conti | ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
Size

490KB
MD5

5c543db6d893af1e320bec4787490e70
SHA1

17b911525e0dc7c7c188dcfa8c376ad729b27a59
SHA256

ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da
SHA512

ff81bac8728b6bc6a4b5787bbbc2cb16f39a2f092e4fa9b09bae01671a5eb6c4dd2f0bb5dfc59f7b893181cedd1b816bf866f4f823e05ee3073f6f1eb1d6cffc
SSDEEP

3072:D1ywyQ5Q6Bro3zJHfzypOH+xzVXpVHkK4jzeTCxaBgeU:MwyI5o3zJWPzTBOzeOahU

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\FormatSkip.au3	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\DVD Maker\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Microsoft Office\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\RedoTrace.AAC	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\StopCheckpoint.asp	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\StopClear.xht	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\ConvertFromWait.dxf	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\UndoClose.wmv	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Common Files\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Java\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\UnpublishEdit.mp4v	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\RenameTrace.mp3	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\TraceRedo.contact	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\BlockRestart.cfg	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\ResolveSend.au	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\SubmitStart.tif	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\FormatExpand.rmi	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\OpenTest.emz	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\RevokeOut.css	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files (x86)\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\ResumeMerge.tiff	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\SelectSearch.AAC	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Google\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\ConvertDeny.m3u	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Internet Explorer\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\desktop.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\ImportDismount.xml	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\CompleteUnregister.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File created	C:\Program Files\Microsoft Games\readme.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\SkipExport.ps1	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
File opened for modification	C:\Program Files\DebugStep.mpp	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	1200	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2780	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	33
PID 1200 wrote to memory of 2780	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	33
PID 1200 wrote to memory of 2780	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	33
PID 1200 wrote to memory of 2780	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	33
PID 2780 wrote to memory of 764	2780	cmd.exe	35
PID 2780 wrote to memory of 764	2780	cmd.exe	35
PID 2780 wrote to memory of 764	2780	cmd.exe	35
PID 1200 wrote to memory of 2564	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	36
PID 1200 wrote to memory of 2564	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	36
PID 1200 wrote to memory of 2564	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	36
PID 1200 wrote to memory of 2564	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	36
PID 2564 wrote to memory of 2836	2564	cmd.exe	38
PID 2564 wrote to memory of 2836	2564	cmd.exe	38
PID 2564 wrote to memory of 2836	2564	cmd.exe	38
PID 1200 wrote to memory of 2664	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	39
PID 1200 wrote to memory of 2664	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	39
PID 1200 wrote to memory of 2664	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	39
PID 1200 wrote to memory of 2664	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	39
PID 2664 wrote to memory of 2704	2664	cmd.exe	41
PID 2664 wrote to memory of 2704	2664	cmd.exe	41
PID 2664 wrote to memory of 2704	2664	cmd.exe	41
PID 1200 wrote to memory of 2276	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	42
PID 1200 wrote to memory of 2276	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	42
PID 1200 wrote to memory of 2276	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	42
PID 1200 wrote to memory of 2276	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	42
PID 2276 wrote to memory of 2132	2276	cmd.exe	44
PID 2276 wrote to memory of 2132	2276	cmd.exe	44
PID 2276 wrote to memory of 2132	2276	cmd.exe	44
PID 1200 wrote to memory of 2936	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	45
PID 1200 wrote to memory of 2936	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	45
PID 1200 wrote to memory of 2936	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	45
PID 1200 wrote to memory of 2936	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	45
PID 2936 wrote to memory of 1604	2936	cmd.exe	47
PID 2936 wrote to memory of 1604	2936	cmd.exe	47
PID 2936 wrote to memory of 1604	2936	cmd.exe	47
PID 1200 wrote to memory of 760	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	48
PID 1200 wrote to memory of 760	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	48
PID 1200 wrote to memory of 760	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	48
PID 1200 wrote to memory of 760	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	48
PID 760 wrote to memory of 1288	760	cmd.exe	50
PID 760 wrote to memory of 1288	760	cmd.exe	50
PID 760 wrote to memory of 1288	760	cmd.exe	50
PID 1200 wrote to memory of 2568	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	51
PID 1200 wrote to memory of 2568	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	51
PID 1200 wrote to memory of 2568	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	51
PID 1200 wrote to memory of 2568	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	51
PID 2568 wrote to memory of 1908	2568	cmd.exe	53
PID 2568 wrote to memory of 1908	2568	cmd.exe	53
PID 2568 wrote to memory of 1908	2568	cmd.exe	53
PID 1200 wrote to memory of 2044	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	54
PID 1200 wrote to memory of 2044	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	54
PID 1200 wrote to memory of 2044	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	54
PID 1200 wrote to memory of 2044	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	54
PID 2044 wrote to memory of 2920	2044	cmd.exe	56
PID 2044 wrote to memory of 2920	2044	cmd.exe	56
PID 2044 wrote to memory of 2920	2044	cmd.exe	56
PID 1200 wrote to memory of 2732	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	57
PID 1200 wrote to memory of 2732	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	57
PID 1200 wrote to memory of 2732	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	57
PID 1200 wrote to memory of 2732	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	57
PID 2732 wrote to memory of 3004	2732	cmd.exe	59
PID 2732 wrote to memory of 3004	2732	cmd.exe	59
PID 2732 wrote to memory of 3004	2732	cmd.exe	59
PID 1200 wrote to memory of 3060	1200	ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
"C:\Users\Admin\AppData\Local\Temp\ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete
    3⤵
    PID:2920
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete
  2⤵
  PID:3060
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete
  2⤵
  PID:1852
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete
  2⤵
  PID:940
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete
  2⤵
  PID:2640
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete
  2⤵
  PID:2168
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete
  2⤵
  PID:2128
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete
  2⤵
  PID:1956
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete
    3⤵
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete
  2⤵
  PID:2624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete
    3⤵
    PID:492
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete
  2⤵
  PID:1784
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete
    3⤵
    PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1604
  2⤵
  - Program crash
  PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
cd5bd2556f45ff81cdd6bb80c603254f

SHA1
6619f302809bb04d9b587bd6868a50485b6eb98b

SHA256
5587545c8e5bf66f3c4b45bfd127a1f5487d93038233d86ffab2a4542cce66d7

SHA512
14a972981d08cacef6aab37c766272f3ca24a3628046f7a18bc685264a7ec55d875f3b5494ebd49a2f50b8c14d1d230cc60003fac5e35fd13b5a6eb60a8ec050

Download Submit