Analysis

max time kernel: 149s
max time network: 154s
platform: windows11_x64
resource: win11
submitted: 05-10-2021 11:35
Static task: static1

Behavioral tasks (each runs the sample e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe on the listed resource):
  behavioral1  win7-ja-20210920
  behavioral2  win7v20210408
  behavioral3  win7-de-20210920
  behavioral4  win11
  behavioral5  win10v20210408
  behavioral6  win10-ja-20210920
  behavioral7  win10-en-20210920
  behavioral8  win10-de-20210920
General

Target: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Size: 1.6MB
MD5: 520d488564da102f5482fcfdcdbd266a
SHA1: 45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
SHA256: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
SHA512: e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
Malware Config

Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click
Signatures

Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Drops file in Program Files directory (64 IoCs)
  Process: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe (file creations and modifications under C:\Program Files and C:\Program Files (x86))
Modifies data under HKEY_USERS (43 IoCs)
  Processes: sihclient.exe, svchost.exe (registry keys created under \REGISTRY\USER\.DEFAULT and \REGISTRY\USER\S-1-5-19)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3848  e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  PID 3848  e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe (PID 5032), WMIC.exe (PID 4604), WMIC.exe (PID 4252)
Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe (PID 3848) writing to cmd.exe, and cmd.exe writing to WMIC.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe"
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F27351B6-5948-4472-805E-D9351169C9F8}'" delete
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wbem\WMIC.exe
          command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F27351B6-5948-4472-805E-D9351169C9F8}'" delete
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA7578E7-C050-4203-8960-B7C1EEB3C154}'" delete
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wbem\WMIC.exe
          command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA7578E7-C050-4203-8960-B7C1EEB3C154}'" delete
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAF3D2D2-2F39-4D11-801A-DA2308899B7A}'" delete
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wbem\WMIC.exe
          command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAF3D2D2-2F39-4D11-801A-DA2308899B7A}'" delete

    C:\Windows\SYSTEM32\cmd.exe
      command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA09823E-4D3B-48CC-A19F-0B0814E6BACE}'" delete
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wbem\WMIC.exe
          command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA09823E-4D3B-48CC-A19F-0B0814E6BACE}'" delete

C:\Windows\System32\sihclient.exe
  command line: C:\Windows\System32\sihclient.exe /cv lX+JvkxKV0GZd+6TsanO5Q.0.2
  - Modifies data under HKEY_USERS

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: 5fc86e8162ad34cc11ea9cbca3118e0c
  SHA1: 5e1f776ec67c09da8def4d16091af67a8cac18d4
  SHA256: ee768812f160218bca7b48fe191958fae5c4d5ae1cdc3173030b626fbc6f3bd4
  SHA512: 52c4d789e1d4e6df7b54e7ef7a98202cb120d3babb9c6f46a30c00d09e536b4ffb25dc8db91282148ce80a38946f0d14990b23468fe75dd612156c50db91ed5c