conti | 1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3

Analysis

max time kernel
154s
max time network
157s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
Size

5.4MB
MD5

c82a4f52bf0cac24d01281f5b45cd350
SHA1

2884f66d660f20fcdd8680365599aa1e41481cb3
SHA256

1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3
SHA512

e1ca8887cb3f5935ffd2c77e456014011b8c874f6e007e6e68579b7a6810875875c9a2b842ec0aef1a8c2d57ec1cef356eb911e2335e0de14b92cf3c5a6e3ad0

Score

10^/10

conti ransomware vmprotect

Malware Config

Extracted

Path

C:\R3ADM3.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- CaFGUkuxCokVJnZz1cVe9DtLJKZQghAJ2qT8Gw48hLhhW8YEcIGIUIZzVdTkgEJW ---END ID---

URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1828-54-0x0000000000FF0000-0x00000000018B6000-memory.dmp	vmprotect
behavioral1/memory/1828-58-0x0000000000FF0000-0x00000000018B6000-memory.dmp	vmprotect
behavioral1/memory/1828-59-0x0000000000FF0000-0x00000000018B6000-memory.dmp	vmprotect

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Users\Public\desktop.ini	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\it-IT\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Google\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Windows Journal	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Windows Defender	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Google\Temp	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Google\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Internet Explorer\en-US\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\desktop.ini	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\ja-JP\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Internet Explorer\de-DE\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\ExpandWrite.vsdm	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Internet Explorer\es-ES\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\fr-FR\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Adobe\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Common Files\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Microsoft Games\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\BlockHide.mpeg3	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Google\Chrome\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Internet Explorer\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Microsoft Office\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Mozilla Firefox\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\es-ES\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\SuspendSet.rar	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Windows Mail	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Common Files\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Common Files\SpeechEngines\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Windows NT	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\Uninstall Information\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\MSBuild\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\InitializeMount.cmd	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files (x86)\Microsoft.NET\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
File created	C:\Program Files\DVD Maker\en-US\R3ADM3.txt	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 468	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	30
PID 1828 wrote to memory of 468	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	30
PID 1828 wrote to memory of 468	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	30
PID 1828 wrote to memory of 468	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	30
PID 468 wrote to memory of 820	468	cmd.exe	32
PID 468 wrote to memory of 820	468	cmd.exe	32
PID 468 wrote to memory of 820	468	cmd.exe	32
PID 1828 wrote to memory of 2032	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	33
PID 1828 wrote to memory of 2032	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	33
PID 1828 wrote to memory of 2032	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	33
PID 1828 wrote to memory of 2032	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	33
PID 2032 wrote to memory of 916	2032	cmd.exe	35
PID 2032 wrote to memory of 916	2032	cmd.exe	35
PID 2032 wrote to memory of 916	2032	cmd.exe	35
PID 1828 wrote to memory of 1952	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	36
PID 1828 wrote to memory of 1952	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	36
PID 1828 wrote to memory of 1952	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	36
PID 1828 wrote to memory of 1952	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	36
PID 1952 wrote to memory of 1692	1952	cmd.exe	38
PID 1952 wrote to memory of 1692	1952	cmd.exe	38
PID 1952 wrote to memory of 1692	1952	cmd.exe	38
PID 1828 wrote to memory of 1708	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	39
PID 1828 wrote to memory of 1708	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	39
PID 1828 wrote to memory of 1708	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	39
PID 1828 wrote to memory of 1708	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	39
PID 1708 wrote to memory of 1928	1708	cmd.exe	41
PID 1708 wrote to memory of 1928	1708	cmd.exe	41
PID 1708 wrote to memory of 1928	1708	cmd.exe	41
PID 1828 wrote to memory of 1920	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	42
PID 1828 wrote to memory of 1920	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	42
PID 1828 wrote to memory of 1920	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	42
PID 1828 wrote to memory of 1920	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	42
PID 1920 wrote to memory of 1340	1920	cmd.exe	44
PID 1920 wrote to memory of 1340	1920	cmd.exe	44
PID 1920 wrote to memory of 1340	1920	cmd.exe	44
PID 1828 wrote to memory of 1644	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	45
PID 1828 wrote to memory of 1644	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	45
PID 1828 wrote to memory of 1644	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	45
PID 1828 wrote to memory of 1644	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	45
PID 1644 wrote to memory of 1680	1644	cmd.exe	47
PID 1644 wrote to memory of 1680	1644	cmd.exe	47
PID 1644 wrote to memory of 1680	1644	cmd.exe	47
PID 1828 wrote to memory of 552	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	48
PID 1828 wrote to memory of 552	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	48
PID 1828 wrote to memory of 552	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	48
PID 1828 wrote to memory of 552	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	48
PID 552 wrote to memory of 1348	552	cmd.exe	50
PID 552 wrote to memory of 1348	552	cmd.exe	50
PID 552 wrote to memory of 1348	552	cmd.exe	50
PID 1828 wrote to memory of 1736	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	51
PID 1828 wrote to memory of 1736	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	51
PID 1828 wrote to memory of 1736	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	51
PID 1828 wrote to memory of 1736	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	51
PID 1736 wrote to memory of 1764	1736	cmd.exe	53
PID 1736 wrote to memory of 1764	1736	cmd.exe	53
PID 1736 wrote to memory of 1764	1736	cmd.exe	53
PID 1828 wrote to memory of 1332	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	54
PID 1828 wrote to memory of 1332	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	54
PID 1828 wrote to memory of 1332	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	54
PID 1828 wrote to memory of 1332	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	54
PID 1332 wrote to memory of 1248	1332	cmd.exe	56
PID 1332 wrote to memory of 1248	1332	cmd.exe	56
PID 1332 wrote to memory of 1248	1332	cmd.exe	56
PID 1828 wrote to memory of 1980	1828	1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe	57

C:\Users\Admin\AppData\Local\Temp\1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe
"C:\Users\Admin\AppData\Local\Temp\1f782c00f48835beffd1cb068c1b43854b5f1542966dd5926589fece4a5058b3.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89697DE0-8AFD-4B41-886A-B7EB72DF3AA8}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{004F80FF-D134-40FF-896B-3B02EA9DF238}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1CA373D3-0720-4AF4-934C-F884960206D5}'" delete
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C951ED94-9E18-4B0F-97B7-40AF0998ADB0}'" delete
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4231B339-4EB3-41AB-80A3-508C3288E141}'" delete
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41589B6B-50A3-47D7-925E-FED6576DD211}'" delete
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB9D07F-059E-4013-BE7F-701EA09F706A}'" delete
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFA87842-5434-47D1-B0BB-BECA3260BE04}'" delete
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E19154F-51FA-43F7-8302-9500D51540D3}'" delete
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
  2⤵
  PID:1980
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B9AEA514-75F1-434E-9AA1-C39F88C95D1D}'" delete
    3⤵
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
  2⤵
  PID:1824
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A0AA1B9-E21E-4FDC-81D9-A624B1BB2B8F}'" delete
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
  2⤵
  PID:1388
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5AE464CA-8460-4455-AAA6-62AFB5670AE2}'" delete
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
  2⤵
  PID:1792
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B16F72DE-243A-40E3-9640-F63AFEB59182}'" delete
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
  2⤵
  PID:1572
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D2703CB-4AC0-4A10-B0F6-CFE9ADDD388D}'" delete
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
  2⤵
  PID:552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F205D07-EA20-493C-BD37-BD4B6671BC69}'" delete
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
  2⤵
  PID:944
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5106895C-48BE-4DB1-BF9C-EAE864E896FA}'" delete
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
  2⤵
  PID:428
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF76A732-49C6-4961-8222-635072F634E0}'" delete
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
  2⤵
  PID:1728
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D35CD01D-C9C4-48E2-9FCB-16447CF65EAE}'" delete
    3⤵
    PID:1980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-59-0x0000000000FF0000-0x00000000018B6000-memory.dmp

Filesize
8.8MB

Download
memory/1828-54-0x0000000000FF0000-0x00000000018B6000-memory.dmp

Filesize
8.8MB

Download
memory/1828-57-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/1828-58-0x0000000000FF0000-0x00000000018B6000-memory.dmp

Filesize
8.8MB

Download