conti | 66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46

Analysis

max time kernel
169s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
15/02/2022, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
Size

192KB
MD5

2bf2e7c44fc210b3852044109dcd9633
SHA1

2587016c247850422b3a9d0f581606366c685dac
SHA256

66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46
SHA512

bb22b764c7ecadbea0f2ad8f33c091b7cf81b4b1ae52208481c64ddb9cd0a0293facd168e4245b724591edd1f487e0c252e6571d12b7a52fc0da8ca3fdd363b6

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 1FRzMJVwqKYCJtL0JfSFSwKnsVTjUuAwkA2PxjPiRNqNR11KjqUR9LbNpfFUCEpw ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertUnlock.crw => C:\Users\Admin\Pictures\AssertUnlock.crw.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File renamed	C:\Users\Admin\Pictures\ClearReset.raw => C:\Users\Admin\Pictures\ClearReset.raw.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeExit.tiff	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File renamed	C:\Users\Admin\Pictures\InitializeExit.tiff => C:\Users\Admin\Pictures\InitializeExit.tiff.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File renamed	C:\Users\Admin\Pictures\ResolveInvoke.png => C:\Users\Admin\Pictures\ResolveInvoke.png.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File renamed	C:\Users\Admin\Pictures\UpdateShow.tif => C:\Users\Admin\Pictures\UpdateShow.tif.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File renamed	C:\Users\Admin\Pictures\ApproveNew.crw => C:\Users\Admin\Pictures\ApproveNew.crw.LRYDJ	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe

Drops desktop.ini file(s) 23 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Internet Explorer\en-US\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\SetStop.ico	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files (x86)\Common Files\Services\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\LockClear.tiff	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\SetResolve.mp2	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files (x86)\Adobe\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Internet Explorer\de-DE\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\logging.properties	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\readme.txt	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files (x86)\Windows Mail	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: 36	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: 36	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1096	WMIC.exe
Token: SeSecurityPrivilege	1096	WMIC.exe
Token: SeTakeOwnershipPrivilege	1096	WMIC.exe
Token: SeLoadDriverPrivilege	1096	WMIC.exe
Token: SeSystemProfilePrivilege	1096	WMIC.exe
Token: SeSystemtimePrivilege	1096	WMIC.exe
Token: SeProfSingleProcessPrivilege	1096	WMIC.exe
Token: SeIncBasePriorityPrivilege	1096	WMIC.exe
Token: SeCreatePagefilePrivilege	1096	WMIC.exe
Token: SeBackupPrivilege	1096	WMIC.exe
Token: SeRestorePrivilege	1096	WMIC.exe
Token: SeShutdownPrivilege	1096	WMIC.exe
Token: SeDebugPrivilege	1096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1096	WMIC.exe
Token: SeRemoteShutdownPrivilege	1096	WMIC.exe
Token: SeUndockPrivilege	1096	WMIC.exe
Token: SeManageVolumePrivilege	1096	WMIC.exe
Token: 33	1096	WMIC.exe
Token: 34	1096	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4524	2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe	85
PID 2436 wrote to memory of 4524	2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe	85
PID 4524 wrote to memory of 1572	4524	cmd.exe	87
PID 4524 wrote to memory of 1572	4524	cmd.exe	87
PID 2436 wrote to memory of 4944	2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe	88
PID 2436 wrote to memory of 4944	2436	66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe	88
PID 4944 wrote to memory of 1096	4944	cmd.exe	90
PID 4944 wrote to memory of 1096	4944	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe
"C:\Users\Admin\AppData\Local\Temp\66a57f4322182ffd7318bc81e5d7502db53a3153c28d9312dd6b443430936d46.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E9B5643F-8908-41A9-879A-BF3F65E24DF9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E9B5643F-8908-41A9-879A-BF3F65E24DF9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-130-0x0000000000640000-0x0000000000674000-memory.dmp

Filesize
208KB

Download
memory/3724-131-0x000001CB65F60000-0x000001CB65F70000-memory.dmp

Filesize
64KB

Download
memory/3724-132-0x000001CB66520000-0x000001CB66530000-memory.dmp

Filesize
64KB

Download
memory/3724-133-0x000001CB68B90000-0x000001CB68B94000-memory.dmp

Filesize
16KB

Download