conti | 63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
Size

1.0MB
MD5

d3d9ad65fb3fb6f1eae29527b61ae7c0
SHA1

cdaaa01b42d3b4a325c11fdd7779ade9044e9946
SHA256

63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6
SHA512

171b12d4e345e67a4bfa43e2be66b5e18ccd61d2dee0f7b520c995595d62c258f1a4a865c8b8cdf6a9aa0c7b467eb10989b3ddc5291f4196e95276b94ba1cb7c
SSDEEP

24576:nZeCB1cqVAtVi+0ZMdbIudTkvk7WCuwJLMBhRCLlX:n8UTMdkGBuHKX

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 8MGCXlEjLLwou0tFoQYUZj9ZTcMQsceR7KKS8uxqdm5vRusaXoRbuMayM1sxKpc8 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7914) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\7-Zip\Lang\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNL.ICO	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212701.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\MSB1ENES.ITS	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQL.ICO	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21308_.GIF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7es.kic	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153508.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\DVD Maker\es-ES\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00255_.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\readme.txt	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2700	vssvc.exe
Token: SeRestorePrivilege	2700	vssvc.exe
Token: SeAuditPrivilege	2700	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe
Token: 35	2484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2112	WMIC.exe
Token: SeSecurityPrivilege	2112	WMIC.exe
Token: SeTakeOwnershipPrivilege	2112	WMIC.exe
Token: SeLoadDriverPrivilege	2112	WMIC.exe
Token: SeSystemProfilePrivilege	2112	WMIC.exe
Token: SeSystemtimePrivilege	2112	WMIC.exe
Token: SeProfSingleProcessPrivilege	2112	WMIC.exe
Token: SeIncBasePriorityPrivilege	2112	WMIC.exe
Token: SeCreatePagefilePrivilege	2112	WMIC.exe
Token: SeBackupPrivilege	2112	WMIC.exe
Token: SeRestorePrivilege	2112	WMIC.exe
Token: SeShutdownPrivilege	2112	WMIC.exe
Token: SeDebugPrivilege	2112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2112	WMIC.exe
Token: SeRemoteShutdownPrivilege	2112	WMIC.exe
Token: SeUndockPrivilege	2112	WMIC.exe
Token: SeManageVolumePrivilege	2112	WMIC.exe
Token: 33	2112	WMIC.exe
Token: 34	2112	WMIC.exe
Token: 35	2112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2112	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2452	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	31
PID 2276 wrote to memory of 2452	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	31
PID 2276 wrote to memory of 2452	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	31
PID 2276 wrote to memory of 2452	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	31
PID 2452 wrote to memory of 2484	2452	cmd.exe	33
PID 2452 wrote to memory of 2484	2452	cmd.exe	33
PID 2452 wrote to memory of 2484	2452	cmd.exe	33
PID 2276 wrote to memory of 2492	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	34
PID 2276 wrote to memory of 2492	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	34
PID 2276 wrote to memory of 2492	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	34
PID 2276 wrote to memory of 2492	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	34
PID 2492 wrote to memory of 2112	2492	cmd.exe	36
PID 2492 wrote to memory of 2112	2492	cmd.exe	36
PID 2492 wrote to memory of 2112	2492	cmd.exe	36
PID 2276 wrote to memory of 1548	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	37
PID 2276 wrote to memory of 1548	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	37
PID 2276 wrote to memory of 1548	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	37
PID 2276 wrote to memory of 1548	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	37
PID 1548 wrote to memory of 1464	1548	cmd.exe	39
PID 1548 wrote to memory of 1464	1548	cmd.exe	39
PID 1548 wrote to memory of 1464	1548	cmd.exe	39
PID 2276 wrote to memory of 2668	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	40
PID 2276 wrote to memory of 2668	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	40
PID 2276 wrote to memory of 2668	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	40
PID 2276 wrote to memory of 2668	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	40
PID 2668 wrote to memory of 2768	2668	cmd.exe	42
PID 2668 wrote to memory of 2768	2668	cmd.exe	42
PID 2668 wrote to memory of 2768	2668	cmd.exe	42
PID 2276 wrote to memory of 1744	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	43
PID 2276 wrote to memory of 1744	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	43
PID 2276 wrote to memory of 1744	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	43
PID 2276 wrote to memory of 1744	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	43
PID 1744 wrote to memory of 2228	1744	cmd.exe	45
PID 1744 wrote to memory of 2228	1744	cmd.exe	45
PID 1744 wrote to memory of 2228	1744	cmd.exe	45
PID 2276 wrote to memory of 1640	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	46
PID 2276 wrote to memory of 1640	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	46
PID 2276 wrote to memory of 1640	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	46
PID 2276 wrote to memory of 1640	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	46
PID 1640 wrote to memory of 1036	1640	cmd.exe	48
PID 1640 wrote to memory of 1036	1640	cmd.exe	48
PID 1640 wrote to memory of 1036	1640	cmd.exe	48
PID 2276 wrote to memory of 500	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	49
PID 2276 wrote to memory of 500	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	49
PID 2276 wrote to memory of 500	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	49
PID 2276 wrote to memory of 500	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	49
PID 500 wrote to memory of 2248	500	cmd.exe	51
PID 500 wrote to memory of 2248	500	cmd.exe	51
PID 500 wrote to memory of 2248	500	cmd.exe	51
PID 2276 wrote to memory of 1648	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	52
PID 2276 wrote to memory of 1648	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	52
PID 2276 wrote to memory of 1648	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	52
PID 2276 wrote to memory of 1648	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	52
PID 1648 wrote to memory of 2220	1648	cmd.exe	54
PID 1648 wrote to memory of 2220	1648	cmd.exe	54
PID 1648 wrote to memory of 2220	1648	cmd.exe	54
PID 2276 wrote to memory of 1348	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	55
PID 2276 wrote to memory of 1348	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	55
PID 2276 wrote to memory of 1348	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	55
PID 2276 wrote to memory of 1348	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	55
PID 1348 wrote to memory of 1240	1348	cmd.exe	57
PID 1348 wrote to memory of 1240	1348	cmd.exe	57
PID 1348 wrote to memory of 1240	1348	cmd.exe	57
PID 2276 wrote to memory of 2316	2276	63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
"C:\Users\Admin\AppData\Local\Temp\63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4CAEAF13-4826-4421-825E-BA845C1D8E46}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4CAEAF13-4826-4421-825E-BA845C1D8E46}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CCB3571B-7BA6-4B37-AFFE-17356E5670F9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CCB3571B-7BA6-4B37-AFFE-17356E5670F9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3972B6B-946F-4910-A92F-ADF310231A24}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3972B6B-946F-4910-A92F-ADF310231A24}'" delete
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{861906C3-9C2E-4652-B87E-2AEEA61D4CC3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{861906C3-9C2E-4652-B87E-2AEEA61D4CC3}'" delete
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FEB41CC-EF4C-4741-B148-8F420CDDBFE7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FEB41CC-EF4C-4741-B148-8F420CDDBFE7}'" delete
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B6F56B9-8BD7-4062-A0D4-165D4CC01A61}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B6F56B9-8BD7-4062-A0D4-165D4CC01A61}'" delete
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{04A8E7CA-DAF3-4C9C-A31B-202FD2AD3052}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{04A8E7CA-DAF3-4C9C-A31B-202FD2AD3052}'" delete
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D491F645-097A-47D2-B1FE-B030ECA46B58}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D491F645-097A-47D2-B1FE-B030ECA46B58}'" delete
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F5AF87F-91B0-4148-8D25-A6E3C7D5261B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4F5AF87F-91B0-4148-8D25-A6E3C7D5261B}'" delete
    3⤵
    PID:1240
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EC354C0-E460-4212-9DBD-35887D7F039C}'" delete
  2⤵
  PID:2316
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EC354C0-E460-4212-9DBD-35887D7F039C}'" delete
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AE5762F-D3E5-42E8-B593-27569CD51610}'" delete
  2⤵
  PID:1924
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AE5762F-D3E5-42E8-B593-27569CD51610}'" delete
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4CD08B63-DF1A-4905-975C-2C79D06AEF3B}'" delete
  2⤵
  PID:856
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4CD08B63-DF1A-4905-975C-2C79D06AEF3B}'" delete
    3⤵
    PID:784
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F78C8D4D-07A5-4C13-A91F-53E51AC04E47}'" delete
  2⤵
  PID:1320
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F78C8D4D-07A5-4C13-A91F-53E51AC04E47}'" delete
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47AE91EE-B05B-4A1E-8EFB-A033816B0334}'" delete
  2⤵
  PID:1868
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47AE91EE-B05B-4A1E-8EFB-A033816B0334}'" delete
    3⤵
    PID:2752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F4FC0231-DC89-4942-AF6C-12A842E588A8}'" delete
  2⤵
  PID:1800
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F4FC0231-DC89-4942-AF6C-12A842E588A8}'" delete
    3⤵
    PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA8B0303-2EA2-4878-9F11-FCA6F8BF8696}'" delete
  2⤵
  PID:3040
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA8B0303-2EA2-4878-9F11-FCA6F8BF8696}'" delete
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{032A655B-93A2-4C4E-B04D-2BE0BAF8010E}'" delete
  2⤵
  PID:1568
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{032A655B-93A2-4C4E-B04D-2BE0BAF8010E}'" delete
    3⤵
    PID:1372
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42230C3C-1DDF-484B-89B7-EB2DB4CDF51D}'" delete
  2⤵
  PID:3000
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{42230C3C-1DDF-484B-89B7-EB2DB4CDF51D}'" delete
    3⤵
    PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
867B

MD5
3e9c3d04dab03530e2fc91b2370118b7

SHA1
e14b473b8415a54cdd0df5fce4fc2eb329145e86

SHA256
f4f6cc9d015f28fd0ee1ba639bd2770ef6cc6fa07d270e4df29f0d150d2e5605

SHA512
78d4db2f29afce504808f0621257d01240df5fb873775c6f44389a788ac39fd72a8fee3e76ea8d7fa5e5dc8a5eedcf95d170323a97a907dbd9d6c69ab6a9389b

Download Submit
memory/2276-17555-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-9-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-1-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-12078-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-0-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17557-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17564-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17567-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17566-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17565-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17568-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download
memory/2276-17573-0x0000000000070000-0x00000000000A5000-memory.dmp

Filesize
212KB

Download