Analysis
-
max time kernel: 141s
max time network: 151s
platform: windows10_x64
resource: win10-en-20210920
submitted: 05-10-2021 11:35
Tasks
-
Static task: static1
Sample for every behavioral task: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Behavioral task behavioral1: resource win7-ja-20210920
Behavioral task behavioral2: resource win7v20210408
Behavioral task behavioral3: resource win7-de-20210920
Behavioral task behavioral4: resource win11
Behavioral task behavioral5: resource win10v20210408
Behavioral task behavioral6: resource win10-ja-20210920
Behavioral task behavioral7: resource win10-en-20210920
Behavioral task behavioral8: resource win10-de-20210920
General
-
Target: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Size: 1.6MB
MD5: 520d488564da102f5482fcfdcdbd266a
SHA1: 45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
SHA256: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
SHA512: e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
Malware Config
-
Extracted from: C:\readme.txt
Family: conti
URLs:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\NewSend.tiff | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
File renamed | C:\Users\Admin\Pictures\NewSend.tiff => C:\Users\Admin\Pictures\NewSend.tiff.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
File renamed | C:\Users\Admin\Pictures\WriteResize.raw => C:\Users\Admin\Pictures\WriteResize.raw.LCODG | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
-
Drops startup file (1 IoC)
Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (64 IoCs)
Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
description | ioc (the process column is e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe for every row)
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\readme.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\readme.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\readme.txt
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\readme.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\locale\ms\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util.xml
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js
File created | C:\Program Files\Microsoft Office\root\Licenses\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\NOTICE
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\THMBNAIL.PNG
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\readme.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\app-api.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\readme.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_move_18.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\readme.txt
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
pid | process
2160 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
2160 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
-
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: vssvc.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 2728 | vssvc.exe
Token: SeRestorePrivilege | 2728 | vssvc.exe
Token: SeAuditPrivilege | 2728 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2220 | WMIC.exe
Token: SeSecurityPrivilege | 2220 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2220 | WMIC.exe
Token: SeLoadDriverPrivilege | 2220 | WMIC.exe
Token: SeSystemProfilePrivilege | 2220 | WMIC.exe
Token: SeSystemtimePrivilege | 2220 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2220 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2220 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2220 | WMIC.exe
Token: SeBackupPrivilege | 2220 | WMIC.exe
Token: SeRestorePrivilege | 2220 | WMIC.exe
Token: SeShutdownPrivilege | 2220 | WMIC.exe
Token: SeDebugPrivilege | 2220 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2220 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2220 | WMIC.exe
Token: SeUndockPrivilege | 2220 | WMIC.exe
Token: SeManageVolumePrivilege | 2220 | WMIC.exe
Token: 33 | 2220 | WMIC.exe
Token: 34 | 2220 | WMIC.exe
Token: 35 | 2220 | WMIC.exe
Token: 36 | 2220 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2220 | WMIC.exe
Token: SeSecurityPrivilege | 2220 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2220 | WMIC.exe
Token: SeLoadDriverPrivilege | 2220 | WMIC.exe
Token: SeSystemProfilePrivilege | 2220 | WMIC.exe
Token: SeSystemtimePrivilege | 2220 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2220 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2220 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2220 | WMIC.exe
Token: SeBackupPrivilege | 2220 | WMIC.exe
Token: SeRestorePrivilege | 2220 | WMIC.exe
Token: SeShutdownPrivilege | 2220 | WMIC.exe
Token: SeDebugPrivilege | 2220 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2220 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2220 | WMIC.exe
Token: SeUndockPrivilege | 2220 | WMIC.exe
Token: SeManageVolumePrivilege | 2220 | WMIC.exe
Token: 33 | 2220 | WMIC.exe
Token: 34 | 2220 | WMIC.exe
Token: 35 | 2220 | WMIC.exe
Token: 36 | 2220 | WMIC.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe, cmd.exe
description | pid | process | target process
PID 2160 wrote to memory of 4068 | 2160 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe | cmd.exe
PID 2160 wrote to memory of 4068 | 2160 | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe | cmd.exe
PID 4068 wrote to memory of 2220 | 4068 | cmd.exe | WMIC.exe
PID 4068 wrote to memory of 2220 | 4068 | cmd.exe | WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe"
Depth: 1
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe
Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
Depth: 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe
Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
Depth: 3
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken