Analysis

max time kernel: 129s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 07-01-2022 19:44

Static task: static1

Behavioral task: behavioral1
Sample: 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe
Resource: win10-en-20211208

General

Target: 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe
Size: 2.1MB
MD5: 6552b8bf9ba6a4931548fe65cde76ad4
SHA1: 0c81ed07b0fcc9b8a4ff983ed83dd1c83c8fa600
SHA256: 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c
SHA512: 4421f18fc7b276977366f4099e0602947b85ab0f0b7a75e818389d35b3d8e9d0b81b8128ef47dff47a45e4541d23512267139f361822e18b7bb807105071448d
Malware Config

Extracted
Path: C:\readme.txt
Family: conti
URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/PZ8lOWohN5xGPEYNRMJljsyK7PSBDmbUWQgY74Uvxm8TdMEXICZLVkvTBn5ubLDK
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File renamed: C:\Users\Admin\Pictures\ExportComplete.raw => C:\Users\Admin\Pictures\ExportComplete.raw.HTLVN (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)
- File renamed: C:\Users\Admin\Pictures\MountComplete.tif => C:\Users\Admin\Pictures\MountComplete.tif.HTLVN (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)
- File renamed: C:\Users\Admin\Pictures\UnblockConvert.crw => C:\Users\Admin\Pictures\UnblockConvert.crw.HTLVN (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)
- File renamed: C:\Users\Admin\Pictures\UseRedo.crw => C:\Users\Admin\Pictures\UseRedo.crw.HTLVN (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)
Drops startup file (1 IoC)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\conti.png" (5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe)

Drops file in Program Files directory (64 IoCs)
Processes:
Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\rescache\_merged\4183903823\97717462.pri (ShellExperienceHost.exe)
- File created: C:\Windows\rescache\_merged\4032412167\2701812693.pri (ShellExperienceHost.exe)
- File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes (description, pid, process):
- Token: SeBackupPrivilege (364, vssvc.exe)
- Token: SeRestorePrivilege (364, vssvc.exe)
- Token: SeAuditPrivilege (364, vssvc.exe)
- Token: SeIncreaseQuotaPrivilege (760, WMIC.exe)
- Token: SeSecurityPrivilege (760, WMIC.exe)
- Token: SeTakeOwnershipPrivilege (760, WMIC.exe)
- Token: SeLoadDriverPrivilege (760, WMIC.exe)
- Token: SeSystemProfilePrivilege (760, WMIC.exe)
- Token: SeSystemtimePrivilege (760, WMIC.exe)
- Token: SeProfSingleProcessPrivilege (760, WMIC.exe)
- Token: SeIncBasePriorityPrivilege (760, WMIC.exe)
- Token: SeCreatePagefilePrivilege (760, WMIC.exe)
- Token: SeBackupPrivilege (760, WMIC.exe)
- Token: SeRestorePrivilege (760, WMIC.exe)
- Token: SeShutdownPrivilege (760, WMIC.exe)
- Token: SeDebugPrivilege (760, WMIC.exe)
- Token: SeSystemEnvironmentPrivilege (760, WMIC.exe)
- Token: SeRemoteShutdownPrivilege (760, WMIC.exe)
- Token: SeUndockPrivilege (760, WMIC.exe)
- Token: SeManageVolumePrivilege (760, WMIC.exe)
- Token: 33 (760, WMIC.exe)
- Token: 34 (760, WMIC.exe)
- Token: 35 (760, WMIC.exe)
- Token: 36 (760, WMIC.exe)
- Token: SeIncreaseQuotaPrivilege (760, WMIC.exe)
- Token: SeSecurityPrivilege (760, WMIC.exe)
- Token: SeTakeOwnershipPrivilege (760, WMIC.exe)
- Token: SeLoadDriverPrivilege (760, WMIC.exe)
- Token: SeSystemProfilePrivilege (760, WMIC.exe)
- Token: SeSystemtimePrivilege (760, WMIC.exe)
- Token: SeProfSingleProcessPrivilege (760, WMIC.exe)
- Token: SeIncBasePriorityPrivilege (760, WMIC.exe)
- Token: SeCreatePagefilePrivilege (760, WMIC.exe)
- Token: SeBackupPrivilege (760, WMIC.exe)
- Token: SeRestorePrivilege (760, WMIC.exe)
- Token: SeShutdownPrivilege (760, WMIC.exe)
- Token: SeDebugPrivilege (760, WMIC.exe)
- Token: SeSystemEnvironmentPrivilege (760, WMIC.exe)
- Token: SeRemoteShutdownPrivilege (760, WMIC.exe)
- Token: SeUndockPrivilege (760, WMIC.exe)
- Token: SeManageVolumePrivilege (760, WMIC.exe)
- Token: 33 (760, WMIC.exe)
- Token: 34 (760, WMIC.exe)
- Token: 35 (760, WMIC.exe)
- Token: 36 (760, WMIC.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 1968 ShellExperienceHost.exe
- 1968 ShellExperienceHost.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
- PID 3160 wrote to memory of 760 (3160, 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe, WMIC.exe)
- PID 3160 wrote to memory of 760 (3160, 5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe, WMIC.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5fa3bf951dde536ac87c0c6f6074e400e9a6a6e83fa6a07b617f608e24b4db0c.exe"
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3160

    Child: C:\Windows\System32\wbem\WMIC.exe
    Command line: shadowcopy where "ID='{0B662981-1382-4EE1-B62A-610BFEE02635}'" delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 760

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 364

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID: 1968

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- Drops file in Windows directory
PID: 2276