Analysis
-
max time kernel
149s -
max time network
89s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
19-10-2021 10:32
Static task
static1
Behavioral task
behavioral1
Sample
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
Resource
win10-en-20211014
General
-
Target
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
-
Size
195KB
-
MD5
bf4933f379b743cfbdcdfe78b7071749
-
SHA1
2ddaf5e2ee25ec75c2a4d0bd83097aa93d1de941
-
SHA256
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d
-
SHA512
9fe5d25f97e600aa8f67302b6fa07e4246d9fb9bf1b0d24d1f5ce7038b0390089468956ffea5477fa18ca7009b5d9af37a710236eed0b051400a379ffb39586a
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Drops file in Program Files directory (64 IoCs)
Processes:
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exedescription ioc process File opened for modification C:\Program Files\RedoOpen.tiff 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\TestUnpublish.emf 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\UpdateUnblock.wax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\directshowtap.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\Microsoft Games\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\MSBuild\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\SwitchCompare.iso 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\UseUpdate.M2T 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\fieldswitch.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\Microsoft Office\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Google\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Reference Assemblies\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\offset.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DisableGrant.xltm 
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\MoveCheckpoint.xla 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\OpenGrant.DVR-MS 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\PingUpdate.m4v 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\PopSelect.xml 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\descript.ion 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\Google\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\CompareWatch.vssx 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\ResolveSearch.aifc 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\DVD Maker\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Common Files\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\CompressDisconnect.m1v 
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\PopBackup.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\VideoLAN\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\FormatClear.bmp 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\7z.sfx 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\DVD Maker\sonicsptransform.ax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\MSBuild\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\AssertConnect.TTS 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\CheckpointBackup.odt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\ReadRepair.mht 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for 
modification C:\Program Files\Mozilla Firefox\removed-files 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\ApproveWait.mp4v 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\Uninstall Information\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Internet Explorer\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\RepairExport.jpg 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\History.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\License.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Microsoft Sync Framework\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\ConvertBackup.ods 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\RepairShow.wax 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files\Internet Explorer\readme.txt 
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\OpenWait.odt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe -
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe — pid process: 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe -
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
vssvc.exeWMIC.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1148 vssvc.exe Token: SeRestorePrivilege 1148 vssvc.exe Token: SeAuditPrivilege 1148 vssvc.exe Token: SeIncreaseQuotaPrivilege 1824 WMIC.exe Token: SeSecurityPrivilege 1824 WMIC.exe Token: SeTakeOwnershipPrivilege 1824 WMIC.exe Token: SeLoadDriverPrivilege 1824 WMIC.exe Token: SeSystemProfilePrivilege 1824 WMIC.exe Token: SeSystemtimePrivilege 1824 WMIC.exe Token: SeProfSingleProcessPrivilege 1824 WMIC.exe Token: SeIncBasePriorityPrivilege 1824 WMIC.exe Token: SeCreatePagefilePrivilege 1824 WMIC.exe Token: SeBackupPrivilege 1824 WMIC.exe Token: SeRestorePrivilege 1824 WMIC.exe Token: SeShutdownPrivilege 1824 WMIC.exe Token: SeDebugPrivilege 1824 WMIC.exe Token: SeSystemEnvironmentPrivilege 1824 WMIC.exe Token: SeRemoteShutdownPrivilege 1824 WMIC.exe Token: SeUndockPrivilege 1824 WMIC.exe Token: SeManageVolumePrivilege 1824 WMIC.exe Token: 33 1824 WMIC.exe Token: 34 1824 WMIC.exe Token: 35 1824 WMIC.exe Token: SeIncreaseQuotaPrivilege 1824 WMIC.exe Token: SeSecurityPrivilege 1824 WMIC.exe Token: SeTakeOwnershipPrivilege 1824 WMIC.exe Token: SeLoadDriverPrivilege 1824 WMIC.exe Token: SeSystemProfilePrivilege 1824 WMIC.exe Token: SeSystemtimePrivilege 1824 WMIC.exe Token: SeProfSingleProcessPrivilege 1824 WMIC.exe Token: SeIncBasePriorityPrivilege 1824 WMIC.exe Token: SeCreatePagefilePrivilege 1824 WMIC.exe Token: SeBackupPrivilege 1824 WMIC.exe Token: SeRestorePrivilege 1824 WMIC.exe Token: SeShutdownPrivilege 1824 WMIC.exe Token: SeDebugPrivilege 1824 WMIC.exe Token: SeSystemEnvironmentPrivilege 1824 WMIC.exe Token: SeRemoteShutdownPrivilege 1824 WMIC.exe Token: SeUndockPrivilege 1824 WMIC.exe Token: SeManageVolumePrivilege 1824 WMIC.exe Token: 33 1824 WMIC.exe Token: 34 1824 WMIC.exe Token: 35 1824 WMIC.exe Token: SeIncreaseQuotaPrivilege 1064 WMIC.exe Token: SeSecurityPrivilege 1064 WMIC.exe Token: SeTakeOwnershipPrivilege 1064 WMIC.exe Token: SeLoadDriverPrivilege 1064 WMIC.exe Token: 
