Analysis
max time kernel: 159s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 15-02-2022 19:52
Static task: static1
Behavioral task: behavioral1
  Sample: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  Resource: win10v2004-en-20220112
General
Target: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
Size: 76KB
MD5: f34052fe70c4ec35899aeaee7386f2e0
SHA1: 57b6cd016c158e15736969d63d8626af4b483d8d
SHA256: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371
SHA512: 478f0974ad408258f784fc897f9af76c3d37603b8cfd048132f13281ddf70fb60ded1b6f4b6d4a997b6ff71ed3be68f0659e35ed50ddefd0020a4634303bca13
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.top
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Drops desktop.ini file(s) (3 IoCs)
  Process: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  - File opened for modification: C:\Users\Public\desktop.ini
  - File opened for modification: C:\Program Files\desktop.ini
  - File opened for modification: C:\Program Files (x86)\desktop.ini
- Drops file in Program Files directory (64 IoCs)
  Process (for all 64 entries): eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\7-Zip\Lang\bg.txt
  - File created: C:\Program Files (x86)\readme.txt
  - File opened for modification: C:\Program Files\Microsoft Office\FileSystemMetadata.xml
  - File created: C:\Program Files\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\be.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT
  - File created: C:\Program Files (x86)\Internet Explorer\en-US\readme.txt
  - File created: C:\Program Files\Java\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ku-ckb.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja
  - File created: C:\Program Files (x86)\Google\Policies\readme.txt
  - File created: C:\Program Files (x86)\Internet Explorer\ja-JP\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\eo.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\mn.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Edge.dat.LOG1
  - File created: C:\Program Files\VideoLAN\readme.txt
  - File opened for modification: C:\Program Files\Microsoft Office\Office16\OSPP.HTM
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\7-Zip\7zCon.sfx
  - File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
  - File opened for modification: C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\README.html
  - File created: C:\Program Files\Mozilla Firefox\browser\readme.txt
  - File opened for modification: C:\Program Files\ReceiveConvert.mp4
  - File opened for modification: C:\Program Files\7-Zip\Lang\gu.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\si.txt
  - File opened for modification: C:\Program Files\VideoLAN\VLC\Documentation.url
  - File created: C:\Program Files (x86)\Common Files\Microsoft Shared\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\updater.ini
  - File opened for modification: C:\Program Files\Mozilla Firefox\update-settings.ini
  - File opened for modification: C:\Program Files\7-Zip\Lang\ky.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\nl.txt
  - File created: C:\Program Files\Common Files\Services\readme.txt
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\Welcome.html
  - File created: C:\Program Files (x86)\Google\CrashReports\readme.txt
  - File opened for modification: C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml
  - File opened for modification: C:\Program Files\SwitchDisable.contact
  - File opened for modification: C:\Program Files\Mozilla Firefox\Accessible.tlb
  - File opened for modification: C:\Program Files\Mozilla Firefox\application.ini
  - File opened for modification: C:\Program Files\7-Zip\Lang\sq.txt
  - File created: C:\Program Files\Google\Chrome\readme.txt
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files\MergePop.asp
  - File opened for modification: C:\Program Files\VideoLAN\VLC\AUTHORS.txt
  - File created: C:\Program Files (x86)\Internet Explorer\SIGNUP\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\7-zip.chm
  - File opened for modification: C:\Program Files\7-Zip\Lang\tr.txt
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Edge.dat.LOG2
  - File created: C:\Program Files (x86)\Microsoft\EdgeUpdate\readme.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
  - File opened for modification: C:\Program Files\SkipJoin.xhtml
  - File opened for modification: C:\Program Files\7-Zip\Lang\fy.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\zh-cn.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip
  - File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml
  - File created: C:\Program Files (x86)\Microsoft.NET\RedistList\readme.txt
  - File opened for modification: C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini
  - File opened for modification: C:\Program Files\7-Zip\Lang\it.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ja.txt
  - File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\readme.txt
  - File opened for modification: C:\Program Files\7-Zip\Lang\ba.txt
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: MusNotifyIcon.exe
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  - All 64 entries record the same pid/process pair: 3576 eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  vssvc.exe (pid 508):
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
  WMIC.exe (pid 1992); the following 21 entries are recorded twice in the same order:
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe, cmd.exe
  - PID 3576 wrote to memory of 1828: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe (3576) -> cmd.exe
  - PID 3576 wrote to memory of 1828: eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe (3576) -> cmd.exe
  - PID 1828 wrote to memory of 1992: cmd.exe (1828) -> WMIC.exe
  - PID 1828 wrote to memory of 1992: cmd.exe (1828) -> WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe"
  PID: 3576
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
    PID: 1828
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
      PID: 1992
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 508
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3716
  - Checks processor information in registry