Analysis
-
max time kernel
118s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-en-20211104
-
submitted
19-11-2021 20:47
Static task
static1
Behavioral task
behavioral1
Sample
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
Resource
win10-en-20211014
General
-
Target
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
-
Size
194KB
-
MD5
7d599fba9d8a06c70ddfdf8f55cf5c1c
-
SHA1
67a48ca5b621f23d133154cf5b0348f37bbc4963
-
SHA256
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70
-
SHA512
6c6f591a9badcd04ed488b292da247fac29d933f81f9a146a2221609a0f951a85f9179c1d7b4c9fdd2c551c697bdb7eb58d252f029e14332b6944af72dcc1781
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\MountGet.crw => C:\Users\Admin\Pictures\MountGet.crw.EEWSB | a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
File opened for modification | C:\Users\Admin\Pictures\PopReceive.tiff | a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
File renamed | C:\Users\Admin\Pictures\PopReceive.tiff => C:\Users\Admin\Pictures\PopReceive.tiff.EEWSB | a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.EEWSB | a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
pid | process
1592 | a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe
command line: "C:\Users\Admin\AppData\Local\Temp\a5aeae61d5045abdc28dd0e78bd1cef6e4bc2beb5360696959f532a616435f70.exe"
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
  -
  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
    -
    C:\Windows\System32\wbem\WMIC.exe
    command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
-
C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads