Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 16-11-2021 05:39
Static task: static1
Behavioral task: behavioral1
- Sample: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
- Resource: win10-en-20211014
General
- Target: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
- Size: 194KB
- MD5: a35a0ad3e3600c94e00f52dfb0d28103
- SHA1: 8c2af54642a32926dee8a2520d3d979d5f30ee27
- SHA256: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487
- SHA512: 4db5829a04fcfa7eed2b4159cd47336f2735826a950d4600e779cb9914964c5db54068498676e3820f2889a74c04660ae085d7e9d5efa773f70db9bef427bc3b
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.click
The configuration was parsed from the dropped ransom note; the two URLs are the negotiation portals it names. Treat them as indicators for blocking and hunting, not as links to open.
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (every entry below)
IoCs, in the order logged:
- File renamed: C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.XCDZI
- File renamed: C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.XCDZI
- File renamed: C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.XCDZI
- File renamed: C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.XCDZI
- File renamed: C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.XCDZI
- File renamed: C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.XCDZI
- File opened for modification: C:\Users\Admin\Pictures\GetApprove.tiff
- File opened for modification: C:\Users\Admin\Pictures\ProtectSelect.tiff
- File renamed: C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.XCDZI
- File renamed: C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.XCDZI
- File renamed: C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.XCDZI
- File opened for modification: C:\Users\Admin\Pictures\RevokeOut.tiff
- File renamed: C:\Users\Admin\Pictures\SendCheckpoint.raw => C:\Users\Admin\Pictures\SendCheckpoint.raw.XCDZI
- File renamed: C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.XCDZI
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
The report lists no file IoCs for this signature. For an encryptor it is usually a side effect of the file walk entering the browser profile directories under the user's AppData, so do not infer credential theft from this signature alone.
-
Drops file in Program Files directory (64 IoCs)
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (every entry below)
The "File created ...\readme.txt" entries are the ransom note being dropped into each directory the sample walks; the "File opened for modification" entries are files being encrypted in place. The listing is capped at 64 entries.
IoCs, in the order logged:
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\readme.txt
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar
- File created: C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\readme.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.VN.XML
- File created: C:\Program Files\VideoLAN\VLC\plugins\control\readme.txt
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR1B.GIF
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.INF
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\readme.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\bg.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\br.txt
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml
- File created: C:\Program Files\VideoLAN\VLC\locale\pa\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332268.WMF
- File created: C:\Program Files (x86)\Common Files\Adobe\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02116_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml
- File opened for modification: C:\Program Files\EditRevoke.docx
- File created: C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197979.WMF
- File created: C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\readme.txt
- File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Full\readme.txt
- File created: C:\Program Files\VideoLAN\VLC\locale\ps\readme.txt
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186364.WMF
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\readme.txt
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXT
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties
-
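The two file-system signatures above (renames that append one marker extension to many user files, and a readme.txt created in every directory walked) are the behaviours a file-event detection should key on. The script below is an added example written for this report; it is not the sandbox's code and not the sample's. Its event feed is constructed to mirror the report's IoCs plus a few benign renames, and the one-event-per-line "File renamed A => B" / "File created P" format is an assumption about the telemetry source.

```python
"""Flag ransomware-style file activity in a file-event feed.

Added example for this report; it is not the sandbox's code and not Conti's.
The event lines are constructed to mirror the report's 'Modifies extensions
of user files' and 'Drops file in Program Files directory' IoCs, plus a few
benign events; the one-event-per-line format is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample feed (modelled on the report, not copied from telemetry).
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.XCDZI
File renamed C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.XCDZI
File renamed C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.XCDZI
File renamed C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.XCDZI
File renamed C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.XCDZI
File renamed C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.XCDZI
File opened for modification C:\Users\Admin\Pictures\GetApprove.tiff
File renamed C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.XCDZI
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\readme.txt
File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\readme.txt
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\readme.txt
File created C:\Program Files (x86)\Common Files\Adobe\readme.txt
File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report.bak
File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak
"""

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")


def appended_extension(src, dst):
    """Return the suffix when dst is src with an extension appended
    (RevokeOut.tiff -> RevokeOut.tiff.XCDZI), else None. A replaced
    extension (report.docx -> report.bak) does not qualify."""
    if dst.startswith(src) and len(dst) > len(src):
        suffix = dst[len(src):]
        if suffix.startswith(".") and "\\" not in suffix:
            return suffix
    return None


def find_extension_bursts(events, threshold=5):
    """Group appended-extension renames by suffix and return
    {suffix: sorted source paths} for every suffix applied to at least
    `threshold` distinct files. Encryptors stamp one marker extension on
    every victim file, so a single new suffix recurring across many files
    in one feed is the signal; a lone .bak rename is not."""
    by_suffix = defaultdict(set)
    for line in events.splitlines():
        m = RENAME_RE.match(line.strip())
        if not m:
            continue
        suffix = appended_extension(m["src"], m["dst"])
        if suffix:
            by_suffix[suffix].add(m["src"])
    return {s: sorted(p) for s, p in by_suffix.items() if len(p) >= threshold}


def ransom_note_directories(events, note_name="readme.txt", threshold=3):
    """Return the sorted directories into which a file named `note_name`
    was created, if there are at least `threshold` of them (one note per
    walked directory is how the report's readme.txt drops look)."""
    dirs = set()
    for line in events.splitlines():
        m = CREATE_RE.match(line.strip())
        if not m:
            continue
        directory, _, name = m["path"].rpartition("\\")
        if name.lower() == note_name.lower():
            dirs.add(directory)
    return sorted(dirs) if len(dirs) >= threshold else []


if __name__ == "__main__":
    for suffix, paths in find_extension_bursts(SAMPLE_EVENTS).items():
        print(f"marker extension {suffix} applied to {len(paths)} files")
    for d in ransom_note_directories(SAMPLE_EVENTS):
        print(f"ransom note dropped in {d}")
```

Both checks are deliberately process-agnostic so they also work on feeds that do not carry a PID; where the feed does, group by process first, since a backup agent appending .bak to many files would otherwise trip the first check. The thresholds are tuning knobs, not facts from the report.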
Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (PID 1612)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: vssvc.exe (PID 1832), WMIC.exe (PID 1060), WMIC.exe (PID 1320)
Privileges enabled, in the order logged (the listing is capped at 64 entries):
- vssvc.exe, PID 1832: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe, PID 1060 (the whole sequence is logged twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- WMIC.exe, PID 1320: the same twenty-entry sequence, then SeIncreaseQuotaPrivilege again, where the 64-entry cap cuts the listing off
The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC.exe enables every privilege available in its token when it starts, so this signature is a side effect of the WMIC invocations in the process tree rather than the sample adjusting its own token; the vssvc.exe entries are the VSS service acquiring backup/restore rights to act on the deletion requests.
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe, cmd.exe (9 instances)
Several WriteProcessMemory calls from a parent into a just-created child are the ordinary CreateProcess footprint (the parent populates the child's startup data), so this signature records process spawning, not code injection. Source PID -> target PID, with the number of writes logged; the listing is capped at 64 entries:
- 1612 (1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe) -> 1012 (cmd.exe): 4
- 1012 (cmd.exe) -> 1060 (WMIC.exe): 3
- 1612 -> 1972 (cmd.exe): 4
- 1972 (cmd.exe) -> 1320 (WMIC.exe): 3
- 1612 -> 1044 (cmd.exe): 4
- 1044 (cmd.exe) -> 2028 (WMIC.exe): 3
- 1612 -> 928 (cmd.exe): 4
- 928 (cmd.exe) -> 2032 (WMIC.exe): 3
- 1612 -> 1968 (cmd.exe): 4
- 1968 (cmd.exe) -> 904 (WMIC.exe): 3
- 1612 -> 1284 (cmd.exe): 4
- 1284 (cmd.exe) -> 1940 (WMIC.exe): 3
- 1612 -> 1388 (cmd.exe): 4
- 1388 (cmd.exe) -> 1520 (WMIC.exe): 3
- 1612 -> 1632 (cmd.exe): 4
- 1632 (cmd.exe) -> 1516 (WMIC.exe): 3
- 1612 -> 1432 (cmd.exe): 4
- 1432 (cmd.exe) -> 1700 (WMIC.exe): 3
- 1612 -> 1240 (cmd.exe): 1 (listing cut off here)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (depth 1, PID 1612)
Command line: "C:\Users\Admin\AppData\Local\Temp\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe"
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
-
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
  -
    C:\Windows\System32\wbem\WMIC.exe (depth 3)
    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Reading the tree: the sample (PID 1612) spawns one cmd.exe per shadow copy, and each cmd.exe runs WMIC.exe to delete a single snapshot by ID. Twelve snapshots are removed this way, one chain each, rather than with a single "vssadmin delete shadows /all"; the IDs must have been enumerated beforehand, but that query is not visible in this tree. The vssvc.exe entry at depth 1 is the Volume Shadow Copy service being started to serve those deletion requests, which is why it, and not the sample, carries the SeBackupPrivilege/SeRestorePrivilege adjustments. A detection keyed on vssadmin alone misses this chain; match on "shadowcopy ... delete" in WMIC command lines, and on a non-interactive parent spawning a burst of cmd.exe -> WMIC.exe pairs.
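The process tree above is the pattern a process-creation detection should match: a shadow-copy deletion command line, attributed back through cmd.exe to the process that actually ordered it, repeated once per snapshot ID. The script below is an added example written for this report, not the sandbox's code and not the sample's. Its process records are constructed from the tree (the sample's PID 1612 and three of the cmd.exe/WMIC.exe pairs, with PIDs taken from the WriteProcessMemory section and command lines as logged); the record shape (pid, ppid, image, cmdline), the sample's own parent PID and the two benign records are assumptions. The pattern list goes beyond the single WMIC form the report shows and also covers the vssadmin, wbadmin and Win32_ShadowCopy equivalents.

```python
"""Detect shadow-copy deletion chains in process-creation telemetry.

Added example for this report; not the sandbox's code and not Conti's.
The process records are constructed from the report's process tree (the
sample's PID 1612, three of the cmd.exe/WMIC.exe pairs with their PIDs and
command lines as logged); the record shape (pid, ppid, image, cmdline),
the sample's own parent PID and the benign records are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe")
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"


def _chain(cmd_pid, wmic_pid, shadow_id):
    """One sample -> cmd.exe -> WMIC.exe chain as the report shows it."""
    wmic_cmdline = WMIC + " shadowcopy where \"ID='{" + shadow_id + "}'\" delete"
    return [ProcEvent(cmd_pid, 1612, CMD, "cmd.exe /c " + wmic_cmdline),
            ProcEvent(wmic_pid, cmd_pid, WMIC, wmic_cmdline)]


# Constructed telemetry: parent PID 1000 for the sample is assumed.
EVENTS = [ProcEvent(1612, 1000, SAMPLE_EXE, '"' + SAMPLE_EXE + '"')]
EVENTS += _chain(1012, 1060, "42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0")
EVENTS += _chain(1972, 1320, "C90CD5D7-9B6C-471C-8C96-355998B14EF8")
EVENTS += _chain(1044, 2028, "1F9BD2A6-5BF7-4A73-A29E-C733297088AB")
# Benign look-alikes (assumed): an admin listing shadow copies, and the VSS
# service itself starting, which the report also shows at depth 1.
EVENTS.append(ProcEvent(3000, 2500, WMIC, WMIC + " shadowcopy list brief"))
EVENTS.append(ProcEvent(1832, 4, r"C:\Windows\system32\vssvc.exe",
                        r"C:\Windows\system32\vssvc.exe"))

# Command-line shapes used to destroy or shrink VSS snapshots; the report
# shows only the first, the others are the common equivalents.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"vssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"vssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"wbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
]
SHADOW_ID_RE = re.compile(r"ID='\{([0-9A-Fa-f-]{36})\}'")
SHELLS = {"cmd.exe", "wmic.exe", "powershell.exe", "conhost.exe"}


def ancestry(events, pid):
    """Process records from `pid` up to the oldest parent present in the feed."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_shadow_deletions(events):
    """One finding per process whose command line matches, attributed to the
    first ancestor that is not a shell or LOLBin (the process that drove it)."""
    findings = []
    for e in events:
        if not any(p.search(e.cmdline) for p in SHADOW_DELETE_PATTERNS):
            continue
        parents = ancestry(events, e.pid)[1:]
        driver = next((a for a in parents
                       if a.image.rsplit("\\", 1)[-1].lower() not in SHELLS), None)
        findings.append({"pid": e.pid, "image": e.image,
                         "shadow_ids": SHADOW_ID_RE.findall(e.cmdline),
                         "driver": driver.image if driver else None})
    return findings


def per_id_deletions_by_driver(findings):
    """Distinct shadow IDs deleted one at a time, per driving process. The
    report's twelve separate chains from PID 1612 are this pattern."""
    ids = defaultdict(set)
    for f in findings:
        ids[f["driver"]].update(f["shadow_ids"])
    return {d: len(s) for d, s in ids.items()}


if __name__ == "__main__":
    hits = find_shadow_deletions(EVENTS)
    for h in hits:
        print(h["pid"], h["image"].rsplit("\\", 1)[-1], h["shadow_ids"], "<-", h["driver"])
    print(per_id_deletions_by_driver(hits))
```

Both the cmd.exe and the WMIC.exe record of each chain match, which is intended: whichever of the two your telemetry captures, the finding still lands on the same driver. The per-driver count is the escalation signal; an administrator deleting one stale snapshot produces a count of one, the sample produces one per snapshot on the volume.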
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/840-77-0x0000000000000000-mapping.dmp
- memory/904-65-0x0000000000000000-mapping.dmp
- memory/928-62-0x0000000000000000-mapping.dmp
- memory/1012-56-0x0000000000000000-mapping.dmp
- memory/1044-60-0x0000000000000000-mapping.dmp
- memory/1060-57-0x0000000000000000-mapping.dmp
- memory/1152-75-0x0000000000000000-mapping.dmp
- memory/1240-74-0x0000000000000000-mapping.dmp
- memory/1284-66-0x0000000000000000-mapping.dmp
- memory/1320-59-0x0000000000000000-mapping.dmp
- memory/1388-68-0x0000000000000000-mapping.dmp
- memory/1432-72-0x0000000000000000-mapping.dmp
- memory/1516-71-0x0000000000000000-mapping.dmp
- memory/1520-69-0x0000000000000000-mapping.dmp
- memory/1612-55-0x0000000075491000-0x0000000075493000-memory.dmp (Filesize: 8KB)
- memory/1632-70-0x0000000000000000-mapping.dmp
- memory/1680-79-0x0000000000000000-mapping.dmp
- memory/1700-73-0x0000000000000000-mapping.dmp
- memory/1820-78-0x0000000000000000-mapping.dmp
- memory/1824-76-0x0000000000000000-mapping.dmp
- memory/1940-67-0x0000000000000000-mapping.dmp
- memory/1968-64-0x0000000000000000-mapping.dmp
- memory/1972-58-0x0000000000000000-mapping.dmp
- memory/2028-61-0x0000000000000000-mapping.dmp
- memory/2032-63-0x0000000000000000-mapping.dmp