conti | 1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
Size

190KB
MD5

2dc5a4338d438ea4e78878cff4cfe2cf
SHA1

cfdd6e3a69b12d43af94cb0441db3e1ef93f74f8
SHA256

1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9
SHA512

32a8d6f2fa1e472aefa8cc41cb59b5b67e84d336ca35c5b1f5d2a2ad2eae5a7ba1cbfba17f75261b0220a5d896b72bb4b95c5c86a6c8bda4b9bf50463f2222fc

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- FQ6C1V320lsGoEpDS1i4SFkTzLnOQ9vSXpwMwYdsE7CL2myTZeHVHuuqtzHQGOpB ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SendSelect.png => C:\Users\Admin\Pictures\SendSelect.png.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\ShowRestore.png => C:\Users\Admin\Pictures\ShowRestore.png.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\TestConfirm.png => C:\Users\Admin\Pictures\TestConfirm.png.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\FindRedo.tif => C:\Users\Admin\Pictures\FindRedo.tif.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\JoinApprove.raw => C:\Users\Admin\Pictures\JoinApprove.raw.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File renamed	C:\Users\Admin\Pictures\MoveGroup.tif => C:\Users\Admin\Pictures\MoveGroup.tif.YEKRW	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\VC\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Common Files\microsoft shared\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Google\Chrome\Application\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\NewUnlock.xlsb	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Google\Chrome\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\MSBuild\Microsoft\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\resources.jar	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files\Common Files\System\de-DE\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\readme.txt	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2192	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	4820	vssvc.exe
Token: SeRestorePrivilege	4820	vssvc.exe
Token: SeAuditPrivilege	4820	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2516	4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	87
PID 4636 wrote to memory of 2516	4636	1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe	87
PID 2516 wrote to memory of 4520	2516	cmd.exe	89
PID 2516 wrote to memory of 4520	2516	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe
"C:\Users\Admin\AppData\Local\Temp\1ce8a939b3e7d84c59c12dc9e1091532f4336dac533847b6533b01d9dcf494e9.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0CB52C57-F33E-48C3-965E-DB7A91603164}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0CB52C57-F33E-48C3-965E-DB7A91603164}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme.txt

Filesize
866B

MD5
78a15c814df271551d3e0d882a7caae6

SHA1
65a43e6eac21105afaf62f534bc066c8f460122d

SHA256
c5543d9ed561efd53666d18ce7e6fcc8bc500c8e90ee873aae1ea8615ca0405b

SHA512
9cca3a336d30b324eeab100d87f812e5ff2459de1177f9b4fab7513b8f1de2d0d01521f01c539b497ee498a095a807c47ff816b775b3d8095f7d7fc673dba269

Download Submit