Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 24-11-2021 10:38
Static task
- static1
Behavioral task
- behavioral1
  - Sample: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  - Resource: win7-en-20211104
Behavioral task
- behavioral2
  - Sample: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  - Resource: win10-en-20211014
General
- Target: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
- Size: 194KB
- MD5: 31c250609693ca7450a1d79840c51057
- SHA1: eca2dea03f2c5eac7bbf54e1d212f0fc61d936f8
- SHA256: f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9
- SHA512: eac254d9a4950666747fad7534c815bafcdc75b6862bb442c9a4d9b4c00aedc2e9317514b7e76f5453c4f0ca55327c88e8cec743a46ccac78fcbfa3e32700424
Malware Config
Extracted
- C:\readme.txt
- conti
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.ws
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, IoC, process):
  - File renamed: C:\Users\Admin\Pictures\CompressRepair.raw => C:\Users\Admin\Pictures\CompressRepair.raw.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File opened for modification: C:\Users\Admin\Pictures\InvokeSelect.tiff (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\RestorePublish.png => C:\Users\Admin\Pictures\RestorePublish.png.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\UnlockEnter.tif => C:\Users\Admin\Pictures\UnlockEnter.tif.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\UnpublishEnter.png => C:\Users\Admin\Pictures\UnpublishEnter.png.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\BlockDisable.tif => C:\Users\Admin\Pictures\BlockDisable.tif.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
  - File renamed: C:\Users\Admin\Pictures\BlockUnpublish.raw => C:\Users\Admin\Pictures\BlockUnpublish.raw.PYZWR (f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
-
- Drops file in Program Files directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 844 f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe"
  signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
  - C:\Windows\system32\cmd.exe
    command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken