Analysis
max time kernel: 110s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211104
submitted: 25-11-2021 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Resource: win10-en-20211104
General
Target: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
Size: 194KB
MD5: 43d007e18d3a1530c7f2366184bee5df
SHA1: 652f652a69ab3d5ae0286ec6b8fab4e449a34e71
SHA256: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea
SHA512: 90ea2fccfadee1f71b0afa7f1e29a23e283490bf1056f6d0c950c2808045cff1d17488d8fee0ad4d9cde428296da08663b3da19feaba8e9ad7840c83e5c8294a
Malware Config
Extracted
Path: C:\readme.txt
Family: conti
URLs:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File renamed: C:\Users\Admin\Pictures\ConvertMeasure.png => C:\Users\Admin\Pictures\ConvertMeasure.png.QPDUV (process: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe)
  File renamed: C:\Users\Admin\Pictures\NewMerge.png => C:\Users\Admin\Pictures\NewMerge.png.QPDUV (process: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe)
- Drops startup file (1 IoC)
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (process: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid 1324, process NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  pid 2784, process 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  pid 2784, process 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  vssvc.exe (pid 4088):
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
  WMIC.exe (pid 932):
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe, cmd.exe
  PID 2784 wrote to memory of 1184: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe (pid 2784) -> cmd.exe
  PID 2784 wrote to memory of 1184: 49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe (pid 2784) -> cmd.exe
  PID 1184 wrote to memory of 932: cmd.exe (pid 1184) -> WMIC.exe
  PID 1184 wrote to memory of 932: cmd.exe (pid 1184) -> WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49dc5a243d322cd4d467e5f24b61ff749869564ddcf6a2f700839cf5ae9e37ea.bin.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Downloads
- C:\Users\Admin\Desktop\readme.txt
  MD5: 455dab7ac61e9ac9b18f6faee4075f52
  SHA1: 724ad308929dde423b67385325330cf823f0e114
  SHA256: bde6c3c0ccc399395b3db5a77b3615859207ad047d26c8efee26455ba30fa435
  SHA512: d77398a73d29b7b23c1346ccf4d7e1a237a309a17735cbdab9c151e365fb9f59337b88d818a67c68e8330126fcbcb576cfa67d820812a353997f09455d253345
- memory/932-119-0x0000000000000000-mapping.dmp
- memory/1184-118-0x0000000000000000-mapping.dmp