Analysis

- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 30-11-2021 10:07

Static task: static1

Behavioral task: behavioral1
- Sample: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
- Resource: win7-en-20211104

Behavioral task: behavioral2
- Sample: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
- Resource: win10-en-20211104
General

- Target: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
- Size: 194KB
- MD5: 5956ee31b3479f3e1b79456dc42ef8b8
- SHA1: 83fb1f0ecbde4ef2047b2c44626b432c4f2926af
- SHA256: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828
- SHA512: 6c7a11c3c72c0f32000b7f7752ae538053cf9e12fbd534f8752539bb1b294f6c386289166e6cdaa6d620234cf5965b96ab753d2443f2af9de50291dd57bb8c49
Malware Config

- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.click
Signatures

- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.

- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe (all entries below)
  - File renamed: C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.YHODQ
  - File renamed: C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.YHODQ
  - File renamed: C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.YHODQ
  - File renamed: C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.YHODQ
  - File renamed: C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.YHODQ
  - File renamed: C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.YHODQ
  - File opened for modification: C:\Users\Admin\Pictures\SplitSkip.tiff
  - File renamed: C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.YHODQ
  - File opened for modification: C:\Users\Admin\Pictures\MergeExpand.tiff
  - File renamed: C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.YHODQ
  - File renamed: C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.YHODQ
  - File renamed: C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.YHODQ

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (64 IoCs)
  Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE, pid 1640

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe, pid 792
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, WMIC.exe, WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe, cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42AB00D9-23AC-4D9F-BCD0-F560B4FBD4B0}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C90CD5D7-9B6C-471C-8C96-355998B14EF8}'" delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F9BD2A6-5BF7-4A73-A29E-C733297088AB}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B0CDB24-FE85-46C3-A922-261B4710F554}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA725A54-6608-4CC5-ADB5-8264BCE7D769}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C69100F5-3145-4E28-8E5C-905B7935BC10}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{96D0CAC1-C317-4BB6-AD1F-99B2256E98E5}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EA4E4BE-24E6-4635-B5FF-53620C5E736C}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFF06B0E-2058-4D70-B8BC-18A1A005070D}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE3200B8-7AB9-430D-B09F-BF068E5C27EF}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94294216-2812-4D17-858B-782E99F60969}'" delete
  - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete
    - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5803ED3F-C3C9-4EEB-988E-4C0536D60FE3}'" delete

- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Public\Desktop\readme.txt
  - MD5: ee2c02e4ca3672f8d7f799948421448d
  - SHA1: 17cd7c0ccb5cb975c0572dc2e0b9e6746807c4f6
  - SHA256: 3fe63e4fdf6dde43ec392bce920689b94b25b424e80fc26045cde879bae00346
  - SHA512: b1b4ff036b589c1dea9604f6e1be1442f43fc13da78359d562271be6d1bf394c581231b9598c33bf51e12b5fdaefd7e5bfa20e992df367e4c5166e483023e6a4