conti | 41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8

General

Target

MFC_Stub.exe
Size

639KB
MD5

24095d5f0fb8533c72508fbecd40b516
SHA1

8203863af49219e132241d0ce4b4cee0d66c7fed
SHA256

41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8
SHA512

0e22c86923d439d54f917320b0f6f4602d3f6c0ac1aa3f702e48a55f24e3cbf198fce3c989d37e525e2eba9afe8a0eb60e3c15b2af662ee7fece7557a2f594b7

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- P9naBpvFModYOUO6KOdT1qyyFZuneeqjUZoYykxu8avGxV1rxugIPn13Yg1147un ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MFC_Stub.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.BFVEY	MFC_Stub.exe
File opened for modification	C:\Users\Admin\Pictures\MergeExpand.tiff	MFC_Stub.exe
File opened for modification	C:\Users\Admin\Pictures\SplitSkip.tiff	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.BFVEY	MFC_Stub.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.BFVEY	MFC_Stub.exe

Drops file in Program Files directory 64 IoCs

Processes:

MFC_Stub.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	MFC_Stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\readme.txt	MFC_Stub.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00334_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	MFC_Stub.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00074_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	MFC_Stub.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00732_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	MFC_Stub.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00916_.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties	MFC_Stub.exe
File created	C:\Program Files\Common Files\Microsoft Shared\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx	MFC_Stub.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\readme.txt	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET	MFC_Stub.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	MFC_Stub.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	MFC_Stub.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107544.WMF	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	MFC_Stub.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

960 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MFC_Stub.exe

pid process

756 MFC_Stub.exe

pid	process
960	NOTEPAD.EXE

pid	process
756	MFC_Stub.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe
Token: SeSecurityPrivilege	1416	WMIC.exe
Token: SeTakeOwnershipPrivilege	1416	WMIC.exe
Token: SeLoadDriverPrivilege	1416	WMIC.exe
Token: SeSystemProfilePrivilege	1416	WMIC.exe
Token: SeSystemtimePrivilege	1416	WMIC.exe
Token: SeProfSingleProcessPrivilege	1416	WMIC.exe
Token: SeIncBasePriorityPrivilege	1416	WMIC.exe
Token: SeCreatePagefilePrivilege	1416	WMIC.exe
Token: SeBackupPrivilege	1416	WMIC.exe
Token: SeRestorePrivilege	1416	WMIC.exe
Token: SeShutdownPrivilege	1416	WMIC.exe
Token: SeDebugPrivilege	1416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1416	WMIC.exe
Token: SeRemoteShutdownPrivilege	1416	WMIC.exe
Token: SeUndockPrivilege	1416	WMIC.exe
Token: SeManageVolumePrivilege	1416	WMIC.exe
Token: 33	1416	WMIC.exe
Token: 34	1416	WMIC.exe
Token: 35	1416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1416	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MFC_Stub.exe

pid process

756 MFC_Stub.exe

pid	process
756	MFC_Stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MFC_Stub.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 2020	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2020	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2020	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2020	756	MFC_Stub.exe	cmd.exe
PID 2020 wrote to memory of 1816	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 1816	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 1816	2020	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1168	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1168	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1168	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1168	756	MFC_Stub.exe	cmd.exe
PID 1168 wrote to memory of 1416	1168	cmd.exe	WMIC.exe
PID 1168 wrote to memory of 1416	1168	cmd.exe	WMIC.exe
PID 1168 wrote to memory of 1416	1168	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1524	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1524	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1524	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1524	756	MFC_Stub.exe	cmd.exe
PID 1524 wrote to memory of 860	1524	cmd.exe	WMIC.exe
PID 1524 wrote to memory of 860	1524	cmd.exe	WMIC.exe
PID 1524 wrote to memory of 860	1524	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1736	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1736	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1736	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1736	756	MFC_Stub.exe	cmd.exe
PID 1736 wrote to memory of 1980	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 1980	1736	cmd.exe	WMIC.exe
PID 1736 wrote to memory of 1980	1736	cmd.exe	WMIC.exe
PID 756 wrote to memory of 2024	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2024	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2024	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 2024	756	MFC_Stub.exe	cmd.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	WMIC.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	WMIC.exe
PID 2024 wrote to memory of 548	2024	cmd.exe	WMIC.exe
PID 756 wrote to memory of 956	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 956	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 956	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 956	756	MFC_Stub.exe	cmd.exe
PID 956 wrote to memory of 1196	956	cmd.exe	WMIC.exe
PID 956 wrote to memory of 1196	956	cmd.exe	WMIC.exe
PID 956 wrote to memory of 1196	956	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1568	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1568	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1568	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1568	756	MFC_Stub.exe	cmd.exe
PID 1568 wrote to memory of 288	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 288	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 288	1568	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1800	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1800	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1800	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1800	756	MFC_Stub.exe	cmd.exe
PID 1800 wrote to memory of 1452	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 1452	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 1452	1800	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1928	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1928	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1928	756	MFC_Stub.exe	cmd.exe
PID 756 wrote to memory of 1928	756	MFC_Stub.exe	cmd.exe
PID 1928 wrote to memory of 1004	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1004	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1004	1928	cmd.exe	WMIC.exe
PID 756 wrote to memory of 1084	756	MFC_Stub.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe
"C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
3⤵
PID:860

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
3⤵
PID:1980

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
3⤵
PID:548

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
3⤵
PID:1196

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
3⤵
PID:288

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
3⤵
PID:1452

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
3⤵
PID:1004

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
2⤵
PID:1084

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
3⤵
PID:1744

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
2⤵
PID:864

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
3⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
2⤵
PID:908

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
3⤵
PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme.txt
MD5
b04d96037907659b3408a42999d962b6

SHA1
60c94ca67e26125d077eba8f9aa95a992bb5270f

SHA256
a021523cfba50d5d80b983b663fafae79882d3321747a7df2eb7408f6520bd07

SHA512
cec34e60291499f3be4bc39be91d353f024b900d3ac33b579e6cac7280fd91bcbfd0d7817a1b77668bd8b864c00c14f9922e8091d595fd3d0cae3472b0ee7be2

Download Submit
memory/288-69-0x0000000000000000-mapping.dmp

Download
memory/548-65-0x0000000000000000-mapping.dmp

Download
memory/756-55-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/756-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/860-61-0x0000000000000000-mapping.dmp

Download
memory/864-76-0x0000000000000000-mapping.dmp

Download
memory/908-78-0x0000000000000000-mapping.dmp

Download
memory/956-66-0x0000000000000000-mapping.dmp

Download
memory/960-80-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1004-73-0x0000000000000000-mapping.dmp

Download
memory/1084-74-0x0000000000000000-mapping.dmp

Download
memory/1168-58-0x0000000000000000-mapping.dmp

Download
memory/1196-67-0x0000000000000000-mapping.dmp

Download
memory/1224-79-0x0000000000000000-mapping.dmp

Download
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1452-71-0x0000000000000000-mapping.dmp

Download
memory/1524-60-0x0000000000000000-mapping.dmp

Download
memory/1568-68-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1744-75-0x0000000000000000-mapping.dmp

Download
memory/1748-77-0x0000000000000000-mapping.dmp

Download
memory/1800-70-0x0000000000000000-mapping.dmp

Download
memory/1816-57-0x0000000000000000-mapping.dmp

Download
memory/1928-72-0x0000000000000000-mapping.dmp

Download
memory/1980-63-0x0000000000000000-mapping.dmp

Download
memory/2020-56-0x0000000000000000-mapping.dmp

Download
memory/2024-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads