Users\Admin\Pictures\UndoOpen.png.UHIPV
  - File renamed: C:\Users\Admin\Pictures\ExitSplit.raw => C:\Users\Admin\Pictures\ExitSplit.raw.UHIPV
  - File renamed: C:\Users\Admin\Pictures\ExportBlock.png => C:\Users\Admin\Pictures\ExportBlock.png.UHIPV
  - File renamed: C:\Users\Admin\Pictures\ShowOpen.png => C:\Users\Admin\Pictures\ShowOpen.png.UHIPV
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Process: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: PID 1272, fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe (PID 484), WMIC.exe (PID 316), WMIC.exe (PID 1880)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe (PID 1272) and the cmd.exe children it spawns; see the process tree below.
Processes
- C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe (PID 1272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe6e84192da5c0210d4bd51e809792b28e60edb337917f903a7e9a31bc40cf86.bin.sample.exe"
  Signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 564)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 316)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1528)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1880)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 896)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 772)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
  - C:\Windows\system32\cmd.exe (PID 1872)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1300)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
  - C:\Windows\system32\cmd.exe (PID 1944)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 632)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
  - C:\Windows\system32\cmd.exe (PID 860)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1940)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
  - C:\Windows\system32\cmd.exe (PID 1760)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1288)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
  - C:\Windows\system32\cmd.exe (PID 676)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 572)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
  - C:\Windows\system32\cmd.exe (PID 1076)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (PID 1816)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
  - C:\Windows\system32\cmd.exe (PID 272)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1672)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
  - C:\Windows\system32\cmd.exe (PID 1588)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1512)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
  - C:\Windows\system32\cmd.exe (PID 1556)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
    - C:\Windows\System32\wbem\WMIC.exe (PID 1504)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
- C:\Windows\system32\vssvc.exe (PID 484)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken