conti | 34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b

General

Target

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
Size

194KB
MD5

4220529bbf818e00cdec2ebbf4b24565
SHA1

2c0d7929b304a3cf633e432dd9b580f2c3fb5a0b
SHA256

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b
SHA512

6fa9cb66438d99bfe41b45b690db65a455050bae4ce2386aa44d451891d5beeb24e7df28c67ea863aa944ed734aa668e40909868bbf28f261f8b289e2428ce73

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- JbibOgJOTWtg1lTio94wsqcsjX84Lb9jy2cSX8P2Fn8z2JhaQPnCExLyuQlMiDJM ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GrantUndo.tif => C:\Users\Admin\Pictures\GrantUndo.tif.MVDKV	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File renamed	C:\Users\Admin\Pictures\PublishConvertFrom.png => C:\Users\Admin\Pictures\PublishConvertFrom.png.MVDKV	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Users\Admin\Pictures\RedoUnpublish.tiff	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File renamed	C:\Users\Admin\Pictures\RedoUnpublish.tiff => C:\Users\Admin\Pictures\RedoUnpublish.tiff.MVDKV	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File renamed	C:\Users\Admin\Pictures\SendRevoke.png => C:\Users\Admin\Pictures\SendRevoke.png.MVDKV	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File renamed	C:\Users\Admin\Pictures\StartMerge.crw => C:\Users\Admin\Pictures\StartMerge.crw.MVDKV	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

Drops startup file 1 IoCs

Processes:

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\bg_get.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files (x86)\Google\Policies\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main.css	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@3x.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\sound.properties	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox28.tlb	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Mozilla Firefox\defaults\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\ui-strings.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\doh-rollout@mozilla.org.xpi	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.ELM	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\readme.txt	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

pid	process
1744	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
1744	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3776	vssvc.exe
Token: SeRestorePrivilege	3776	vssvc.exe
Token: SeAuditPrivilege	3776	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 3532	1744	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe	cmd.exe
PID 1744 wrote to memory of 3532	1744	34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe	cmd.exe
PID 3532 wrote to memory of 3788	3532	cmd.exe	WMIC.exe
PID 3532 wrote to memory of 3788	3532	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe
"C:\Users\Admin\AppData\Local\Temp\34366c9a9ac34dd9016abd406cffe713a3e8606e8600e6cb07e0242904f91a5b.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3532-115-0x0000000000000000-mapping.dmp

Download
memory/3788-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads