conti | 96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
Size

79KB
MD5

09bf7675031e2b2d9ebff54b1bee8293
SHA1

340234e34e93cc2445105745dc04287b0dd40e4f
SHA256

96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c
SHA512

565d896268ea6b8e6f8bfcba63cf692fd7ae59a7323fddbd1909d6693c90ab7f0fac424400ccc163c9070f4a475308bc34c5e84724f788cf9975c03fd827cdf4
SSDEEP

1536:cGKKVxyAYCbnjzbYzWOnGWqr63X5nVEyMiyfq:nKeNbnDYzvGEX5XMZ

Score

10^/10

conti ransomware upx

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- YOQttZVleIkJ2AhK4o9vF0dDcITDzFCB8yPriHeIwNgcrJmbzGK2ejixLM15WiEy ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000180000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1744-17-0x0000000000180000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1744-57-0x0000000000180000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1744-96-0x0000000000180000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1744-157-0x0000000000180000-0x00000000001B8000-memory.dmp	upx
behavioral1/memory/1744-178-0x0000000000180000-0x00000000001B8000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\7-Zip\Lang\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\InitializeSkip.DVR	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\JoinConvert.m4v	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\StepStart.cr2	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Internet Explorer\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Adobe\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\ApproveProtect.wax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\DVD Maker\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Google\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Uninstall Information\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft Office\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\OutConfirm.xps	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\VideoLAN\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\ImportNew.dib	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\RepairMount.mpe	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Uninstall Information\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\RequestDismount.mp4	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\UseTrace.lock	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Microsoft Games\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files\Microsoft Office\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
File created	C:\Program Files (x86)\Google\readme.txt	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2964	vssvc.exe
Token: SeRestorePrivilege	2964	vssvc.exe
Token: SeAuditPrivilege	2964	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2652	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	31
PID 1744 wrote to memory of 2652	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	31
PID 1744 wrote to memory of 2652	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	31
PID 1744 wrote to memory of 2652	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	31
PID 2652 wrote to memory of 2648	2652	cmd.exe	33
PID 2652 wrote to memory of 2648	2652	cmd.exe	33
PID 2652 wrote to memory of 2648	2652	cmd.exe	33
PID 1744 wrote to memory of 2720	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	34
PID 1744 wrote to memory of 2720	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	34
PID 1744 wrote to memory of 2720	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	34
PID 1744 wrote to memory of 2720	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	34
PID 2720 wrote to memory of 2672	2720	cmd.exe	36
PID 2720 wrote to memory of 2672	2720	cmd.exe	36
PID 2720 wrote to memory of 2672	2720	cmd.exe	36
PID 1744 wrote to memory of 2748	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	37
PID 1744 wrote to memory of 2748	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	37
PID 1744 wrote to memory of 2748	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	37
PID 1744 wrote to memory of 2748	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	37
PID 2748 wrote to memory of 2600	2748	cmd.exe	39
PID 2748 wrote to memory of 2600	2748	cmd.exe	39
PID 2748 wrote to memory of 2600	2748	cmd.exe	39
PID 1744 wrote to memory of 2436	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	40
PID 1744 wrote to memory of 2436	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	40
PID 1744 wrote to memory of 2436	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	40
PID 1744 wrote to memory of 2436	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	40
PID 2436 wrote to memory of 2456	2436	cmd.exe	42
PID 2436 wrote to memory of 2456	2436	cmd.exe	42
PID 2436 wrote to memory of 2456	2436	cmd.exe	42
PID 1744 wrote to memory of 2888	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	43
PID 1744 wrote to memory of 2888	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	43
PID 1744 wrote to memory of 2888	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	43
PID 1744 wrote to memory of 2888	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	43
PID 2888 wrote to memory of 3060	2888	cmd.exe	45
PID 2888 wrote to memory of 3060	2888	cmd.exe	45
PID 2888 wrote to memory of 3060	2888	cmd.exe	45
PID 1744 wrote to memory of 1912	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	46
PID 1744 wrote to memory of 1912	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	46
PID 1744 wrote to memory of 1912	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	46
PID 1744 wrote to memory of 1912	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	46
PID 1912 wrote to memory of 1660	1912	cmd.exe	48
PID 1912 wrote to memory of 1660	1912	cmd.exe	48
PID 1912 wrote to memory of 1660	1912	cmd.exe	48
PID 1744 wrote to memory of 1640	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	49
PID 1744 wrote to memory of 1640	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	49
