conti | 626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce

Analysis

max time kernel
172s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
15/02/2022, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
Size

191KB
MD5

7e10aded8fc55ad5d1fdbf20f7a96bc5
SHA1

f514f0fd76e6f5cef392de083a10a2091031f36f
SHA256

626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce
SHA512

a04e7318d8f7e58e868653f507a61d68ae872bda831597d3a71c445649a918e5416a87aa730ce875b6af89763eab4df0ad1cad26a804a74fe9942665dfbe9c09

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- K2N1tSspdj6THjQ4ZES1GBdPX8V2f7P5unxYqgmCB2WizNnMfRVXq03p0BtFek3h ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\WindowsApps	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Google\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\update-settings.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Windows NT	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Microsoft\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\desktop.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\UpdateBackup.m4a	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\RegisterUpdate.001	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\RevokeLimit.3gpp	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\UnpublishRequest.xls	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\BlockPop.DVR	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\GetRevoke.midi	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Windows Media Player	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Google\Temp	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Windows Mail	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\WindowsPowerShell	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Internet Explorer\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Java\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\VideoLAN\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Google\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Common Files\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\CloseUndo.eps	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows NT	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\ResumeEnter.html	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\MeasureResolve.vsdm	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\OptimizePublish.asf	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files\Windows Portable Devices	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files\Microsoft Office 15\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
File created	C:\Program Files (x86)\Adobe\readme.txt	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.413225"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132896049902064093"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4208"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4140"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.429182"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
3980	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe
Token: SeRestorePrivilege	1092	TiWorker.exe
Token: SeSecurityPrivilege	1092	TiWorker.exe
Token: SeBackupPrivilege	1092	TiWorker.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2564	3980	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	72
PID 3980 wrote to memory of 2564	3980	626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe	72
PID 2564 wrote to memory of 760	2564	cmd.exe	74
PID 2564 wrote to memory of 760	2564	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe
"C:\Users\Admin\AppData\Local\Temp\626a1863c6cb57977bf75596d78b51cb8208fadec3d68eba1dd7b5a3c88578ce.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads