Analysis

max time kernel: 121s
max time network: 135s
platform: windows10_x64
resource: win10-en-20210920
submitted: 30-10-2021 05:22

Static task: static1

Behavioral task: behavioral1
  Sample: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
  Resource: win10-en-20210920
General

Target: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
Size: 388KB
MD5: bb97b436d1228b690ae475a8bcfe2cc5
SHA1: 37ba5ec064414a74ecf86afba89fc57e627b0193
SHA256: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a
SHA512: 32aff9c8508c2475bc9cf831d8343c013e53833320c19844c9a3c60f0ec3e50cb34d846a187081768c2d8b8f28db165e8e252f5c136f1458b37e1337c9c8b2d6
Malware Config

Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.ws
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\EnableConfirm.tiff | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File opened for modification | C:\Users\Admin\Pictures\ExportExpand.tiff | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\ProtectLimit.raw => C:\Users\Admin\Pictures\ProtectLimit.raw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\UnprotectUpdate.raw => C:\Users\Admin\Pictures\UnprotectUpdate.raw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\ClearSuspend.raw => C:\Users\Admin\Pictures\ClearSuspend.raw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\InitializeLimit.raw => C:\Users\Admin\Pictures\InitializeLimit.raw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
File renamed | C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.NEWCD | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
Drops startup file (1 IoC)
Processes: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
pid | process
2792 | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
2792 | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe, cmd.exe
description | pid | process | target process
PID 2792 wrote to memory of 1216 | 2792 | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe | cmd.exe
PID 2792 wrote to memory of 1216 | 2792 | b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe | cmd.exe
PID 1216 wrote to memory of 2968 | 1216 | cmd.exe | WMIC.exe
PID 1216 wrote to memory of 2968 | 1216 | cmd.exe | WMIC.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2d3143d0778a10d5d03bb9e4d2712a980e2a8ec12d47958a8ab4b3192f4bf6a.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken