Analysis
max time kernel: 110s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211104
submitted: 30-11-2021 10:07
Static task: static1
Behavioral task: behavioral1
  Sample: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  Resource: win10-en-20211104
General
Target: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
Size: 194KB
MD5: 5956ee31b3479f3e1b79456dc42ef8b8
SHA1: 83fb1f0ecbde4ef2047b2c44626b432c4f2926af
SHA256: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828
SHA512: 6c7a11c3c72c0f32000b7f7752ae538053cf9e12fbd534f8752539bb1b294f6c386289166e6cdaa6d620234cf5965b96ab753d2443f2af9de50291dd57bb8c49
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension of the files it encrypts. Here every renamed file keeps its original name and gains the same appended suffix, .YHODQ; the suffix is specific to this build or victim, so the pattern (one identical suffix appended to many files) is the durable indicator, not the literal string.
Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  File opened for modification  C:\Users\Admin\Pictures\BlockReset.tiff
  File renamed                  C:\Users\Admin\Pictures\BlockReset.tiff => C:\Users\Admin\Pictures\BlockReset.tiff.YHODQ
  File renamed                  C:\Users\Admin\Pictures\MergeWatch.crw => C:\Users\Admin\Pictures\MergeWatch.crw.YHODQ
  File renamed                  C:\Users\Admin\Pictures\TraceHide.tif => C:\Users\Admin\Pictures\TraceHide.tif.YHODQ
Drops startup file (1 IoC)
Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
The file is the ransom note, which the sample drops into directories it visits (the Program Files list below shows the same readme.txt in many locations); the signature fires because one of those directories is Word's STARTUP folder. Word loads templates and add-ins from that folder, not .txt files, so this is not a persistence mechanism and should not be read as one.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. In a ransomware report this heuristic can also fire simply because the sample walks the user profile, browser data directories included, while selecting files to encrypt; nothing else in this report shows browser data being collected or sent anywhere.
Drops file in Program Files directory (64 IoCs)
Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  File created                  C:\Program Files\Java\jre1.8.0_66\lib\security\readme.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\readme.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\readme.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_closereview_18.svg
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\rename.svg
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  File created                  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\readme.txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt
  File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\readme.txt
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js
  File opened for modification  C:\Program Files\7-Zip\Lang\mng.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\readme.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\hy.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms
  File created                  C:\Program Files\VideoLAN\VLC\lua\sd\readme.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\readme.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png
  File opened for modification  C:\Program Files (x86)\Common Files\System\ado\msado27.tlb
  File created                  C:\Program Files\VideoLAN\VLC\locale\ast\readme.txt
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\mobile.html
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar
  File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\readme.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar
Two patterns run through this list: readme.txt (the ransom note) is created in each directory the sample visits, and existing files under Program Files are opened for write, consistent with encryption in place. Application data and licence files are hit, not only user documents, which is why affected programs often fail to start after an infection.
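The two file-activity signatures above (the .YHODQ renames in the user profile and the readme.txt drops across Program Files) reduce to a pattern an analyst can extract mechanically from sandbox or EDR file events: one identical suffix appended to many files, plus one file name created in many directories. The block below is an added example, not part of this report or of the Conti code; its event tuples are constructed from rows of this report, the final benign rename is made up to show what must not count, and the thresholds are assumptions.

```python
"""Added example: derive ransomware file-activity indicators from file
events of the kind listed in the sandbox report (not the report's own code)."""
import ntpath
from collections import Counter

# Constructed events: (operation, path) or (operation, old_path, new_path),
# modelled on rows of the report; the last one is a hypothetical benign rename.
SAMPLE_EVENTS = [
    ("File opened for modification", r"C:\Users\Admin\Pictures\BlockReset.tiff"),
    ("File renamed", r"C:\Users\Admin\Pictures\BlockReset.tiff",
                     r"C:\Users\Admin\Pictures\BlockReset.tiff.YHODQ"),
    ("File renamed", r"C:\Users\Admin\Pictures\MergeWatch.crw",
                     r"C:\Users\Admin\Pictures\MergeWatch.crw.YHODQ"),
    ("File renamed", r"C:\Users\Admin\Pictures\TraceHide.tif",
                     r"C:\Users\Admin\Pictures\TraceHide.tif.YHODQ"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt"),
    ("File created", r"C:\Program Files\Java\jre1.8.0_66\lib\security\readme.txt"),
    ("File created", r"C:\Program Files\VideoLAN\VLC\lua\sd\readme.txt"),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\mng.txt"),
    ("File renamed", r"C:\Users\Admin\Documents\draft.docx",
                     r"C:\Users\Admin\Documents\final.docx"),
]


def appended_suffix(old_path, new_path):
    """Suffix a rename appended to the original name (e.g. '.YHODQ'), or None
    when the rename changed the name in any other way."""
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        return new_path[len(old_path):]
    return None


def summarize(events, min_renames=3, min_note_dirs=2):
    """Report the dominant appended extension and the file name created in the
    most directories. Thresholds (assumed values) keep a single rename or a
    single new file from producing an indicator on their own."""
    suffixes = Counter()
    created = {}  # lower-cased file name -> set of directories it appeared in
    for event in events:
        if event[0] == "File renamed":
            suffix = appended_suffix(event[1], event[2])
            if suffix:
                suffixes[suffix] += 1
        elif event[0] == "File created":
            # ntpath handles Windows paths correctly on any host OS.
            directory, name = ntpath.split(event[1])
            created.setdefault(name.lower(), set()).add(directory.lower())

    result = {"extension": None, "renames": 0, "note": None, "note_dirs": 0}
    if suffixes:
        suffix, count = suffixes.most_common(1)[0]
        if count >= min_renames:
            result["extension"], result["renames"] = suffix, count
    if created:
        name, dirs = max(created.items(), key=lambda item: len(item[1]))
        if len(dirs) >= min_note_dirs:
            result["note"], result["note_dirs"] = name, len(dirs)
    # Both indicators together are the ransomware signature; either alone is weak.
    result["ransomware_like"] = bool(result["extension"] and result["note"])
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

On the report's rows this yields extension .YHODQ over 3 renames and readme.txt in 3 directories. Alert on the pattern rather than on the literal suffix: the suffix differs between builds and victims, while "many files gain one identical suffix and one note name appears everywhere" does not.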
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  PID 1740  35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  PID 1740  35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
vssvc.exe (PID 1292) enabled:
  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 664) enabled the following 21 privileges, in two identical passes (42 events):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. Neither process here is the sample: WMIC.exe enabling every privilege its token holds is standard behaviour of that tool at startup, not something the sample requested, and vssvc.exe is the Volume Shadow Copy service taking the backup/restore privileges it needs to serve any request. The signal is the shadowcopy delete command line that launched them (see the process tree below), not the token adjustments themselves.
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1740 (35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe) wrote to memory of PID 1572 (cmd.exe)
  PID 1740 (35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe) wrote to memory of PID 1572 (cmd.exe)
  PID 1572 (cmd.exe) wrote to memory of PID 664 (WMIC.exe)
  PID 1572 (cmd.exe) wrote to memory of PID 664 (WMIC.exe)
Each write targets the process's own direct child, matching the process tree below; this is the parent writing startup data into a process it has just created, not injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\wbem\WMIC.exe
          Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample spawns cmd.exe, which runs WMIC.exe to delete one shadow copy named by its ID. vssvc.exe has no parent in the tree because it is the Volume Shadow Copy service, started by the Service Control Manager to carry out that WMI request. Because the deletion goes through WMI and names a specific copy rather than calling vssadmin delete shadows /all, a detection keyed only on vssadmin misses it; rules should match the WMI form (shadowcopy ... delete) as well.
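The shadow-copy deletion in the tree above is the event most worth a detection rule, and the rule needs two parts: recognise the command line (the WMI form used here and the vssadmin form, which this report does not show but which is the other common variant) and walk the parent chain past cmd.exe to the process that actually started it. The block below is an added example, not part of this report or of the Conti code; its process records are constructed from the tree above, and the explorer.exe parent with PID 1000 is a hypothetical stand-in for whatever launched the sample, which the report does not show.

```python
"""Added example: flag shadow-copy deletion in process-creation telemetry
(Sysmon event 1 / 4688-style records) and attribute it to the originating
process. Not the sandbox's own detection logic."""
import ntpath
import re

SAMPLE = "35d49eb7fa8740a53d6a84de7fd9b7d177df8d96d25a67b1bc18d2b685988828.bin.sample.exe"
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
# Command line exactly as shown in the report's process tree.
SHADOW_CMD = ('C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where '
              '"ID=\'{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}\'" delete')

# Constructed records modelled on the process tree; PID 1000 / explorer.exe
# is an assumed parent, not something the report shows.
SAMPLE_PROCESSES = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1740, "ppid": 1000, "image": ntpath.join(SAMPLE_DIR, SAMPLE),
     "cmdline": '"' + ntpath.join(SAMPLE_DIR, SAMPLE) + '"'},
    {"pid": 1572, "ppid": 1740, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": "cmd.exe /c " + SHADOW_CMD},
    {"pid": 664, "ppid": 1572, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": SHADOW_CMD},
]

# Command-line shapes that remove Volume Shadow Copies. The WMI form is the
# one this sample uses; the vssadmin form is the other common one.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),  # wmic shadowcopy [where ...] delete
    re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE),        # vssadmin delete shadows /all /quiet
)
SHADOW_ID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
DELETION_TOOLS = {"wmic.exe", "vssadmin.exe"}
# Interpreters and admin tools that only relay the command; attribution walks
# past these to the first ancestor that is not one of them.
RELAY_IMAGES = {"cmd.exe", "wmic.exe", "vssadmin.exe", "powershell.exe"}


def is_shadow_copy_deletion(cmdline):
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def ancestry(processes, pid):
    """Records from pid up to the root; the seen-set guards against PID-reuse loops."""
    by_pid = {p["pid"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_shadow_copy_deletions(processes):
    """One finding per deletion tool whose command line removes shadow copies,
    attributed to the first non-relay ancestor (the sample, here)."""
    findings = []
    for proc in processes:
        image = ntpath.basename(proc["image"]).lower()
        # cmd.exe carries the same text in its own command line; report the
        # tool itself once rather than every relay that quoted it.
        if image not in DELETION_TOOLS or not is_shadow_copy_deletion(proc["cmdline"]):
            continue
        chain = ancestry(processes, proc["pid"])
        origin = next((p for p in chain
                       if ntpath.basename(p["image"]).lower() not in RELAY_IMAGES), chain[-1])
        match = SHADOW_ID_RE.search(proc["cmdline"])
        findings.append({
            "pid": proc["pid"],
            "shadow_id": match.group(0) if match else None,  # None: not limited to one copy
            "origin_pid": origin["pid"],
            "chain": [ntpath.basename(p["image"]) for p in chain],
        })
    return findings


if __name__ == "__main__":
    for finding in find_shadow_copy_deletions(SAMPLE_PROCESSES):
        print(finding)
```

On the constructed records this produces a single finding for PID 664 carrying the shadow copy ID from the report, attributed to PID 1740 (the sample) through the chain WMIC.exe, cmd.exe, sample. The attribution step matters in practice: blocking or alerting on WMIC.exe alone tells you a shadow copy was deleted, while the origin PID tells you what to kill and what to carve from memory before it finishes encrypting.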