conti | 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
Size

398KB
MD5

b092f52111eafdb88d8cc5a8a824323c
SHA1

f99d0640653cf3a64deb8641c5aa46828c9cd031
SHA256

2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b
SHA512

b9e5d5cff8910773ce8a880858935bc1b8c635a8a00cc5c6804d527eead04505804c9fae62200abb997b99f744c0181479e973b6466d728a4abf1dea390f0906
SSDEEP

12288:9bPHdKYAO63nKT58kJl9Pzqf5u1G1IA6/PTN:979I3ng+00v1wrN

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- Cs75p7DrFSPZ501MD5T6cQoibKxxO5GObAE6lQDGBzqb9gk6Ei0l4Mf2JWcIahw3 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (129) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\EditStop.avi	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Internet Explorer\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Microsoft Office\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Adobe\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DebugNew.docx	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Common Files\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\ImportConnect.scf	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\PushImport.inf	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Google\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\HideSync.7z	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\ExpandMerge.aif	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\UndoSave.wmf	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\EditOut.mpeg	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Microsoft Office\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\GroupPush.reg	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\DVD Maker\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\GroupStop.vdw	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Uninstall Information\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\ConvertFromUninstall.mid	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\OutExport.M2V	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\RenameDisconnect.wax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\UninstallOpen.vsdx	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Google\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DisconnectStart.vsd	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\LimitUnregister.htm	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\SplitInstall.odp	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\CompleteCheckpoint.wma	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Java\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
File created	C:\Program Files\Uninstall Information\readme.txt	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2708	vssvc.exe
Token: SeRestorePrivilege	2708	vssvc.exe
Token: SeAuditPrivilege	2708	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe
Token: 35	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe
Token: 35	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2372	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	31
PID 2212 wrote to memory of 2372	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	31
PID 2212 wrote to memory of 2372	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	31
PID 2212 wrote to memory of 2372	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	31
PID 2372 wrote to memory of 2488	2372	cmd.exe	33
PID 2372 wrote to memory of 2488	2372	cmd.exe	33
PID 2372 wrote to memory of 2488	2372	cmd.exe	33
PID 2212 wrote to memory of 2616	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	34
PID 2212 wrote to memory of 2616	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	34
PID 2212 wrote to memory of 2616	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	34
PID 2212 wrote to memory of 2616	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	34
PID 2616 wrote to memory of 2360	2616	cmd.exe	36
PID 2616 wrote to memory of 2360	2616	cmd.exe	36
PID 2616 wrote to memory of 2360	2616	cmd.exe	36
PID 2212 wrote to memory of 2056	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	37
PID 2212 wrote to memory of 2056	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	37
PID 2212 wrote to memory of 2056	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	37
PID 2212 wrote to memory of 2056	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	37
PID 2056 wrote to memory of 2620	2056	cmd.exe	39
PID 2056 wrote to memory of 2620	2056	cmd.exe	39
PID 2056 wrote to memory of 2620	2056	cmd.exe	39
PID 2212 wrote to memory of 1124	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	40
PID 2212 wrote to memory of 1124	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	40
PID 2212 wrote to memory of 1124	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	40
PID 2212 wrote to memory of 1124	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	40
PID 1124 wrote to memory of 1480	1124	cmd.exe	42
PID 1124 wrote to memory of 1480	1124	cmd.exe	42
PID 1124 wrote to memory of 1480	1124	cmd.exe	42
PID 2212 wrote to memory of 1876	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	43
PID 2212 wrote to memory of 1876	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	43
PID 2212 wrote to memory of 1876	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	43
PID 2212 wrote to memory of 1876	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	43
PID 1876 wrote to memory of 1100	1876	cmd.exe	45
PID 1876 wrote to memory of 1100	1876	cmd.exe	45
PID 1876 wrote to memory of 1100	1876	cmd.exe	45
PID 2212 wrote to memory of 1508	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	46
PID 2212 wrote to memory of 1508	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	46
PID 2212 wrote to memory of 1508	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	46
PID 2212 wrote to memory of 1508	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	46
PID 1508 wrote to memory of 2448	1508	cmd.exe	48
PID 1508 wrote to memory of 2448	1508	cmd.exe	48
PID 1508 wrote to memory of 2448	1508	cmd.exe	48
PID 2212 wrote to memory of 2792	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	49
PID 2212 wrote to memory of 2792	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	49
PID 2212 wrote to memory of 2792	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	49
