Analysis
- max time kernel: 94s
- max time network: 57s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 01-11-2021 09:48
Static task: static1
Behavioral task: behavioral1
  Sample: MFC_Stub.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: MFC_Stub.exe
  Resource: win10-en-20210920
General
- Target: MFC_Stub.exe
- Size: 639KB
- MD5: 24095d5f0fb8533c72508fbecd40b516
- SHA1: 8203863af49219e132241d0ce4b4cee0d66c7fed
- SHA256: 41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8
- SHA512: 0e22c86923d439d54f917320b0f6f4602d3f6c0ac1aa3f702e48a55f24e3cbf198fce3c989d37e525e2eba9afe8a0eb60e3c15b2af662ee7fece7557a2f594b7
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.ws
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: MFC_Stub.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.BFVEY | MFC_Stub.exe
File opened for modification | C:\Users\Admin\Pictures\MergeExpand.tiff | MFC_Stub.exe
File opened for modification | C:\Users\Admin\Pictures\SplitSkip.tiff | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.BFVEY | MFC_Stub.exe
File renamed | C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.BFVEY | MFC_Stub.exe
-
Drops file in Program Files directory 64 IoCs
Processes: MFC_Stub.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar | MFC_Stub.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu | MFC_Stub.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR | MFC_Stub.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ga\readme.txt | MFC_Stub.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00334_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico | MFC_Stub.exe
File created | C:\Program Files\VideoLAN\VLC\lua\modules\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml | MFC_Stub.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png | MFC_Stub.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ta\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF | MFC_Stub.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00732_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png | MFC_Stub.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00916_.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties | MFC_Stub.exe
File created | C:\Program Files\Common Files\Microsoft Shared\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx | MFC_Stub.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar | MFC_Stub.exe
File created | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\readme.txt | MFC_Stub.exe
File created | C:\Program Files\VideoLAN\VLC\locale\km\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET | MFC_Stub.exe
File created | C:\Program Files\Java\jre7\bin\dtplugin\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar | MFC_Stub.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | MFC_Stub.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png | MFC_Stub.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\readme.txt | MFC_Stub.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107544.WMF | MFC_Stub.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar | MFC_Stub.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid | process
960 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: MFC_Stub.exe
pid | process
756 | MFC_Stub.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: vssvc.exe, WMIC.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 1660 | vssvc.exe
Token: SeRestorePrivilege | 1660 | vssvc.exe
Token: SeAuditPrivilege | 1660 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1816 | WMIC.exe
Token: SeSecurityPrivilege | 1816 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1816 | WMIC.exe
Token: SeLoadDriverPrivilege | 1816 | WMIC.exe
Token: SeSystemProfilePrivilege | 1816 | WMIC.exe
Token: SeSystemtimePrivilege | 1816 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1816 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1816 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1816 | WMIC.exe
Token: SeBackupPrivilege | 1816 | WMIC.exe
Token: SeRestorePrivilege | 1816 | WMIC.exe
Token: SeShutdownPrivilege | 1816 | WMIC.exe
Token: SeDebugPrivilege | 1816 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1816 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1816 | WMIC.exe
Token: SeUndockPrivilege | 1816 | WMIC.exe
Token: SeManageVolumePrivilege | 1816 | WMIC.exe
Token: 33 | 1816 | WMIC.exe
Token: 34 | 1816 | WMIC.exe
Token: 35 | 1816 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1816 | WMIC.exe
Token: SeSecurityPrivilege | 1816 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1816 | WMIC.exe
Token: SeLoadDriverPrivilege | 1816 | WMIC.exe
Token: SeSystemProfilePrivilege | 1816 | WMIC.exe
Token: SeSystemtimePrivilege | 1816 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1816 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1816 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1816 | WMIC.exe
Token: SeBackupPrivilege | 1816 | WMIC.exe
Token: SeRestorePrivilege | 1816 | WMIC.exe
Token: SeShutdownPrivilege | 1816 | WMIC.exe
Token: SeDebugPrivilege | 1816 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1816 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1816 | WMIC.exe
Token: SeUndockPrivilege | 1816 | WMIC.exe
Token: SeManageVolumePrivilege | 1816 | WMIC.exe
Token: 33 | 1816 | WMIC.exe
Token: 34 | 1816 | WMIC.exe
Token: 35 | 1816 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1416 | WMIC.exe
Token: SeSecurityPrivilege | 1416 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1416 | WMIC.exe
Token: SeLoadDriverPrivilege | 1416 | WMIC.exe
Token: SeSystemProfilePrivilege | 1416 | WMIC.exe
Token: SeSystemtimePrivilege | 1416 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1416 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1416 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1416 | WMIC.exe
Token: SeBackupPrivilege | 1416 | WMIC.exe
Token: SeRestorePrivilege | 1416 | WMIC.exe
Token: SeShutdownPrivilege | 1416 | WMIC.exe
Token: SeDebugPrivilege | 1416 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1416 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1416 | WMIC.exe
