Analysis
max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
31-12-2023 04:56
Static task
static1
Behavioral task
behavioral1
Sample
290c7dfb01e50cea9e19da81a781af2c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
290c7dfb01e50cea9e19da81a781af2c.exe
Resource
win10v2004-20231215-en
General
Target
290c7dfb01e50cea9e19da81a781af2c.exe
Size
190KB
MD5
290c7dfb01e50cea9e19da81a781af2c
SHA1
8a52c7645ec8fd6c217dfe5491461372acc4e849
SHA256
53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22
SHA512
be2f45b5cc110bc9c4e61723eb111e53d70f3e32757915a9a945589a5296e3a667afdf5978f7002869005f961d705058ffafd2076d44471b7826237c76e11d4d
SSDEEP
3072:iZ0eFVz8q3Ab6BNx6GmZd9WAT4uY59oVU9FLBD9VK+gvPXCX8l9:i+eFVz8qTz6GmZjBUuC9HJDTKGY
Malware Config
Extracted
C:\Program Files (x86)\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Signatures
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
Renames multiple (1801) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops desktop.ini file(s) 24 IoCs
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of WriteProcessMemory 4 IoCs
description / pid / Process / procid_target
PID 1952 wrote to memory of 4548 / 1952 / 290c7dfb01e50cea9e19da81a781af2c.exe / 95
PID 1952 wrote to memory of 4548 / 1952 / 290c7dfb01e50cea9e19da81a781af2c.exe / 95
PID 4548 wrote to memory of 2984 / 4548 / cmd.exe / 96
PID 4548 wrote to memory of 2984 / 4548 / cmd.exe / 96
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\290c7dfb01e50cea9e19da81a781af2c.exe
  "C:\Users\Admin\AppData\Local\Temp\290c7dfb01e50cea9e19da81a781af2c.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
    C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C348255A-0CAD-4C1C-8CC4-563DC0EE61E5}'" delete
      - Suspicious use of WriteProcessMemory
      PID:4548
        C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C348255A-0CAD-4C1C-8CC4-563DC0EE61E5}'" delete
          - Suspicious use of AdjustPrivilegeToken
          PID:2984
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
Downloads
Filesize
1KB
MD5
a48d7f2cbc55c406561016d717163111
SHA1
6cbc2ffadf3975cf9c8d24576fa4db9d7c3e9443
SHA256
f6c83d830b9375ec7bb8f3485d5cae945c6bf79d95a3909fb444a8078d081bdd
SHA512
88023e98ebff62ba2e9de1b61a4f20c93c54037ce06977327ebc3474546473ce23ed6211b7a8adebe2f3153be92509c95df3766ff018aa0f5311f6897388530b