conti | b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f

General

Target

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
Size

984KB
MD5

d5830d258e4aa138b21a0841d85f4e2a
SHA1

d82f858eaac39c4ce5f20cf6db8414de7147b4e3
SHA256

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f
SHA512

9cb37cc4e8292a189c390f6b0df912a24870e762f79a23c94a005c62e7b518f637b0de697a306b3543cda294b5ce9e45324edca3fc6f8c8b496d659dcb4a6e19

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- gmJxnzHa5Dw2DvbKWC4mcXdBrCrgIzoW9s4hbbeYjYeFNCPs72WwCKPkoPC06zzH ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Users\Admin\Pictures\SplitSkip.tiff	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Users\Admin\Pictures\MergeExpand.tiff	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File renamed	C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.ZLAKO	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\readme.txt	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105234.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01631_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_LightSpirit.gif	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\readme.txt	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.INF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00943_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.DPV	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02125_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00882_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\readme.txt	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+12	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\readme.txt	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\readme.txt	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSSPC.ECF	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

pid process

1472 b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

pid	process
1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1228	WMIC.exe
Token: SeSecurityPrivilege	1228	WMIC.exe
Token: SeTakeOwnershipPrivilege	1228	WMIC.exe
Token: SeLoadDriverPrivilege	1228	WMIC.exe
Token: SeSystemProfilePrivilege	1228	WMIC.exe
Token: SeSystemtimePrivilege	1228	WMIC.exe
Token: SeProfSingleProcessPrivilege	1228	WMIC.exe
Token: SeIncBasePriorityPrivilege	1228	WMIC.exe
Token: SeCreatePagefilePrivilege	1228	WMIC.exe
Token: SeBackupPrivilege	1228	WMIC.exe
Token: SeRestorePrivilege	1228	WMIC.exe
Token: SeShutdownPrivilege	1228	WMIC.exe
Token: SeDebugPrivilege	1228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1228	WMIC.exe
Token: SeRemoteShutdownPrivilege	1228	WMIC.exe
Token: SeUndockPrivilege	1228	WMIC.exe
Token: SeManageVolumePrivilege	1228	WMIC.exe
Token: 33	1228	WMIC.exe
Token: 34	1228	WMIC.exe
Token: 35	1228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1228	WMIC.exe
Token: SeSecurityPrivilege	1228	WMIC.exe
Token: SeTakeOwnershipPrivilege	1228	WMIC.exe
Token: SeLoadDriverPrivilege	1228	WMIC.exe
Token: SeSystemProfilePrivilege	1228	WMIC.exe
Token: SeSystemtimePrivilege	1228	WMIC.exe
Token: SeProfSingleProcessPrivilege	1228	WMIC.exe
Token: SeIncBasePriorityPrivilege	1228	WMIC.exe
Token: SeCreatePagefilePrivilege	1228	WMIC.exe
Token: SeBackupPrivilege	1228	WMIC.exe
Token: SeRestorePrivilege	1228	WMIC.exe
Token: SeShutdownPrivilege	1228	WMIC.exe
Token: SeDebugPrivilege	1228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1228	WMIC.exe
Token: SeRemoteShutdownPrivilege	1228	WMIC.exe
Token: SeUndockPrivilege	1228	WMIC.exe
Token: SeManageVolumePrivilege	1228	WMIC.exe
Token: 33	1228	WMIC.exe
Token: 34	1228	WMIC.exe
Token: 35	1228	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1472 wrote to memory of 1660	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1660	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1660	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1660	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1660 wrote to memory of 1228	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 1228	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 1228	1660	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1540	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1540	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1540	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1540	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1540 wrote to memory of 1616	1540	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 1616	1540	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 1616	1540	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1640	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1640	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1640	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1640	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1640 wrote to memory of 1460	1640	cmd.exe	WMIC.exe
PID 1640 wrote to memory of 1460	1640	cmd.exe	WMIC.exe
PID 1640 wrote to memory of 1460	1640	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1752	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1752	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1752	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1752	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1752 wrote to memory of 1792	1752	cmd.exe	WMIC.exe
PID 1752 wrote to memory of 1792	1752	cmd.exe	WMIC.exe
PID 1752 wrote to memory of 1792	1752	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 928	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 928	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 928	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 928	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 928 wrote to memory of 564	928	cmd.exe	WMIC.exe
PID 928 wrote to memory of 564	928	cmd.exe	WMIC.exe
PID 928 wrote to memory of 564	928	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 940	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 940	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 940	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 940	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 940 wrote to memory of 1396	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1396	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1396	940	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1380	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1380	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1380	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1380	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1380 wrote to memory of 1884	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1884	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1884	1380	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1336	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1336	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1336	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1336	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1336 wrote to memory of 1680	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 1680	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 1680	1336	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1572	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1572	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1572	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1472 wrote to memory of 1572	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1540	1572	cmd.exe	WMIC.exe
PID 1472 wrote to memory of 1128	1472	b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
"C:\Users\Admin\AppData\Local\Temp\b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
3⤵
PID:1460

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
3⤵
PID:1792

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
3⤵
PID:564

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
3⤵
PID:1396

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
3⤵
PID:1884

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
3⤵
PID:1680

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
3⤵
PID:1540

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
2⤵
PID:1128

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
3⤵
PID:1544

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
2⤵
PID:1968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
3⤵
PID:2004

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
2⤵
PID:1816

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
3⤵
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-66-0x0000000000000000-mapping.dmp

Download
memory/928-65-0x0000000000000000-mapping.dmp

Download
memory/940-67-0x0000000000000000-mapping.dmp

Download
memory/1128-75-0x0000000000000000-mapping.dmp

Download
memory/1228-58-0x0000000000000000-mapping.dmp

Download
memory/1336-71-0x0000000000000000-mapping.dmp

Download
memory/1380-69-0x0000000000000000-mapping.dmp

Download
memory/1396-68-0x0000000000000000-mapping.dmp

Download
memory/1460-62-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1472-56-0x00000000023E0000-0x0000000002414000-memory.dmp

Filesize
208KB

Download
memory/1540-74-0x0000000000000000-mapping.dmp

Download
memory/1540-59-0x0000000000000000-mapping.dmp

Download
memory/1544-76-0x0000000000000000-mapping.dmp

Download
memory/1572-73-0x0000000000000000-mapping.dmp

Download
memory/1616-60-0x0000000000000000-mapping.dmp

Download
memory/1640-61-0x0000000000000000-mapping.dmp

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download
memory/1680-72-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1764-80-0x0000000000000000-mapping.dmp

Download
memory/1792-64-0x0000000000000000-mapping.dmp

Download
memory/1816-79-0x0000000000000000-mapping.dmp

Download
memory/1884-70-0x0000000000000000-mapping.dmp

Download
memory/1968-77-0x0000000000000000-mapping.dmp

Download
memory/2004-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads