Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
25-11-2021 11:31
Static task
static1
Behavioral task
behavioral1
Sample
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
Resource
win10-en-20211104
General
-
Target
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
-
Size
195KB
-
MD5
3a95880983f1e70cfcdb3845fa8f9e93
-
SHA1
b12b67fe123ac3d60057448c1b18b665ade41242
-
SHA256
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e
-
SHA512
ec5599551c5c598b1dc1709b2c65d69cf6e7e76ade8786071ee3831a1ae9d2390f6c320abb9dfebee9386b138b85d435096aa8d0ff6769945cd05cc50724cb45
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware family generally thought to be a successor to Ryuk.
-
Drops file in Program Files directory 64 IoCs
Processes:
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exedescription ioc process File opened for modification C:\Program Files\NewReset.odt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\RedoWrite.jpe b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\ExitJoin.mpeg2 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\GrantSkip.asf b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\UnlockStep.zip b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\bod_r.TTF b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\MergePublish.hta b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\ResumeDeny.doc b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\License.txt 
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\offset.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Uninstall Information\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\CompleteUnregister.cr2 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\PublishSave.css b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\History.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\InitializeInstall.aiff b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\RestartWait.WTV b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\VideoLAN\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Reference Assemblies\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\sonicsptransform.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\Internet Explorer\ie9props.propdesc b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list 
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft Office\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\Microsoft Games\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\StepWrite.png b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\directshowtap.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft Analysis Services\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\InvokeStep.m1v b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\RequestMount.wma b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\Internet Explorer\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\Mozilla Firefox\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Common Files\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program 
Files\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\7z.sfx b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\SecretST.TTF b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\descript.ion b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsink.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\Uninstall Information\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft Sync Framework\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\LockEnable.m4v b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\WaitGet.mpp b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\SwitchLock.reg b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\7-Zip\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\MSBuild\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\Reference Assemblies\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\BlockCopy.jtx b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program 
Files\InitializeComplete.midi b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\ProtectUninstall.vstx b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\DVD Maker\fieldswitch.ax b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\TestConvertTo.M2T b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\TestRestore.htm b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File opened for modification C:\Program Files\UnpublishConvertTo.tif b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files (x86)\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe File created C:\Program Files\DVD Maker\readme.txt b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exepid process 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exeWMIC.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1544 vssvc.exe Token: SeRestorePrivilege 1544 vssvc.exe Token: SeAuditPrivilege 1544 vssvc.exe Token: SeIncreaseQuotaPrivilege 776 WMIC.exe Token: SeSecurityPrivilege 776 WMIC.exe Token: SeTakeOwnershipPrivilege 776 WMIC.exe Token: SeLoadDriverPrivilege 776 WMIC.exe Token: SeSystemProfilePrivilege 776 WMIC.exe Token: SeSystemtimePrivilege 776 WMIC.exe Token: SeProfSingleProcessPrivilege 776 WMIC.exe Token: SeIncBasePriorityPrivilege 776 WMIC.exe Token: SeCreatePagefilePrivilege 776 WMIC.exe Token: SeBackupPrivilege 776 WMIC.exe Token: SeRestorePrivilege 776 WMIC.exe Token: SeShutdownPrivilege 776 WMIC.exe Token: SeDebugPrivilege 776 WMIC.exe Token: SeSystemEnvironmentPrivilege 776 WMIC.exe Token: SeRemoteShutdownPrivilege 776 WMIC.exe Token: SeUndockPrivilege 776 WMIC.exe Token: SeManageVolumePrivilege 776 WMIC.exe Token: 33 776 WMIC.exe Token: 34 776 WMIC.exe Token: 35 776 WMIC.exe Token: SeIncreaseQuotaPrivilege 776 WMIC.exe Token: SeSecurityPrivilege 776 WMIC.exe Token: SeTakeOwnershipPrivilege 776 WMIC.exe Token: SeLoadDriverPrivilege 776 WMIC.exe Token: SeSystemProfilePrivilege 776 WMIC.exe Token: SeSystemtimePrivilege 776 WMIC.exe Token: SeProfSingleProcessPrivilege 776 WMIC.exe Token: SeIncBasePriorityPrivilege 776 WMIC.exe Token: SeCreatePagefilePrivilege 776 WMIC.exe Token: SeBackupPrivilege 776 WMIC.exe Token: SeRestorePrivilege 776 WMIC.exe Token: SeShutdownPrivilege 776 WMIC.exe Token: SeDebugPrivilege 776 WMIC.exe Token: SeSystemEnvironmentPrivilege 776 WMIC.exe Token: SeRemoteShutdownPrivilege 776 WMIC.exe Token: SeUndockPrivilege 776 WMIC.exe Token: SeManageVolumePrivilege 776 WMIC.exe Token: 33 776 WMIC.exe Token: 34 776 WMIC.exe Token: 35 776 WMIC.exe Token: SeIncreaseQuotaPrivilege 1064 WMIC.exe Token: SeSecurityPrivilege 1064 WMIC.exe Token: SeTakeOwnershipPrivilege 1064 WMIC.exe Token: SeLoadDriverPrivilege 1064 WMIC.exe Token: SeSystemProfilePrivilege 1064 WMIC.exe Token: 
