conti | f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9

General

Target

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
Size

194KB
MD5

31c250609693ca7450a1d79840c51057
SHA1

eca2dea03f2c5eac7bbf54e1d212f0fc61d936f8
SHA256

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9
SHA512

eac254d9a4950666747fad7534c815bafcdc75b6862bb442c9a4d9b4c00aedc2e9317514b7e76f5453c4f0ca55327c88e8cec743a46ccac78fcbfa3e32700424

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 1XOTsYKOEFHqHwWPPYpfi6QfUEK4rHVxjLeOYfZwL4AYYuRtXTJdINrIQGMGRNVQ ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressRepair.raw => C:\Users\Admin\Pictures\CompressRepair.raw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeSelect.tiff	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\RestorePublish.png => C:\Users\Admin\Pictures\RestorePublish.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\UnlockEnter.tif => C:\Users\Admin\Pictures\UnlockEnter.tif.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\UnpublishEnter.png => C:\Users\Admin\Pictures\UnpublishEnter.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\BlockDisable.tif => C:\Users\Admin\Pictures\BlockDisable.tif.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\BlockUnpublish.raw => C:\Users\Admin\Pictures\BlockUnpublish.raw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.HLP	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01080_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15274_.GIF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\MSBuild\Microsoft\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00248_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nome	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX.ECF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\MENUS.JS	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESP98.POC	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME48.CSS	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105378.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MYSL.ICO	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

pid process

844 f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

pid	process
844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2044	vssvc.exe
Token: SeRestorePrivilege	2044	vssvc.exe
Token: SeAuditPrivilege	2044	vssvc.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 964	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 964	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 964	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 964	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 964 wrote to memory of 540	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 540	964	cmd.exe	WMIC.exe
PID 964 wrote to memory of 540	964	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1404	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1404	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1404	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1404	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1404 wrote to memory of 2028	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 2028	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 2028	1404	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1912	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1912	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1912	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1912	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1912 wrote to memory of 1720	1912	cmd.exe	WMIC.exe
PID 1912 wrote to memory of 1720	1912	cmd.exe	WMIC.exe
PID 1912 wrote to memory of 1720	1912	cmd.exe	WMIC.exe
PID 844 wrote to memory of 596	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 596	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 596	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 596	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 596 wrote to memory of 1468	596	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1468	596	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1468	596	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1152	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1152	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1152	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1152	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1152 wrote to memory of 1756	1152	cmd.exe	WMIC.exe
PID 1152 wrote to memory of 1756	1152	cmd.exe	WMIC.exe
PID 1152 wrote to memory of 1756	1152	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1444	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1444	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1444	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1444	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1444 wrote to memory of 1700	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 1700	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 1700	1444	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1052	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1052	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1052	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1052	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1052 wrote to memory of 1864	1052	cmd.exe	WMIC.exe
PID 1052 wrote to memory of 1864	1052	cmd.exe	WMIC.exe
PID 1052 wrote to memory of 1864	1052	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1276	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1276	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1276	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1276	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1276 wrote to memory of 992	1276	cmd.exe	WMIC.exe
PID 1276 wrote to memory of 992	1276	cmd.exe	WMIC.exe
PID 1276 wrote to memory of 992	1276	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1336	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1336	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1336	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 844 wrote to memory of 1336	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 1336 wrote to memory of 1824	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 1824	1336	cmd.exe	WMIC.exe
PID 1336 wrote to memory of 1824	1336	cmd.exe	WMIC.exe
PID 844 wrote to memory of 1968	844	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
"C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
3⤵
PID:1720

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
3⤵
PID:1468

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
3⤵
PID:1756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
3⤵
PID:1700

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
3⤵
PID:1864

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
3⤵
PID:992

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
2⤵
PID:1968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
3⤵
PID:672

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
2⤵
PID:1688

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
3⤵
PID:1340

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
2⤵
PID:1476

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
3⤵
PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-57-0x0000000000000000-mapping.dmp

Download
memory/596-62-0x0000000000000000-mapping.dmp

Download
memory/672-75-0x0000000000000000-mapping.dmp

Download
memory/844-55-0x00000000758F1000-0x00000000758F3000-memory.dmp

Filesize
8KB

Download
memory/964-56-0x0000000000000000-mapping.dmp

Download
memory/992-71-0x0000000000000000-mapping.dmp

Download
memory/1052-68-0x0000000000000000-mapping.dmp

Download
memory/1152-64-0x0000000000000000-mapping.dmp

Download
memory/1164-79-0x0000000000000000-mapping.dmp

Download
memory/1276-70-0x0000000000000000-mapping.dmp

Download
memory/1336-72-0x0000000000000000-mapping.dmp

Download
memory/1340-77-0x0000000000000000-mapping.dmp

Download
memory/1404-58-0x0000000000000000-mapping.dmp

Download
memory/1444-66-0x0000000000000000-mapping.dmp

Download
memory/1468-63-0x0000000000000000-mapping.dmp

Download
memory/1476-78-0x0000000000000000-mapping.dmp

Download
memory/1688-76-0x0000000000000000-mapping.dmp

Download
memory/1700-67-0x0000000000000000-mapping.dmp

Download
memory/1720-61-0x0000000000000000-mapping.dmp

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download
memory/1824-73-0x0000000000000000-mapping.dmp

Download
memory/1864-69-0x0000000000000000-mapping.dmp

Download
memory/1912-60-0x0000000000000000-mapping.dmp

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads