conti | 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884

General

Target

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
Size

206KB
MD5

f9234840f07c5cfe75b482275a63f549
SHA1

8fbc27b26c4c582b5764eacf897a89fe74c0a88d
SHA256

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884
SHA512

d47d3a1fd0555da513c0a768d71b7eb19c9adb0df7a04431e74235a02fc37aa22a23beec3757ff1ce3b4370915ff07f431c1d8e26db3704188c1d9708a583ba6

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- dvTyjJN89zAOzGONw3JF0DDEokfNVuxhJsqkqCL6IRZHU5RJHhTaw9KPZjVh7k3z ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 2640 created 1096	2640	WerFault.exe	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeCompare.tiff => C:\Users\Admin\Pictures\MergeCompare.tiff.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RemoveRegister.raw => C:\Users\Admin\Pictures\RemoveRegister.raw.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSend.crw => C:\Users\Admin\Pictures\ConvertToSend.crw.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ExitDebug.crw => C:\Users\Admin\Pictures\ExitDebug.crw.QTBHS	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MergeCompare.tiff	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\readme.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\net.properties	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File created	C:\Program Files (x86)\Google\Update\readme.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\readme.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File created	C:\Program Files\Mozilla Firefox\browser\readme.txt	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2640 1096 WerFault.exe 732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

pid	pid_target	process	target process
2640	1096	WerFault.exe	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exeWerFault.exe

pid	process
1096	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
1096	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

vssvc.exeWMIC.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3976	WMIC.exe
Token: SeSecurityPrivilege	3976	WMIC.exe
Token: SeTakeOwnershipPrivilege	3976	WMIC.exe
Token: SeLoadDriverPrivilege	3976	WMIC.exe
Token: SeSystemProfilePrivilege	3976	WMIC.exe
Token: SeSystemtimePrivilege	3976	WMIC.exe
Token: SeProfSingleProcessPrivilege	3976	WMIC.exe
Token: SeIncBasePriorityPrivilege	3976	WMIC.exe
Token: SeCreatePagefilePrivilege	3976	WMIC.exe
Token: SeBackupPrivilege	3976	WMIC.exe
Token: SeRestorePrivilege	3976	WMIC.exe
Token: SeShutdownPrivilege	3976	WMIC.exe
Token: SeDebugPrivilege	3976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3976	WMIC.exe
Token: SeRemoteShutdownPrivilege	3976	WMIC.exe
Token: SeUndockPrivilege	3976	WMIC.exe
Token: SeManageVolumePrivilege	3976	WMIC.exe
Token: 33	3976	WMIC.exe
Token: 34	3976	WMIC.exe
Token: 35	3976	WMIC.exe
Token: 36	3976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3976	WMIC.exe
Token: SeSecurityPrivilege	3976	WMIC.exe
Token: SeTakeOwnershipPrivilege	3976	WMIC.exe
Token: SeLoadDriverPrivilege	3976	WMIC.exe
Token: SeSystemProfilePrivilege	3976	WMIC.exe
Token: SeSystemtimePrivilege	3976	WMIC.exe
Token: SeProfSingleProcessPrivilege	3976	WMIC.exe
Token: SeIncBasePriorityPrivilege	3976	WMIC.exe
Token: SeCreatePagefilePrivilege	3976	WMIC.exe
Token: SeBackupPrivilege	3976	WMIC.exe
Token: SeRestorePrivilege	3976	WMIC.exe
Token: SeShutdownPrivilege	3976	WMIC.exe
Token: SeDebugPrivilege	3976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3976	WMIC.exe
Token: SeRemoteShutdownPrivilege	3976	WMIC.exe
Token: SeUndockPrivilege	3976	WMIC.exe
Token: SeManageVolumePrivilege	3976	WMIC.exe
Token: 33	3976	WMIC.exe
Token: 34	3976	WMIC.exe
Token: 35	3976	WMIC.exe
Token: 36	3976	WMIC.exe
Token: SeRestorePrivilege	2640	WerFault.exe
Token: SeBackupPrivilege	2640	WerFault.exe
Token: SeDebugPrivilege	2640	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 4052	1096	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe	cmd.exe
PID 1096 wrote to memory of 4052	1096	732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe	cmd.exe
PID 4052 wrote to memory of 3976	4052	cmd.exe	WMIC.exe
PID 4052 wrote to memory of 3976	4052	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\732e207d32fe4296e6cf0b4e874111e551a9490329e662fe42958e08ef3a9884.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1916
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads