conti | 58ca4e482db7cf5c924256e53d8516d422e76cf4b85b43dc2b9ba0c7cb471ff7

Resubmissions

16-03-2024 19:39

240316-yc7kkaae5w 10

10-03-2024 13:40

240310-qykzpadh8w 10

10-03-2024 12:36

240310-psyg6acg33 10

Analysis

max time kernel
658s
max time network
656s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTI.exe
Size

196KB
MD5

58b16b1ea734d18960927cd68040c72d
SHA1

ab31613ceb08db6aea6b90370e259be1e9243070
SHA256

58ca4e482db7cf5c924256e53d8516d422e76cf4b85b43dc2b9ba0c7cb471ff7
SHA512

7b2b180005974afef8be76431c06eb22910d67863d80f738999030aa0a9707421ecb847a864b9a1c2a4fd03909fd35377d44276e69586a33c2fcb8ce4c8371f1
SSDEEP

3072:CLJGBP1t82ETTwPAobQ3tOqmb14Gul22QZkN7S44EXZ50Rx6:gJEPCTwPp03YqyNulakHu6

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3oGjGn43irQZrKl1Tykk77x4alv7UkOkD9ru3aywuSN0ufrLAF1rZS40oEtMRe2j ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4736	2736	OfficeC2RClient.exe	128

Renames multiple (7355) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	CONTI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CONTI.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CONTI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\uk-UA\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png	CONTI.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main.css	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\ui-strings.js	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\ui-strings.js	CONTI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\default.vlt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json	CONTI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\readme.txt	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado21.tlb	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms	CONTI.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms	CONTI.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms	CONTI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\readme.txt	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA	CONTI.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\readme.txt	CONTI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\ui-strings.js	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	CONTI.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\createpdf.svg	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\readme.txt	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\readme.txt	CONTI.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4216	2436	WerFault.exe	86

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2376	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe
5088	CONTI.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	3236	vssvc.exe
Token: SeRestorePrivilege	3236	vssvc.exe
Token: SeAuditPrivilege	3236	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: 36	2908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: 36	2908	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4736	OfficeC2RClient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	OpenWith.exe
4736	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 664	5088	CONTI.exe	120
PID 5088 wrote to memory of 664	5088	CONTI.exe	120
PID 664 wrote to memory of 2908	664	cmd.exe	122
PID 664 wrote to memory of 2908	664	cmd.exe	122
PID 2736 wrote to memory of 4736	2736	WINWORD.EXE	129
PID 2736 wrote to memory of 4736	2736	WINWORD.EXE	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CONTI.exe
"C:\Users\Admin\AppData\Local\Temp\CONTI.exe"
1⤵
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 292
  2⤵
  - Program crash
  PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2436 -ip 2436
1⤵
PID:4320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Users\Admin\AppData\Local\Temp\CONTI.exe
"C:\Users\Admin\AppData\Local\Temp\CONTI.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D4DF5D4A-8D43-46DC-A4CE-B74ED9BE0069}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D4DF5D4A-8D43-46DC-A4CE-B74ED9BE0069}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2376

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=2736 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
b87b63355379f17bb06a2570c8d88b04

SHA1
84d6a08e78da221fea6ec46fe7b7ac87412e23c2

SHA256
284959ed3f68fb912cb141ef31b4ad4b53147bd1082ec1ed83bd08af729d09d1

SHA512
bad79ae1efc718a90e089b9cdea8bfb149adbcddfc79cef529ab11055ce723a23608402b78e2655e5d5f9c72e26726390a1dbb24a2abfaca6e964e26e36c275e

Download Submit