SeSystemProfilePrivilege 1064 WMIC.exe Token: SeSystemtimePrivilege 1064 WMIC.exe Token: SeProfSingleProcessPrivilege 1064 WMIC.exe Token: SeIncBasePriorityPrivilege 1064 WMIC.exe Token: SeCreatePagefilePrivilege 1064 WMIC.exe Token: SeBackupPrivilege 1064 WMIC.exe Token: SeRestorePrivilege 1064 WMIC.exe Token: SeShutdownPrivilege 1064 WMIC.exe Token: SeDebugPrivilege 1064 WMIC.exe Token: SeSystemEnvironmentPrivilege 1064 WMIC.exe Token: SeRemoteShutdownPrivilege 1064 WMIC.exe Token: SeUndockPrivilege 1064 WMIC.exe Token: SeManageVolumePrivilege 1064 WMIC.exe Token: 33 1064 WMIC.exe Token: 34 1064 WMIC.exe Token: 35 1064 WMIC.exe Token: SeIncreaseQuotaPrivilege 1064 WMIC.exe -
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1088 wrote to memory of 816 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 816 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 816 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 816 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 816 wrote to memory of 1824 816 cmd.exe WMIC.exe PID 816 wrote to memory of 1824 816 cmd.exe WMIC.exe PID 816 wrote to memory of 1824 816 cmd.exe WMIC.exe PID 1088 wrote to memory of 1156 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1156 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1156 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1156 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1156 wrote to memory of 1064 1156 cmd.exe WMIC.exe PID 1156 wrote to memory of 1064 1156 cmd.exe WMIC.exe PID 1156 wrote to memory of 1064 1156 cmd.exe WMIC.exe PID 1088 wrote to memory of 1440 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1440 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1440 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1440 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1440 wrote to memory of 1800 1440 cmd.exe WMIC.exe PID 1440 wrote to memory of 1800 1440 cmd.exe WMIC.exe PID 1440 wrote to 
memory of 1800 1440 cmd.exe WMIC.exe PID 1088 wrote to memory of 1760 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1760 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1760 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1760 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1760 wrote to memory of 1940 1760 cmd.exe WMIC.exe PID 1760 wrote to memory of 1940 1760 cmd.exe WMIC.exe PID 1760 wrote to memory of 1940 1760 cmd.exe WMIC.exe PID 1088 wrote to memory of 600 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 600 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 600 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 600 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 600 wrote to memory of 1668 600 cmd.exe WMIC.exe PID 600 wrote to memory of 1668 600 cmd.exe WMIC.exe PID 600 wrote to memory of 1668 600 cmd.exe WMIC.exe PID 1088 wrote to memory of 1204 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1204 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1204 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1204 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1204 wrote to memory of 692 1204 cmd.exe WMIC.exe PID 1204 wrote to memory of 692 1204 cmd.exe WMIC.exe PID 1204 wrote to memory of 692 1204 cmd.exe WMIC.exe PID 1088 wrote to memory of 1512 1088 
9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1512 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1512 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1512 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1512 wrote to memory of 1684 1512 cmd.exe WMIC.exe PID 1512 wrote to memory of 1684 1512 cmd.exe WMIC.exe PID 1512 wrote to memory of 1684 1512 cmd.exe WMIC.exe PID 1088 wrote to memory of 2016 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 2016 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 2016 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 2016 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 2016 wrote to memory of 432 2016 cmd.exe WMIC.exe PID 2016 wrote to memory of 432 2016 cmd.exe WMIC.exe PID 2016 wrote to memory of 432 2016 cmd.exe WMIC.exe PID 1088 wrote to memory of 1516 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1516 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1516 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1088 wrote to memory of 1516 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe PID 1516 wrote to memory of 1480 1516 cmd.exe WMIC.exe PID 1516 wrote to memory of 1480 1516 cmd.exe WMIC.exe PID 1516 wrote to memory of 1480 1516 cmd.exe WMIC.exe PID 1088 wrote to memory of 1520 1088 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe — "C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe" (depth 1)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete (depth 3)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete (depth 3)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete (depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete (depth 2)
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete (depth 2)
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete (depth 3)
-
C:\Windows\system32\cmd.exe — cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete (depth 2)
-
C:\Windows\System32\wbem\WMIC.exe — C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete (depth 3)
-
C:\Windows\system32\vssvc.exe — C:\Windows\system32\vssvc.exe (depth 1)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
memory/432-69-0x0000000000000000-mapping.dmp
-
memory/600-62-0x0000000000000000-mapping.dmp
-
memory/676-75-0x0000000000000000-mapping.dmp
-
memory/692-65-0x0000000000000000-mapping.dmp
-
memory/816-54-0x0000000000000000-mapping.dmp
-
memory/1004-73-0x0000000000000000-mapping.dmp
-
memory/1064-57-0x0000000000000000-mapping.dmp
-
memory/1088-53-0x00000000751A1000-0x00000000751A3000-memory.dmp (Filesize: 8KB)
-
memory/1156-56-0x0000000000000000-mapping.dmp
-
memory/1204-64-0x0000000000000000-mapping.dmp
-
memory/1356-77-0x0000000000000000-mapping.dmp
-
memory/1440-58-0x0000000000000000-mapping.dmp
-
memory/1480-71-0x0000000000000000-mapping.dmp
-
memory/1512-66-0x0000000000000000-mapping.dmp
-
memory/1516-70-0x0000000000000000-mapping.dmp
-
memory/1520-72-0x0000000000000000-mapping.dmp
-
memory/1628-76-0x0000000000000000-mapping.dmp
-
memory/1668-63-0x0000000000000000-mapping.dmp
-
memory/1684-67-0x0000000000000000-mapping.dmp
-
memory/1760-60-0x0000000000000000-mapping.dmp
-
memory/1800-59-0x0000000000000000-mapping.dmp
-
memory/1824-55-0x0000000000000000-mapping.dmp
-
memory/1940-61-0x0000000000000000-mapping.dmp
-
memory/1996-74-0x0000000000000000-mapping.dmp
-
memory/2016-68-0x0000000000000000-mapping.dmp