Token: SeUndockPrivilege | 1416 | WMIC.exe
Token: SeManageVolumePrivilege | 1416 | WMIC.exe
Token: 33 | 1416 | WMIC.exe
Token: 34 | 1416 | WMIC.exe
Token: 35 | 1416 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1416 | WMIC.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: MFC_Stub.exe
pid | process
756 | MFC_Stub.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: MFC_Stub.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 756 wrote to memory of 2020 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2020 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2020 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2020 | 756 | MFC_Stub.exe | cmd.exe
PID 2020 wrote to memory of 1816 | 2020 | cmd.exe | WMIC.exe
PID 2020 wrote to memory of 1816 | 2020 | cmd.exe | WMIC.exe
PID 2020 wrote to memory of 1816 | 2020 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1168 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1168 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1168 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1168 | 756 | MFC_Stub.exe | cmd.exe
PID 1168 wrote to memory of 1416 | 1168 | cmd.exe | WMIC.exe
PID 1168 wrote to memory of 1416 | 1168 | cmd.exe | WMIC.exe
PID 1168 wrote to memory of 1416 | 1168 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1524 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1524 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1524 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1524 | 756 | MFC_Stub.exe | cmd.exe
PID 1524 wrote to memory of 860 | 1524 | cmd.exe | WMIC.exe
PID 1524 wrote to memory of 860 | 1524 | cmd.exe | WMIC.exe
PID 1524 wrote to memory of 860 | 1524 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1736 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1736 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1736 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1736 | 756 | MFC_Stub.exe | cmd.exe
PID 1736 wrote to memory of 1980 | 1736 | cmd.exe | WMIC.exe
PID 1736 wrote to memory of 1980 | 1736 | cmd.exe | WMIC.exe
PID 1736 wrote to memory of 1980 | 1736 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 2024 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2024 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2024 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 2024 | 756 | MFC_Stub.exe | cmd.exe
PID 2024 wrote to memory of 548 | 2024 | cmd.exe | WMIC.exe
PID 2024 wrote to memory of 548 | 2024 | cmd.exe | WMIC.exe
PID 2024 wrote to memory of 548 | 2024 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 956 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 956 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 956 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 956 | 756 | MFC_Stub.exe | cmd.exe
PID 956 wrote to memory of 1196 | 956 | cmd.exe | WMIC.exe
PID 956 wrote to memory of 1196 | 956 | cmd.exe | WMIC.exe
PID 956 wrote to memory of 1196 | 956 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1568 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1568 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1568 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1568 | 756 | MFC_Stub.exe | cmd.exe
PID 1568 wrote to memory of 288 | 1568 | cmd.exe | WMIC.exe
PID 1568 wrote to memory of 288 | 1568 | cmd.exe | WMIC.exe
PID 1568 wrote to memory of 288 | 1568 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1800 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1800 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1800 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1800 | 756 | MFC_Stub.exe | cmd.exe
PID 1800 wrote to memory of 1452 | 1800 | cmd.exe | WMIC.exe
PID 1800 wrote to memory of 1452 | 1800 | cmd.exe | WMIC.exe
PID 1800 wrote to memory of 1452 | 1800 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1928 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1928 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1928 | 756 | MFC_Stub.exe | cmd.exe
PID 756 wrote to memory of 1928 | 756 | MFC_Stub.exe | cmd.exe
PID 1928 wrote to memory of 1004 | 1928 | cmd.exe | WMIC.exe
PID 1928 wrote to memory of 1004 | 1928 | cmd.exe | WMIC.exe
PID 1928 wrote to memory of 1004 | 1928 | cmd.exe | WMIC.exe
PID 756 wrote to memory of 1084 | 756 | MFC_Stub.exe | cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
    - [3] C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\Desktop\readme.txt
  MD5: b04d96037907659b3408a42999d962b6
  SHA1: 60c94ca67e26125d077eba8f9aa95a992bb5270f
  SHA256: a021523cfba50d5d80b983b663fafae79882d3321747a7df2eb7408f6520bd07
  SHA512: cec34e60291499f3be4bc39be91d353f024b900d3ac33b579e6cac7280fd91bcbfd0d7817a1b77668bd8b864c00c14f9922e8091d595fd3d0cae3472b0ee7be2
- memory/288-69-0x0000000000000000-mapping.dmp
- memory/548-65-0x0000000000000000-mapping.dmp
- memory/756-55-0x0000000000350000-0x0000000000384000-memory.dmp (Filesize: 208KB)
- memory/756-54-0x00000000767F1000-0x00000000767F3000-memory.dmp (Filesize: 8KB)
- memory/860-61-0x0000000000000000-mapping.dmp
- memory/864-76-0x0000000000000000-mapping.dmp
- memory/908-78-0x0000000000000000-mapping.dmp
- memory/956-66-0x0000000000000000-mapping.dmp
- memory/960-80-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp (Filesize: 8KB)
- memory/1004-73-0x0000000000000000-mapping.dmp
- memory/1084-74-0x0000000000000000-mapping.dmp
- memory/1168-58-0x0000000000000000-mapping.dmp
- memory/1196-67-0x0000000000000000-mapping.dmp
- memory/1224-79-0x0000000000000000-mapping.dmp
- memory/1416-59-0x0000000000000000-mapping.dmp
- memory/1452-71-0x0000000000000000-mapping.dmp
- memory/1524-60-0x0000000000000000-mapping.dmp
- memory/1568-68-0x0000000000000000-mapping.dmp
- memory/1736-62-0x0000000000000000-mapping.dmp
- memory/1744-75-0x0000000000000000-mapping.dmp
- memory/1748-77-0x0000000000000000-mapping.dmp
- memory/1800-70-0x0000000000000000-mapping.dmp
- memory/1816-57-0x0000000000000000-mapping.dmp
- memory/1928-72-0x0000000000000000-mapping.dmp
- memory/1980-63-0x0000000000000000-mapping.dmp
- memory/2020-56-0x0000000000000000-mapping.dmp
- memory/2024-64-0x0000000000000000-mapping.dmp