Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2022 18:28
Static task
static1
Behavioral task
behavioral1
Sample
24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe
Resource
win7-20220718-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe
Resource
win10v2004-20220721-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe
-
Size
1.0MB
-
MD5
42800d065e5855e261cc617fa688850f
-
SHA1
6c7b35e36830c1cc613fb08280ee25e5fbba9937
-
SHA256
24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59
-
SHA512
9e6e09aa81666c491058773b312d2c3178c4d6d6d295c455e8ad40f186f2081a6cc3b00e6a9eeefd66a806e05019d496cb2d54e2dcf45cc6b63ab7d55f9c2154
Score
10/10
Malware Config
Extracted
Path
C:\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/rw0J6Ap3LZNfxsJyo6UpClQbrgD1dzRjxZLVZep0QQEFdl01ihbHIkEvZt91EvtA
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
rw0J6Ap3LZNfxsJyo6UpClQbrgD1dzRjxZLVZep0QQEFdl01ihbHIkEvZt91EvtA
---END ID---
URLs
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/rw0J6Ap3LZNfxsJyo6UpClQbrgD1dzRjxZLVZep0QQEFdl01ihbHIkEvZt91EvtA
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConvertToConfirm.raw => C:\Users\Admin\Pictures\ConvertToConfirm.raw.XKLKO 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File renamed C:\Users\Admin\Pictures\CopyMeasure.png => C:\Users\Admin\Pictures\CopyMeasure.png.XKLKO 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File renamed C:\Users\Admin\Pictures\ExitSuspend.png => C:\Users\Admin\Pictures\ExitSuspend.png.XKLKO 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File renamed C:\Users\Admin\Pictures\NewEdit.png => C:\Users\Admin\Pictures\NewEdit.png.XKLKO 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File renamed C:\Users\Admin\Pictures\ReceiveOut.tif => C:\Users\Admin\Pictures\ReceiveOut.tif.XKLKO 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
description ioc Process File opened for modification C:\Users\Admin\Videos\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Videos\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Links\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Music\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Documents\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Music\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.INF 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\ui-strings.js 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\SearchEmail2x.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_duplicate_18.svg 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_unselected_18.svg 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\ui-strings.js 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main.css 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_email.ort 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cy.pak.DATA 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\readme.txt 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1312 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe 1312 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 428 vssvc.exe Token: SeRestorePrivilege 428 vssvc.exe Token: SeAuditPrivilege 428 vssvc.exe Token: SeIncreaseQuotaPrivilege 1096 WMIC.exe Token: SeSecurityPrivilege 1096 WMIC.exe Token: SeTakeOwnershipPrivilege 1096 WMIC.exe Token: SeLoadDriverPrivilege 1096 WMIC.exe Token: SeSystemProfilePrivilege 1096 WMIC.exe Token: SeSystemtimePrivilege 1096 WMIC.exe Token: SeProfSingleProcessPrivilege 1096 WMIC.exe Token: SeIncBasePriorityPrivilege 1096 WMIC.exe Token: SeCreatePagefilePrivilege 1096 WMIC.exe Token: SeBackupPrivilege 1096 WMIC.exe Token: SeRestorePrivilege 1096 WMIC.exe Token: SeShutdownPrivilege 1096 WMIC.exe Token: SeDebugPrivilege 1096 WMIC.exe Token: SeSystemEnvironmentPrivilege 1096 WMIC.exe Token: SeRemoteShutdownPrivilege 1096 WMIC.exe Token: SeUndockPrivilege 1096 WMIC.exe Token: SeManageVolumePrivilege 1096 WMIC.exe Token: 33 1096 WMIC.exe Token: 34 1096 WMIC.exe Token: 35 1096 WMIC.exe Token: 36 1096 WMIC.exe Token: SeIncreaseQuotaPrivilege 1096 WMIC.exe Token: SeSecurityPrivilege 1096 WMIC.exe Token: SeTakeOwnershipPrivilege 1096 WMIC.exe Token: SeLoadDriverPrivilege 1096 WMIC.exe Token: SeSystemProfilePrivilege 1096 WMIC.exe Token: SeSystemtimePrivilege 1096 WMIC.exe Token: SeProfSingleProcessPrivilege 1096 WMIC.exe Token: SeIncBasePriorityPrivilege 1096 WMIC.exe Token: SeCreatePagefilePrivilege 1096 WMIC.exe Token: SeBackupPrivilege 1096 WMIC.exe Token: SeRestorePrivilege 1096 WMIC.exe Token: SeShutdownPrivilege 1096 WMIC.exe Token: SeDebugPrivilege 1096 WMIC.exe Token: SeSystemEnvironmentPrivilege 1096 WMIC.exe Token: SeRemoteShutdownPrivilege 1096 WMIC.exe Token: SeUndockPrivilege 1096 WMIC.exe Token: SeManageVolumePrivilege 1096 WMIC.exe Token: 33 1096 WMIC.exe Token: 34 1096 WMIC.exe Token: 35 1096 WMIC.exe Token: 36 1096 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1312 wrote to memory of 3576 1312 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe 80 PID 1312 wrote to memory of 3576 1312 24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe 80 PID 3576 wrote to memory of 1096 3576 cmd.exe 82 PID 3576 wrote to memory of 1096 3576 cmd.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe"C:\Users\Admin\AppData\Local\Temp\24ac73821de77cc9644d2ac40e97067ff63f625b5f20e085ad10535e47d7db59.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{151E50B9-3AC5-4054-84A8-FFC64A088376}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{151E50B9-3AC5-4054-84A8-FFC64A088376}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428