Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 25-11-2021 11:31
- Static task: static1
- Behavioral task: behavioral1
  Sample: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Resource: win7-en-20211014
- Behavioral task: behavioral2
  Sample: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Resource: win10-en-20211104
General
- Target: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
- Size: 194KB
- MD5: 43d007e18d3a1530c7f2366184bee5df
- SHA1: 652f652a69ab3d5ae0286ec6b8fab4e449a34e71
- SHA256: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea
- SHA512: 90ea2fccfadee1f71b0afa7f1e29a23e283490bf1056f6d0c950c2808045cff1d17488d8fee0ad4d9cde428296da08663b3da19feaba8e9ad7840c83e5c8294a
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\WaitRedo.tif => C:\Users\Admin\Pictures\WaitRedo.tif.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointUnpublish.tif => C:\Users\Admin\Pictures\CheckpointUnpublish.tif.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\InstallLock.crw => C:\Users\Admin\Pictures\InstallLock.crw.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\InvokeWrite.tif => C:\Users\Admin\Pictures\InvokeWrite.tif.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\SearchUndo.tiff | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed | C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.QPDUV | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes:
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
  pid | process
  1056 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  1616 | 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{688377E4-B9C8-46C8-9E9F-761D801E9C51}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{688377E4-B9C8-46C8-9E9F-761D801E9C51}'" delete
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B87D77AA-377B-4092-91E6-D8EF823EC505}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B87D77AA-377B-4092-91E6-D8EF823EC505}'" delete
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B69DCC8-B6BE-413E-8BD1-B32E7079E547}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6B69DCC8-B6BE-413E-8BD1-B32E7079E547}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C32C5FD-1830-45C0-8EFC-ADA3CDAB334C}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C32C5FD-1830-45C0-8EFC-ADA3CDAB334C}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E7DFD216-D9E4-4A0D-AAB3-BE68833AF6B0}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E7DFD216-D9E4-4A0D-AAB3-BE68833AF6B0}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02974537-B9D8-4D22-A25D-2642DECBD2E0}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02974537-B9D8-4D22-A25D-2642DECBD2E0}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1A0A39E-9C0E-45CD-AAE6-883919D3C98F}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1A0A39E-9C0E-45CD-AAE6-883919D3C98F}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C3F23FFE-B354-43EE-AF82-4C5563205565}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C3F23FFE-B354-43EE-AF82-4C5563205565}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{395FA19E-995F-4350-BDBF-D4310D77F343}'" delete
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{395FA19E-995F-4350-BDBF-D4310D77F343}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C509F8F-1E46-4E1C-923E-A115333C9064}'" delete
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C509F8F-1E46-4E1C-923E-A115333C9064}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CEA3952-D158-405E-827B-2C6C534FE7CB}'" delete
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CEA3952-D158-405E-827B-2C6C534FE7CB}'" delete
- [depth 2] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B366BDD6-0DF8-41AD-8E62-E73FD0D134D4}'" delete
- [depth 3] C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B366BDD6-0DF8-41AD-8E62-E73FD0D134D4}'" delete
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Downloads
- C:\Users\Public\Desktop\readme.txt
  MD5: 455dab7ac61e9ac9b18f6faee4075f52
  SHA1: 724ad308929dde423b67385325330cf823f0e114
  SHA256: bde6c3c0ccc399395b3db5a77b3615859207ad047d26c8efee26455ba30fa435
  SHA512: d77398a73d29b7b23c1346ccf4d7e1a237a309a17735cbdab9c151e365fb9f59337b88d818a67c68e8330126fcbcb576cfa67d820812a353997f09455d253345