PID 1744 wrote to memory of 1640	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	49
PID 1744 wrote to memory of 1640	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	49
PID 1640 wrote to memory of 1080	1640	cmd.exe	51
PID 1640 wrote to memory of 1080	1640	cmd.exe	51
PID 1640 wrote to memory of 1080	1640	cmd.exe	51
PID 1744 wrote to memory of 844	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	52
PID 1744 wrote to memory of 844	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	52
PID 1744 wrote to memory of 844	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	52
PID 1744 wrote to memory of 844	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	52
PID 844 wrote to memory of 1852	844	cmd.exe	54
PID 844 wrote to memory of 1852	844	cmd.exe	54
PID 844 wrote to memory of 1852	844	cmd.exe	54
PID 1744 wrote to memory of 656	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	55
PID 1744 wrote to memory of 656	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	55
PID 1744 wrote to memory of 656	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	55
PID 1744 wrote to memory of 656	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	55
PID 656 wrote to memory of 2612	656	cmd.exe	57
PID 656 wrote to memory of 2612	656	cmd.exe	57
PID 656 wrote to memory of 2612	656	cmd.exe	57
PID 1744 wrote to memory of 2752	1744	96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe
"C:\Users\Admin\AppData\Local\Temp\96a174e37f1554061238bd3439d6cc54e7fe9a435ef01bb35239ea289a42723c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4279E2FB-CD58-4D65-967F-05CF78BFFF17}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4279E2FB-CD58-4D65-967F-05CF78BFFF17}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CFBADD5-AE09-41A1-B528-BFF16D84D3E2}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CFBADD5-AE09-41A1-B528-BFF16D84D3E2}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5937303-648A-4F4D-881C-71E168A7F6E0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5937303-648A-4F4D-881C-71E168A7F6E0}'" delete
    3⤵
    PID:2600
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3568ACFC-7F17-4F12-BDE7-C842F0547B9C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3568ACFC-7F17-4F12-BDE7-C842F0547B9C}'" delete
    3⤵
    PID:2456
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2BF6694-BC92-4381-BBA5-5B20324A70DD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2BF6694-BC92-4381-BBA5-5B20324A70DD}'" delete
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{53F60648-6E91-44D7-B2DC-EBBFF5218FAF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{53F60648-6E91-44D7-B2DC-EBBFF5218FAF}'" delete
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EDD7D81-ABE7-44A7-9E44-CFDDAED7FF68}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1EDD7D81-ABE7-44A7-9E44-CFDDAED7FF68}'" delete
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A85260A-7A2A-4640-A17E-91FE698B0006}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A85260A-7A2A-4640-A17E-91FE698B0006}'" delete
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9579A553-0263-4CE1-AD24-1B3F1F7A1D82}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9579A553-0263-4CE1-AD24-1B3F1F7A1D82}'" delete
    3⤵
    PID:2612
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97FC7C0E-BDFD-4EB0-A04F-D77C0984EF7C}'" delete
  2⤵
  PID:2752
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97FC7C0E-BDFD-4EB0-A04F-D77C0984EF7C}'" delete
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B910CCE1-6B67-4BE0-BBD1-578251C4321D}'" delete
  2⤵
  PID:1264
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B910CCE1-6B67-4BE0-BBD1-578251C4321D}'" delete
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{28E9B887-B496-410E-BB29-8EA9F33117EE}'" delete
  2⤵
  PID:2068
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{28E9B887-B496-410E-BB29-8EA9F33117EE}'" delete
    3⤵
    PID:2108
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8AFF4332-E085-48EB-B1FB-16F06F0BBE66}'" delete
  2⤵
  PID:2268
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8AFF4332-E085-48EB-B1FB-16F06F0BBE66}'" delete
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{372D3718-306D-46FF-BBAE-7E2DEAEC3BD4}'" delete
  2⤵
  PID:1856
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{372D3718-306D-46FF-BBAE-7E2DEAEC3BD4}'" delete
    3⤵
    PID:264
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7621A39-F5C3-438A-9A79-291343091BE7}'" delete
  2⤵
  PID:568
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7621A39-F5C3-438A-9A79-291343091BE7}'" delete
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F4AA7D9B-AACF-4FE3-BDBC-F4BD0679CF3D}'" delete
  2⤵
  PID:1644
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F4AA7D9B-AACF-4FE3-BDBC-F4BD0679CF3D}'" delete
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76DFA763-62B0-4719-837B-482A7DFCAD85}'" delete
  2⤵
  PID:1128
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76DFA763-62B0-4719-837B-482A7DFCAD85}'" delete
    3⤵
    PID:296
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F38B355-E378-40C3-800D-6123A3373CD6}'" delete
  2⤵
  PID:444
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F38B355-E378-40C3-800D-6123A3373CD6}'" delete
    3⤵
    PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
289d65b925fe5786b4fa0777fb6c9c25

SHA1
1f197eb1167aba94f9209db9638022e368ab5de9

SHA256
c7bfbc0528e31ea5e0c00aba36f8d840019e53f3a2312303ac22042357bf91f3

SHA512
eb5a4d7246df13f47603dba937fd28c0f4e7a153d076ef0cc3056412976d1552a70bdb46c016f570b5bd643fa92abaca6aebf07f1a8265384be3e118255a44c9

Download Submit
memory/1744-0-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1744-17-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1744-57-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1744-96-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1744-157-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1744-178-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download