PID 2212 wrote to memory of 2792	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	49
PID 2792 wrote to memory of 2968	2792	cmd.exe	51
PID 2792 wrote to memory of 2968	2792	cmd.exe	51
PID 2792 wrote to memory of 2968	2792	cmd.exe	51
PID 2212 wrote to memory of 1304	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	52
PID 2212 wrote to memory of 1304	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	52
PID 2212 wrote to memory of 1304	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	52
PID 2212 wrote to memory of 1304	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	52
PID 1304 wrote to memory of 1996	1304	cmd.exe	54
PID 1304 wrote to memory of 1996	1304	cmd.exe	54
PID 1304 wrote to memory of 1996	1304	cmd.exe	54
PID 2212 wrote to memory of 1196	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	55
PID 2212 wrote to memory of 1196	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	55
PID 2212 wrote to memory of 1196	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	55
PID 2212 wrote to memory of 1196	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	55
PID 1196 wrote to memory of 1428	1196	cmd.exe	57
PID 1196 wrote to memory of 1428	1196	cmd.exe	57
PID 1196 wrote to memory of 1428	1196	cmd.exe	57
PID 2212 wrote to memory of 1088	2212	2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
"C:\Users\Admin\AppData\Local\Temp\2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E81ECA34-0487-4F22-84AF-24B24EFC10F5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E81ECA34-0487-4F22-84AF-24B24EFC10F5}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3CA3636-424E-4EE7-AA3B-DD9FE71DB7EF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3CA3636-424E-4EE7-AA3B-DD9FE71DB7EF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55EEE98E-8407-462D-BD0F-BB7B75CE31BD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55EEE98E-8407-462D-BD0F-BB7B75CE31BD}'" delete
    3⤵
    PID:2620
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93CC03E3-6DF1-4637-BD22-4710443E5940}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93CC03E3-6DF1-4637-BD22-4710443E5940}'" delete
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF040487-4543-4ED1-ADEF-D3FDA4645F47}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF040487-4543-4ED1-ADEF-D3FDA4645F47}'" delete
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF0E04A7-8711-402B-8C20-EEB832489320}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF0E04A7-8711-402B-8C20-EEB832489320}'" delete
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5EC4895-427C-4C2A-91E7-880BF2BDE1CC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5EC4895-427C-4C2A-91E7-880BF2BDE1CC}'" delete
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68712A02-8F02-4CD5-BDC3-49A46F7FCFAF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68712A02-8F02-4CD5-BDC3-49A46F7FCFAF}'" delete
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D214B12C-18E5-4F9B-8285-2E67C974D5C6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D214B12C-18E5-4F9B-8285-2E67C974D5C6}'" delete
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3B6FDDF-F69E-42D8-9784-6491C8FAF565}'" delete
  2⤵
  PID:1088
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3B6FDDF-F69E-42D8-9784-6491C8FAF565}'" delete
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D9F7447-5EF0-4664-B284-7F089E1F3046}'" delete
  2⤵
  PID:1092
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D9F7447-5EF0-4664-B284-7F089E1F3046}'" delete
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19173608-B2D7-4496-AF78-575677249E0D}'" delete
  2⤵
  PID:1680
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19173608-B2D7-4496-AF78-575677249E0D}'" delete
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA53263B-500C-44CA-9451-E02FC42C641C}'" delete
  2⤵
  PID:2264
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA53263B-500C-44CA-9451-E02FC42C641C}'" delete
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{442F1A31-BF66-4847-8677-49387E6CF18D}'" delete
  2⤵
  PID:324
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{442F1A31-BF66-4847-8677-49387E6CF18D}'" delete
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9AD2CD3-B216-4DA9-8395-7248C5BCB39F}'" delete
  2⤵
  PID:1764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9AD2CD3-B216-4DA9-8395-7248C5BCB39F}'" delete
    3⤵
    PID:280
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED2ABB9C-6F00-40D8-B24C-9C055703EE86}'" delete
  2⤵
  PID:2148
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED2ABB9C-6F00-40D8-B24C-9C055703EE86}'" delete
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B59BF6AD-AD3F-48D7-8AC5-C00E28BB661F}'" delete
  2⤵
  PID:2268
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B59BF6AD-AD3F-48D7-8AC5-C00E28BB661F}'" delete
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D7FFFCBE-24E2-4A8B-A802-375E6EC5AB99}'" delete
  2⤵
  PID:944
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D7FFFCBE-24E2-4A8B-A802-375E6EC5AB99}'" delete
    3⤵
    PID:1868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
c946a2fc2781077eef105ad2b9c5febd

SHA1
a8dfae2d48733af6e2dd628ce3a93760fa37dc5a

SHA256
2be6b3226513fe74e93e26e2051179e78ee722984713067c9835873904623803

SHA512
56d64d43a705d63fbfea2426d8d88bcbf71c3f1d4bc968d3d6f6e9d2ab414326a59a6ab676260c701ced0c28a7c3bc55ee639218a3699ebb693a4f575404f7c8

Download Submit
memory/2212-5-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2212-3-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/2212-20-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-28-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2212-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-254-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-2-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download
memory/2212-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-29-0x0000000000401000-0x0000000000429000-memory.dmp

Filesize
160KB

Download
memory/2212-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-92-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-186-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2212-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download