SeSystemtimePrivilege 1064 WMIC.exe Token: SeProfSingleProcessPrivilege 1064 WMIC.exe Token: SeIncBasePriorityPrivilege 1064 WMIC.exe Token: SeCreatePagefilePrivilege 1064 WMIC.exe Token: SeBackupPrivilege 1064 WMIC.exe Token: SeRestorePrivilege 1064 WMIC.exe Token: SeShutdownPrivilege 1064 WMIC.exe Token: SeDebugPrivilege 1064 WMIC.exe Token: SeSystemEnvironmentPrivilege 1064 WMIC.exe Token: SeRemoteShutdownPrivilege 1064 WMIC.exe Token: SeUndockPrivilege 1064 WMIC.exe Token: SeManageVolumePrivilege 1064 WMIC.exe Token: 33 1064 WMIC.exe Token: 34 1064 WMIC.exe Token: 35 1064 WMIC.exe Token: SeIncreaseQuotaPrivilege 1064 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1860 wrote to memory of 1156 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1156 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1156 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1156 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1156 wrote to memory of 776 1156 cmd.exe WMIC.exe PID 1156 wrote to memory of 776 1156 cmd.exe WMIC.exe PID 1156 wrote to memory of 776 1156 cmd.exe WMIC.exe PID 1860 wrote to memory of 1452 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1452 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1452 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1452 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1452 wrote to memory of 1064 1452 cmd.exe WMIC.exe PID 1452 wrote to memory of 1064 1452 cmd.exe WMIC.exe PID 1452 wrote to memory of 1064 1452 cmd.exe WMIC.exe PID 1860 wrote to memory of 1240 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1240 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1240 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1240 1860 
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1240 wrote to memory of 1720 1240 cmd.exe WMIC.exe PID 1240 wrote to memory of 1720 1240 cmd.exe WMIC.exe PID 1240 wrote to memory of 1720 1240 cmd.exe WMIC.exe PID 1860 wrote to memory of 1980 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1980 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1980 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1980 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1980 wrote to memory of 1940 1980 cmd.exe WMIC.exe PID 1980 wrote to memory of 1940 1980 cmd.exe WMIC.exe PID 1980 wrote to memory of 1940 1980 cmd.exe WMIC.exe PID 1860 wrote to memory of 108 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 108 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 108 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 108 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 108 wrote to memory of 716 108 cmd.exe WMIC.exe PID 108 wrote to memory of 716 108 cmd.exe WMIC.exe PID 108 wrote to memory of 716 108 cmd.exe WMIC.exe PID 1860 wrote to memory of 936 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 936 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 936 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 936 1860 
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 936 wrote to memory of 2008 936 cmd.exe WMIC.exe PID 936 wrote to memory of 2008 936 cmd.exe WMIC.exe PID 936 wrote to memory of 2008 936 cmd.exe WMIC.exe PID 1860 wrote to memory of 1604 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1604 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1604 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1604 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1604 wrote to memory of 740 1604 cmd.exe WMIC.exe PID 1604 wrote to memory of 740 1604 cmd.exe WMIC.exe PID 1604 wrote to memory of 740 1604 cmd.exe WMIC.exe PID 1860 wrote to memory of 1056 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1056 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1056 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1056 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1056 wrote to memory of 1676 1056 cmd.exe WMIC.exe PID 1056 wrote to memory of 1676 1056 cmd.exe WMIC.exe PID 1056 wrote to memory of 1676 1056 cmd.exe WMIC.exe PID 1860 wrote to memory of 1064 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1064 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1064 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1860 wrote to memory of 1064 1860 
b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe PID 1064 wrote to memory of 1644 1064 cmd.exe WMIC.exe PID 1064 wrote to memory of 1644 1064 cmd.exe WMIC.exe PID 1064 wrote to memory of 1644 1064 cmd.exe WMIC.exe PID 1860 wrote to memory of 1720 1860 b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
memory/108-64-0x0000000000000000-mapping.dmp
-
memory/716-65-0x0000000000000000-mapping.dmp
-
memory/740-69-0x0000000000000000-mapping.dmp
-
memory/776-57-0x0000000000000000-mapping.dmp
-
memory/896-77-0x0000000000000000-mapping.dmp
-
memory/936-66-0x0000000000000000-mapping.dmp
-
memory/1056-70-0x0000000000000000-mapping.dmp
-
memory/1064-72-0x0000000000000000-mapping.dmp
-
memory/1064-59-0x0000000000000000-mapping.dmp
-
memory/1092-75-0x0000000000000000-mapping.dmp
-
memory/1156-56-0x0000000000000000-mapping.dmp
-
memory/1204-79-0x0000000000000000-mapping.dmp
-
memory/1240-60-0x0000000000000000-mapping.dmp
-
memory/1452-58-0x0000000000000000-mapping.dmp
-
memory/1604-68-0x0000000000000000-mapping.dmp
-
memory/1644-73-0x0000000000000000-mapping.dmp
-
memory/1676-71-0x0000000000000000-mapping.dmp
-
memory/1712-76-0x0000000000000000-mapping.dmp
-
memory/1720-61-0x0000000000000000-mapping.dmp
-
memory/1720-74-0x0000000000000000-mapping.dmp
-
memory/1728-78-0x0000000000000000-mapping.dmp
-
memory/1860-55-0x0000000075881000-0x0000000075883000-memory.dmpFilesize
8KB
-
memory/1940-63-0x0000000000000000-mapping.dmp
-
memory/1980-62-0x0000000000000000-mapping.dmp
-
memory/2008-67-0x0000000000000000-mapping.dmp