conti | 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Size

514KB
MD5

3d8f8da9897e81121c83d0d17c560452
SHA1

9829e8264216726f69e731394c08354e74a3b1f8
SHA256

75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb
SHA512

de066843392b0fb410269142732885bb0e5f7cba8b78023d126d9ef14433451a8baa96b90091b9819d57a9e4cffd9ac44d733af46a4f70f5a0cc476f20293132
SSDEEP

3072:Qy3XfbBI4++rye6iLf2zKUAOe4UKXqlc8Lm87wgZPyzOmem0Oa9G8Y3:FXzin6raUKXSL/hIOH/

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\UnblockGrant.DVR-MS	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\Common Files\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\Microsoft Office\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\EnableConvertFrom.vsw	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ProtectWrite.jpeg	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\SearchGet.nfo	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ShowComplete.csv	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UnlockWait.bmp	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\SaveExit.wmx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UseUnpublish.WTV	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ClearRead.xltm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ConvertFromPing.xltm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UnprotectClear.odp	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files (x86)\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\BlockAssert.nfo	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\SyncExit.htm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ConvertGet.7z	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\DVD Maker\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ConvertFromResolve.rmi	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\Internet Explorer\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\AddImport.gif	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\InvokeDisconnect.mp4	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UpdateTest.vdw	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\PublishExport.xml	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\StopRestore.htm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\NewDisable.mp3	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\Google\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ConnectRename.dib	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ProtectLimit.jpeg	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\RequestSubmit.vstm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UnprotectDisable.rtf	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File created	C:\Program Files\readme.txt	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DenyRequest.asx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\MountRegister.vsx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\UndoResume.htm	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\StartUnblock.fon	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
File opened for modification	C:\Program Files\ConfirmLimit.easmx	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	2912	WerFault.exe	27

