conti | f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9

General

Target

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
Size

194KB
MD5

31c250609693ca7450a1d79840c51057
SHA1

eca2dea03f2c5eac7bbf54e1d212f0fc61d936f8
SHA256

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9
SHA512

eac254d9a4950666747fad7534c815bafcdc75b6862bb442c9a4d9b4c00aedc2e9317514b7e76f5453c4f0ca55327c88e8cec743a46ccac78fcbfa3e32700424

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 1XOTsYKOEFHqHwWPPYpfi6QfUEK4rHVxjLeOYfZwL4AYYuRtXTJdINrIQGMGRNVQ ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\InitializeTest.crw => C:\Users\Admin\Pictures\InitializeTest.crw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\ResolveSync.png => C:\Users\Admin\Pictures\ResolveSync.png.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File renamed	C:\Users\Admin\Pictures\UninstallPublish.crw => C:\Users\Admin\Pictures\UninstallPublish.crw.PYZWR	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Drops startup file 1 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_backarrow_default.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforsignature_18.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\de-DE\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\readme.txt	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1196 NOTEPAD.EXE

pid	process
1196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

pid	process
2704	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
2704	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	428	vssvc.exe
Token: SeRestorePrivilege	428	vssvc.exe
Token: SeAuditPrivilege	428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3992	WMIC.exe
Token: SeSecurityPrivilege	3992	WMIC.exe
Token: SeTakeOwnershipPrivilege	3992	WMIC.exe
Token: SeLoadDriverPrivilege	3992	WMIC.exe
Token: SeSystemProfilePrivilege	3992	WMIC.exe
Token: SeSystemtimePrivilege	3992	WMIC.exe
Token: SeProfSingleProcessPrivilege	3992	WMIC.exe
Token: SeIncBasePriorityPrivilege	3992	WMIC.exe
Token: SeCreatePagefilePrivilege	3992	WMIC.exe
Token: SeBackupPrivilege	3992	WMIC.exe
Token: SeRestorePrivilege	3992	WMIC.exe
Token: SeShutdownPrivilege	3992	WMIC.exe
Token: SeDebugPrivilege	3992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3992	WMIC.exe
Token: SeRemoteShutdownPrivilege	3992	WMIC.exe
Token: SeUndockPrivilege	3992	WMIC.exe
Token: SeManageVolumePrivilege	3992	WMIC.exe
Token: 33	3992	WMIC.exe
Token: 34	3992	WMIC.exe
Token: 35	3992	WMIC.exe
Token: 36	3992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3992	WMIC.exe
Token: SeSecurityPrivilege	3992	WMIC.exe
Token: SeTakeOwnershipPrivilege	3992	WMIC.exe
Token: SeLoadDriverPrivilege	3992	WMIC.exe
Token: SeSystemProfilePrivilege	3992	WMIC.exe
Token: SeSystemtimePrivilege	3992	WMIC.exe
Token: SeProfSingleProcessPrivilege	3992	WMIC.exe
Token: SeIncBasePriorityPrivilege	3992	WMIC.exe
Token: SeCreatePagefilePrivilege	3992	WMIC.exe
Token: SeBackupPrivilege	3992	WMIC.exe
Token: SeRestorePrivilege	3992	WMIC.exe
Token: SeShutdownPrivilege	3992	WMIC.exe
Token: SeDebugPrivilege	3992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3992	WMIC.exe
Token: SeRemoteShutdownPrivilege	3992	WMIC.exe
Token: SeUndockPrivilege	3992	WMIC.exe
Token: SeManageVolumePrivilege	3992	WMIC.exe
Token: 33	3992	WMIC.exe
Token: 34	3992	WMIC.exe
Token: 35	3992	WMIC.exe
Token: 36	3992	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.execmd.exe

description	pid	process	target process
PID 2704 wrote to memory of 2176	2704	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 2704 wrote to memory of 2176	2704	f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe	cmd.exe
PID 2176 wrote to memory of 3992	2176	cmd.exe	WMIC.exe
PID 2176 wrote to memory of 3992	2176	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe
"C:\Users\Admin\AppData\Local\Temp\f11724258acba02fa817e411878cd2506c09f4d00fcc47302f55dc7748d50fd9.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\readme.txt
MD5
99d61a6ea8c6d6df2b07c1885461260f

SHA1
0d655a6c42b758ed05f88c65a11d3d66d9a46314

SHA256
64ce05600e8afb96aedb3c792be8f059300952b347a178f07117aec55ccb28f9

SHA512
f3806833419b68c4b1c5762817096da322a6d1f7af264f2b968240d6ee69fc61c5c2e82443ce593ac2077eb8d4253581b0d0268b3df6572801b5e08bfb494150

Download Submit
memory/2176-115-0x0000000000000000-mapping.dmp

Download
memory/3992-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads