conti | 418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
Size

373KB
MD5

cd0795c8b2bb7a19e10f06f8d23face4
SHA1

3e73188e446dcdc5796fc904e8bb6768a787a9e0
SHA256

418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd
SHA512

4ebd157f5ceb4cf98c6e417ab38c547c4684c3063cc8cd3b6af47d6f5d2615257ac944a4bddc312dffeac6ee4ee4d55090f9cc5f973976e29ddf14775c3d30a7
SSDEEP

6144:4u3961zes6RBIkXi5ts0lnt4Zz4ByevEPzgpDxceGxImYMSbf/mEmbwX5elm7Dm:DJrB3SRt4ZzEiPzaFceG2DDX0F

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7351) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling.ort.DATA	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\[email protected]	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-en_us.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-down_32.svg	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\main.css	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\ui-strings.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\readme.txt	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4776	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
4776	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 848	4776	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	88
PID 4776 wrote to memory of 848	4776	418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe	88
PID 848 wrote to memory of 3916	848	cmd.exe	90
PID 848 wrote to memory of 3916	848	cmd.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe
"C:\Users\Admin\AppData\Local\Temp\418883200e3ba973c65013588c714abfa984e8fe1d9bc3697bb7796089ab9fbd.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F894500-B0D1-4FCE-86B1-EF282AFF96BE}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F894500-B0D1-4FCE-86B1-EF282AFF96BE}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
d37ef45fe5c6586a80321288d58a5781

SHA1
9dfec63a05fff0bbd0b4098359ba955fe60cb760

SHA256
b88d37ddce9f4fcf798faaa27741331bec4cea80cdf0f287504e4238dae55259

SHA512
a709f8dd5d570e922901b9f7206e57f7631f85bebb4ad4861c7efb16cfe6ed911ee516b89d2f3a8a07524d63c364220171fe54910df2887537f3b3de73d5fe76

Download Submit
memory/4776-4-0x00000000020E0000-0x000000000211C000-memory.dmp

Filesize
240KB

Download
memory/4776-18442-0x00000000020E0000-0x000000000211C000-memory.dmp

Filesize
240KB

Download
memory/4776-9-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-5-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download
memory/4776-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4776-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-8-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-7-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-7064-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download
memory/4776-3585-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-7061-0x00000000020E0000-0x000000000211C000-memory.dmp

Filesize
240KB

Download
memory/4776-7045-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-12210-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-18440-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-18441-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4776-18443-0x0000000000401000-0x0000000000423000-memory.dmp

Filesize
136KB

Download
memory/4776-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download