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2280	vssvc.exe
Token: SeRestorePrivilege	2280	vssvc.exe
Token: SeAuditPrivilege	2280	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	1936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1936	WMIC.exe
Token: SeRemoteShutdownPrivilege	1936	WMIC.exe
Token: SeUndockPrivilege	1936	WMIC.exe
Token: SeManageVolumePrivilege	1936	WMIC.exe
Token: 33	1936	WMIC.exe
Token: 34	1936	WMIC.exe
Token: 35	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	1936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1936	WMIC.exe
Token: SeRemoteShutdownPrivilege	1936	WMIC.exe
Token: SeUndockPrivilege	1936	WMIC.exe
Token: SeManageVolumePrivilege	1936	WMIC.exe
Token: 33	1936	WMIC.exe
Token: 34	1936	WMIC.exe
Token: 35	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2268	WMIC.exe
Token: SeSecurityPrivilege	2268	WMIC.exe
Token: SeTakeOwnershipPrivilege	2268	WMIC.exe
Token: SeLoadDriverPrivilege	2268	WMIC.exe
Token: SeSystemProfilePrivilege	2268	WMIC.exe
Token: SeSystemtimePrivilege	2268	WMIC.exe
Token: SeProfSingleProcessPrivilege	2268	WMIC.exe
Token: SeIncBasePriorityPrivilege	2268	WMIC.exe
Token: SeCreatePagefilePrivilege	2268	WMIC.exe
Token: SeBackupPrivilege	2268	WMIC.exe
Token: SeRestorePrivilege	2268	WMIC.exe
Token: SeShutdownPrivilege	2268	WMIC.exe
Token: SeDebugPrivilege	2268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2268	WMIC.exe
Token: SeRemoteShutdownPrivilege	2268	WMIC.exe
Token: SeUndockPrivilege	2268	WMIC.exe
Token: SeManageVolumePrivilege	2268	WMIC.exe
Token: 33	2268	WMIC.exe
Token: 34	2268	WMIC.exe
Token: 35	2268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2268	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2420	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	31
PID 2912 wrote to memory of 2420	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	31
PID 2912 wrote to memory of 2420	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	31
PID 2912 wrote to memory of 2420	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	31
PID 2420 wrote to memory of 1936	2420	cmd.exe	33
PID 2420 wrote to memory of 1936	2420	cmd.exe	33
PID 2420 wrote to memory of 1936	2420	cmd.exe	33
PID 2912 wrote to memory of 2292	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	34
PID 2912 wrote to memory of 2292	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	34
PID 2912 wrote to memory of 2292	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	34
PID 2912 wrote to memory of 2292	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	34
PID 2292 wrote to memory of 2268	2292	cmd.exe	36
PID 2292 wrote to memory of 2268	2292	cmd.exe	36
PID 2292 wrote to memory of 2268	2292	cmd.exe	36
PID 2912 wrote to memory of 752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	37
PID 2912 wrote to memory of 752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	37
PID 2912 wrote to memory of 752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	37
PID 2912 wrote to memory of 752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	37
PID 752 wrote to memory of 2624	752	cmd.exe	39
PID 752 wrote to memory of 2624	752	cmd.exe	39
PID 752 wrote to memory of 2624	752	cmd.exe	39
PID 2912 wrote to memory of 2752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	40
PID 2912 wrote to memory of 2752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	40
PID 2912 wrote to memory of 2752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	40
PID 2912 wrote to memory of 2752	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	40
PID 2752 wrote to memory of 2636	2752	cmd.exe	42
PID 2752 wrote to memory of 2636	2752	cmd.exe	42
PID 2752 wrote to memory of 2636	2752	cmd.exe	42
PID 2912 wrote to memory of 2720	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	43
PID 2912 wrote to memory of 2720	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	43
PID 2912 wrote to memory of 2720	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	43
PID 2912 wrote to memory of 2720	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	43
PID 2720 wrote to memory of 2760	2720	cmd.exe	45
PID 2720 wrote to memory of 2760	2720	cmd.exe	45
PID 2720 wrote to memory of 2760	2720	cmd.exe	45
PID 2912 wrote to memory of 2808	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	46
PID 2912 wrote to memory of 2808	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	46
PID 2912 wrote to memory of 2808	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	46
PID 2912 wrote to memory of 2808	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	46
PID 2808 wrote to memory of 2616	2808	cmd.exe	48
PID 2808 wrote to memory of 2616	2808	cmd.exe	48
PID 2808 wrote to memory of 2616	2808	cmd.exe	48
PID 2912 wrote to memory of 2380	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	49
PID 2912 wrote to memory of 2380	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	49
PID 2912 wrote to memory of 2380	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	49
PID 2912 wrote to memory of 2380	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	49
PID 2380 wrote to memory of 2492	2380	cmd.exe	51
PID 2380 wrote to memory of 2492	2380	cmd.exe	51
PID 2380 wrote to memory of 2492	2380	cmd.exe	51
PID 2912 wrote to memory of 2944	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	52
PID 2912 wrote to memory of 2944	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	52
PID 2912 wrote to memory of 2944	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	52
PID 2912 wrote to memory of 2944	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	52
PID 2944 wrote to memory of 2236	2944	cmd.exe	54
PID 2944 wrote to memory of 2236	2944	cmd.exe	54
PID 2944 wrote to memory of 2236	2944	cmd.exe	54
PID 2912 wrote to memory of 1304	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	55
PID 2912 wrote to memory of 1304	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	55
PID 2912 wrote to memory of 1304	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	55
PID 2912 wrote to memory of 1304	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	55
PID 1304 wrote to memory of 1800	1304	cmd.exe	57
PID 1304 wrote to memory of 1800	1304	cmd.exe	57
PID 1304 wrote to memory of 1800	1304	cmd.exe	57
PID 2912 wrote to memory of 1664	2912	75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
"C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete
    3⤵
    PID:2760
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete
    3⤵
    PID:1800
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete
  2⤵
  PID:1664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete
  2⤵
  PID:1704
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete
    3⤵
    PID:1672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete
  2⤵
  PID:1616
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete
  2⤵
  PID:828
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete
  2⤵
  PID:744
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete
  2⤵
  PID:2464
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete
  2⤵
  PID:2928
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete
  2⤵
  PID:1112
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete
  2⤵
  PID:2996
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete
    3⤵
    PID:1908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1592
  2⤵
  - Program crash
  PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
306b84b6dfba111b3e824d86804998f1

SHA1
7c1cb91fc2b13ca9b6e96407e12e9811a245eab1

SHA256
3d1d151274bffd401a292c2d6a9c165a757d60e9910e0a04b13ab2feb2655854

SHA512
a0313e4a392aeeb17271d007eea708d19e598525f9a78a6c2aa1fb4485ca7b54686c4c0f87b41606729f1d42ee4419f5e25e56aaeddb887fd5f7e57ed200ea0b

Download Submit