conti | 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b

General

Target

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
Size

194KB
MD5

38c68c11f6fff05be28c7f70f9e00255
SHA1

f49dd6576e63ff72cab929d7008acaeb8a74be8e
SHA256

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b
SHA512

6e141309ec23e740eeca34757db4eafa9373574ddfa222e1467c29bfc4cbfc42b7b7bba36294ad58e0adc7fdab0ad25818f2f01f8b4dcf5ff590821db31aacfd

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- JNlRq03C1g9yGm1yXd2i14woLYKTGeM9db2LnOB0IsaLl1A0FIZDONoyiWUUPRJT ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddDeny.tiff => C:\Users\Admin\Pictures\AddDeny.tiff.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\MoveAdd.raw => C:\Users\Admin\Pictures\MoveAdd.raw.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\UnprotectReset.tiff => C:\Users\Admin\Pictures\UnprotectReset.tiff.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\PingApprove.crw => C:\Users\Admin\Pictures\PingApprove.crw.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectReset.tiff	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Users\Admin\Pictures\AddDeny.tiff	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointResolve.tiff	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\CheckpointResolve.tiff => C:\Users\Admin\Pictures\CheckpointResolve.tiff.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\CompleteTrace.tiff => C:\Users\Admin\Pictures\CompleteTrace.tiff.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\WatchClose.raw => C:\Users\Admin\Pictures\WatchClose.raw.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteTrace.tiff	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\ConnectClose.png => C:\Users\Admin\Pictures\ConnectClose.png.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File renamed	C:\Users\Admin\Pictures\ResolveNew.tif => C:\Users\Admin\Pictures\ResolveNew.tif.LNVWO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196374.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00018_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN065.XML	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESTS.ICO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198021.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297757.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\readme.txt	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01296_.GIF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\WT61ES.LEX	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Groove Starter Template.xsn	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

pid process

1880 603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

pid	process
1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe
Token: 35	1096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1308	WMIC.exe
Token: SeSecurityPrivilege	1308	WMIC.exe
Token: SeTakeOwnershipPrivilege	1308	WMIC.exe
Token: SeLoadDriverPrivilege	1308	WMIC.exe
Token: SeSystemProfilePrivilege	1308	WMIC.exe
Token: SeSystemtimePrivilege	1308	WMIC.exe
Token: SeProfSingleProcessPrivilege	1308	WMIC.exe
Token: SeIncBasePriorityPrivilege	1308	WMIC.exe
Token: SeCreatePagefilePrivilege	1308	WMIC.exe
Token: SeBackupPrivilege	1308	WMIC.exe
Token: SeRestorePrivilege	1308	WMIC.exe
Token: SeShutdownPrivilege	1308	WMIC.exe
Token: SeDebugPrivilege	1308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1308	WMIC.exe
Token: SeRemoteShutdownPrivilege	1308	WMIC.exe
Token: SeUndockPrivilege	1308	WMIC.exe
Token: SeManageVolumePrivilege	1308	WMIC.exe
Token: 33	1308	WMIC.exe
Token: 34	1308	WMIC.exe
Token: 35	1308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1308	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1616 wrote to memory of 1096	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1096	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1096	1616	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1924	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1924	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1924	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1924	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1924 wrote to memory of 1308	1924	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1308	1924	cmd.exe	WMIC.exe
PID 1924 wrote to memory of 1308	1924	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1196	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1196	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1196	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1196	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1196 wrote to memory of 1908	1196	cmd.exe	WMIC.exe
PID 1196 wrote to memory of 1908	1196	cmd.exe	WMIC.exe
PID 1196 wrote to memory of 1908	1196	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1064	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1064	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1064	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1064	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1064 wrote to memory of 1732	1064	cmd.exe	WMIC.exe
PID 1064 wrote to memory of 1732	1064	cmd.exe	WMIC.exe
PID 1064 wrote to memory of 1732	1064	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1920	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1920	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1920	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1920	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1920 wrote to memory of 900	1920	cmd.exe	WMIC.exe
PID 1920 wrote to memory of 900	1920	cmd.exe	WMIC.exe
PID 1920 wrote to memory of 900	1920	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1056	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1056	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1056	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1056	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1056 wrote to memory of 1304	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1304	1056	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1304	1056	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 364	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 364	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 364	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 364	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 364 wrote to memory of 1488	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 1488	364	cmd.exe	WMIC.exe
PID 364 wrote to memory of 1488	364	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1616	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1616 wrote to memory of 1592	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1592	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 1592	1616	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1456	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1456	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1456	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1880 wrote to memory of 1456	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe
PID 1456 wrote to memory of 1736	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1736	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1736	1456	cmd.exe	WMIC.exe
PID 1880 wrote to memory of 1196	1880	603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe
"C:\Users\Admin\AppData\Local\Temp\603fbfe3d00baa8aa65288169af993b1a43cb6d02718204130922af513cc404b.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
3⤵
PID:1908

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
3⤵
PID:1732

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
3⤵
PID:900

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
3⤵
PID:1304

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
3⤵
PID:1488

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
3⤵
PID:1592

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
3⤵
PID:1736

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
2⤵
PID:1196

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
3⤵
PID:592

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
2⤵
PID:1928

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
3⤵
PID:940

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
2⤵
PID:1920

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
3⤵
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-67-0x0000000000000000-mapping.dmp

Download
memory/592-74-0x0000000000000000-mapping.dmp

Download
memory/900-64-0x0000000000000000-mapping.dmp

Download
memory/940-76-0x0000000000000000-mapping.dmp

Download
memory/1056-65-0x0000000000000000-mapping.dmp

Download
memory/1064-61-0x0000000000000000-mapping.dmp

Download
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1196-73-0x0000000000000000-mapping.dmp

Download
memory/1196-59-0x0000000000000000-mapping.dmp

Download
memory/1304-66-0x0000000000000000-mapping.dmp

Download
memory/1308-58-0x0000000000000000-mapping.dmp

Download
memory/1456-71-0x0000000000000000-mapping.dmp

Download
memory/1488-68-0x0000000000000000-mapping.dmp

Download
memory/1548-78-0x0000000000000000-mapping.dmp

Download
memory/1592-70-0x0000000000000000-mapping.dmp

Download
memory/1616-55-0x0000000000000000-mapping.dmp

Download
memory/1616-69-0x0000000000000000-mapping.dmp

Download
memory/1732-62-0x0000000000000000-mapping.dmp

Download
memory/1736-72-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1920-63-0x0000000000000000-mapping.dmp

Download
memory/1920-77-0x0000000000000000-mapping.dmp

Download
memory/1924-57-0x0000000000000000-mapping.dmp

Download
memory/1928-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads