conti | f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9

General

Target

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
Size

194KB
MD5

31c250609693ca7450a1d79840c51057
SHA1

eca2dea03f2c5eac7bbf54e1d212f0fc61d936f8
SHA256

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9
SHA512

eac254d9a4950666747fad7534c815bafcdc75b6862bb442c9a4d9b4c00aedc2e9317514b7e76f5453c4f0ca55327c88e8cec743a46ccac78fcbfa3e32700424

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 1XOTsYKOEFHqHwWPPYpfi6QfUEK4rHVxjLeOYfZwL4AYYuRtXTJdINrIQGMGRNVQ ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportRequest.png => C:\Users\Admin\Pictures\ExportRequest.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MergeLimit.tif => C:\Users\Admin\Pictures\MergeLimit.tif.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RegisterUninstall.raw => C:\Users\Admin\Pictures\RegisterUninstall.raw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SubmitSearch.crw => C:\Users\Admin\Pictures\SubmitSearch.crw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BlockPing.png => C:\Users\Admin\Pictures\BlockPing.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

Drops startup file 1 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_unselected_18.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ja.properties	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\SY______.PFM	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Roses.htm	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496939244.profile.gz	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-loaders.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\THMBNAIL.PNG	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

pid	process
2728	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
2728	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3576	vssvc.exe
Token: SeRestorePrivilege	3576	vssvc.exe
Token: SeAuditPrivilege	3576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe
Token: SeSecurityPrivilege	2896	WMIC.exe
Token: SeTakeOwnershipPrivilege	2896	WMIC.exe
Token: SeLoadDriverPrivilege	2896	WMIC.exe
Token: SeSystemProfilePrivilege	2896	WMIC.exe
Token: SeSystemtimePrivilege	2896	WMIC.exe
Token: SeProfSingleProcessPrivilege	2896	WMIC.exe
Token: SeIncBasePriorityPrivilege	2896	WMIC.exe
Token: SeCreatePagefilePrivilege	2896	WMIC.exe
Token: SeBackupPrivilege	2896	WMIC.exe
Token: SeRestorePrivilege	2896	WMIC.exe
Token: SeShutdownPrivilege	2896	WMIC.exe
Token: SeDebugPrivilege	2896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2896	WMIC.exe
Token: SeRemoteShutdownPrivilege	2896	WMIC.exe
Token: SeUndockPrivilege	2896	WMIC.exe
Token: SeManageVolumePrivilege	2896	WMIC.exe
Token: 33	2896	WMIC.exe
Token: 34	2896	WMIC.exe
Token: 35	2896	WMIC.exe
Token: 36	2896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe
Token: SeSecurityPrivilege	2896	WMIC.exe
Token: SeTakeOwnershipPrivilege	2896	WMIC.exe
Token: SeLoadDriverPrivilege	2896	WMIC.exe
Token: SeSystemProfilePrivilege	2896	WMIC.exe
Token: SeSystemtimePrivilege	2896	WMIC.exe
Token: SeProfSingleProcessPrivilege	2896	WMIC.exe
Token: SeIncBasePriorityPrivilege	2896	WMIC.exe
Token: SeCreatePagefilePrivilege	2896	WMIC.exe
Token: SeBackupPrivilege	2896	WMIC.exe
Token: SeRestorePrivilege	2896	WMIC.exe
Token: SeShutdownPrivilege	2896	WMIC.exe
Token: SeDebugPrivilege	2896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2896	WMIC.exe
Token: SeRemoteShutdownPrivilege	2896	WMIC.exe
Token: SeUndockPrivilege	2896	WMIC.exe
Token: SeManageVolumePrivilege	2896	WMIC.exe
Token: 33	2896	WMIC.exe
Token: 34	2896	WMIC.exe
Token: 35	2896	WMIC.exe
Token: 36	2896	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.execmd.exe

description	pid	process	target process
PID 2728 wrote to memory of 3696	2728	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe	cmd.exe
PID 2728 wrote to memory of 3696	2728	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe	cmd.exe
PID 3696 wrote to memory of 2896	3696	cmd.exe	WMIC.exe
PID 3696 wrote to memory of 2896	3696	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-119-0x0000000000000000-mapping.dmp

Download
memory/3696-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads