conti | 45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
Size

515KB
MD5

336ea498bb074c39bd64c3ed12105a69
SHA1

ca3db1d10a092fb7b82acd344ec9b25dfcb58e6e
SHA256

45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53
SHA512

4709a61942005c1df62484aaf3ba55d97533325f7c934fbdca62565c0081c3c807ef29d7983eb91b5409ec2ecfb02ff73f614e4c948f77cfa65b76a34a5410ed
SSDEEP

3072:wzyJa/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKOJjWk:wzymEBc2jMQsdJdBgHJ+/dB9rP2UjR

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3E1hCSKyNKBvMOLagh7o4NWP6OEgobzNbxvAi5j7Fhn2e5XHbmjF95MOBU7NCbyG ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\InitializeAdd.vsdm	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\UnregisterConvert.temp	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\MergeWrite.wmv	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\UseWatch.vbe	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\ConvertFromStep.wps	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\ExportComplete.xlt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\UnblockGrant.ps1	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Internet Explorer\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\BlockRename.reg	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\FormatConvertTo.mp2v	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\ConnectHide.tif	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\UnprotectSplit.ADTS	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Microsoft Games\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\RegisterApprove.au	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\SaveBackup.dotx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\DVD Maker\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\AssertBackup.docx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\WaitRestore.xls	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\InitializeTest.dib	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\WaitUninstall.dotx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\VideoLAN\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Google\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Uninstall Information\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\SendClear.rtf	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Uninstall Information\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Adobe\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\ConvertUndo.ttf	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Google\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft Office\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\RenameWatch.vsd	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Microsoft Office\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2380	vssvc.exe
Token: SeRestorePrivilege	2380	vssvc.exe
Token: SeAuditPrivilege	2380	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2984	WMIC.exe
Token: SeSecurityPrivilege	2984	WMIC.exe
Token: SeTakeOwnershipPrivilege	2984	WMIC.exe
Token: SeLoadDriverPrivilege	2984	WMIC.exe
Token: SeSystemProfilePrivilege	2984	WMIC.exe
Token: SeSystemtimePrivilege	2984	WMIC.exe
Token: SeProfSingleProcessPrivilege	2984	WMIC.exe
Token: SeIncBasePriorityPrivilege	2984	WMIC.exe
Token: SeCreatePagefilePrivilege	2984	WMIC.exe
Token: SeBackupPrivilege	2984	WMIC.exe
Token: SeRestorePrivilege	2984	WMIC.exe
Token: SeShutdownPrivilege	2984	WMIC.exe
Token: SeDebugPrivilege	2984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2984	WMIC.exe
Token: SeRemoteShutdownPrivilege	2984	WMIC.exe
Token: SeUndockPrivilege	2984	WMIC.exe
Token: SeManageVolumePrivilege	2984	WMIC.exe
Token: 33	2984	WMIC.exe
Token: 34	2984	WMIC.exe
Token: 35	2984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2984	WMIC.exe
Token: SeSecurityPrivilege	2984	WMIC.exe
Token: SeTakeOwnershipPrivilege	2984	WMIC.exe
Token: SeLoadDriverPrivilege	2984	WMIC.exe
Token: SeSystemProfilePrivilege	2984	WMIC.exe
Token: SeSystemtimePrivilege	2984	WMIC.exe
Token: SeProfSingleProcessPrivilege	2984	WMIC.exe
Token: SeIncBasePriorityPrivilege	2984	WMIC.exe
Token: SeCreatePagefilePrivilege	2984	WMIC.exe
Token: SeBackupPrivilege	2984	WMIC.exe
Token: SeRestorePrivilege	2984	WMIC.exe
Token: SeShutdownPrivilege	2984	WMIC.exe
Token: SeDebugPrivilege	2984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2984	WMIC.exe
Token: SeRemoteShutdownPrivilege	2984	WMIC.exe
Token: SeUndockPrivilege	2984	WMIC.exe
Token: SeManageVolumePrivilege	2984	WMIC.exe
Token: 33	2984	WMIC.exe
Token: 34	2984	WMIC.exe
Token: 35	2984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2804	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	33
PID 1196 wrote to memory of 2804	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	33
PID 1196 wrote to memory of 2804	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	33
PID 1196 wrote to memory of 2804	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	33
PID 2804 wrote to memory of 2984	2804	cmd.exe	35
PID 2804 wrote to memory of 2984	2804	cmd.exe	35
PID 2804 wrote to memory of 2984	2804	cmd.exe	35
PID 1196 wrote to memory of 2836	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	36
PID 1196 wrote to memory of 2836	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	36
PID 1196 wrote to memory of 2836	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	36
PID 1196 wrote to memory of 2836	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	36
PID 2836 wrote to memory of 2224	2836	cmd.exe	38
PID 2836 wrote to memory of 2224	2836	cmd.exe	38
PID 2836 wrote to memory of 2224	2836	cmd.exe	38
PID 1196 wrote to memory of 2956	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	39
PID 1196 wrote to memory of 2956	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	39
PID 1196 wrote to memory of 2956	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	39
PID 1196 wrote to memory of 2956	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	39
PID 2956 wrote to memory of 2744	2956	cmd.exe	41
PID 2956 wrote to memory of 2744	2956	cmd.exe	41
PID 2956 wrote to memory of 2744	2956	cmd.exe	41
PID 1196 wrote to memory of 2620	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	42
PID 1196 wrote to memory of 2620	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	42
PID 1196 wrote to memory of 2620	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	42
PID 1196 wrote to memory of 2620	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	42
PID 2620 wrote to memory of 2660	2620	cmd.exe	44
PID 2620 wrote to memory of 2660	2620	cmd.exe	44
PID 2620 wrote to memory of 2660	2620	cmd.exe	44
PID 1196 wrote to memory of 1820	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	45
PID 1196 wrote to memory of 1820	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	45
PID 1196 wrote to memory of 1820	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	45
PID 1196 wrote to memory of 1820	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	45
PID 1820 wrote to memory of 2300	1820	cmd.exe	47
PID 1820 wrote to memory of 2300	1820	cmd.exe	47
PID 1820 wrote to memory of 2300	1820	cmd.exe	47
PID 1196 wrote to memory of 1512	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	48
PID 1196 wrote to memory of 1512	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	48
PID 1196 wrote to memory of 1512	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	48
PID 1196 wrote to memory of 1512	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	48
PID 1512 wrote to memory of 108	1512	cmd.exe	50
PID 1512 wrote to memory of 108	1512	cmd.exe	50
PID 1512 wrote to memory of 108	1512	cmd.exe	50
PID 1196 wrote to memory of 2952	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	51
PID 1196 wrote to memory of 2952	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	51
PID 1196 wrote to memory of 2952	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	51
PID 1196 wrote to memory of 2952	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	51
PID 2952 wrote to memory of 1652	2952	cmd.exe	53
PID 2952 wrote to memory of 1652	2952	cmd.exe	53
PID 2952 wrote to memory of 1652	2952	cmd.exe	53
PID 1196 wrote to memory of 2912	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	54
PID 1196 wrote to memory of 2912	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	54
PID 1196 wrote to memory of 2912	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	54
PID 1196 wrote to memory of 2912	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	54
PID 2912 wrote to memory of 2304	2912	cmd.exe	56
PID 2912 wrote to memory of 2304	2912	cmd.exe	56
PID 2912 wrote to memory of 2304	2912	cmd.exe	56
PID 1196 wrote to memory of 264	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	57
PID 1196 wrote to memory of 264	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	57
PID 1196 wrote to memory of 264	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	57
PID 1196 wrote to memory of 264	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	57
PID 264 wrote to memory of 780	264	cmd.exe	59
PID 264 wrote to memory of 780	264	cmd.exe	59
PID 264 wrote to memory of 780	264	cmd.exe	59
PID 1196 wrote to memory of 312	1196	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
"C:\Users\Admin\AppData\Local\Temp\45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A197463B-A376-47BF-9252-AC03BDD86B29}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A197463B-A376-47BF-9252-AC03BDD86B29}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15162EC0-9BB8-4BA5-BB8A-1A74E55EE8B7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15162EC0-9BB8-4BA5-BB8A-1A74E55EE8B7}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EB7D1831-8677-49CE-8B9F-6036FBF06989}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EB7D1831-8677-49CE-8B9F-6036FBF06989}'" delete
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52C78F3C-4D8E-41CA-9A7B-DD9E7535A504}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{52C78F3C-4D8E-41CA-9A7B-DD9E7535A504}'" delete
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57CD2AD2-16CD-4365-9353-54F57220614D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{57CD2AD2-16CD-4365-9353-54F57220614D}'" delete
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F85F65B6-1A6B-46B3-8030-36CB284EF50F}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F85F65B6-1A6B-46B3-8030-36CB284EF50F}'" delete
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FE1D49A5-E9F9-43B7-A188-1C7974ED3359}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FE1D49A5-E9F9-43B7-A188-1C7974ED3359}'" delete
    3⤵
    PID:1652
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7692C5BD-1376-46F4-BA95-B65485010A9E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7692C5BD-1376-46F4-BA95-B65485010A9E}'" delete
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{26B368C9-C678-48C5-8143-4E0352D71193}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{26B368C9-C678-48C5-8143-4E0352D71193}'" delete
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{899BF3A8-876A-4423-B857-3FA5035D1EE9}'" delete
  2⤵
  PID:312
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{899BF3A8-876A-4423-B857-3FA5035D1EE9}'" delete
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F589A0-9640-42AD-AC74-49B0D5AD0B2B}'" delete
  2⤵
  PID:1160
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38F589A0-9640-42AD-AC74-49B0D5AD0B2B}'" delete
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{132315B9-AC3F-4B5C-85AA-738E52159FA0}'" delete
  2⤵
  PID:2312
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{132315B9-AC3F-4B5C-85AA-738E52159FA0}'" delete
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{904AFFAC-1BEB-41E8-845C-C71BB894D655}'" delete
  2⤵
  PID:992
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{904AFFAC-1BEB-41E8-845C-C71BB894D655}'" delete
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{172961EA-D089-4FEF-AE67-1D972D9D6FFB}'" delete
  2⤵
  PID:1864
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{172961EA-D089-4FEF-AE67-1D972D9D6FFB}'" delete
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB574FD9-4187-4615-90FC-AC3F7CF35CFF}'" delete
  2⤵
  PID:708
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB574FD9-4187-4615-90FC-AC3F7CF35CFF}'" delete
    3⤵
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63194A19-5387-4EB8-9A03-ED5E3694AA72}'" delete
  2⤵
  PID:956
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63194A19-5387-4EB8-9A03-ED5E3694AA72}'" delete
    3⤵
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E513FAEA-2632-418D-A58B-5A4C94A3DD05}'" delete
  2⤵
  PID:1760
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E513FAEA-2632-418D-A58B-5A4C94A3DD05}'" delete
    3⤵
    PID:988
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F685AE4C-4B41-4E43-B572-118869BE2603}'" delete
  2⤵
  PID:1784
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F685AE4C-4B41-4E43-B572-118869BE2603}'" delete
    3⤵
    PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
72b95470eda8cc6ec169f6d81ccd795e

SHA1
75d4cb61136fc4ac3d99156f2d45422cd8fb3fc9

SHA256
5ebc94ed337175acb3845cb372849fd434b34eef6a80caa31e34093017ec0932

SHA512
25266e4d99b392a5a6fa68ef35fb271aa3c85b40d01efde859e24ca4f978cecccbb1d9eeffce5c98983fc80629ef145a688170b34f34937222b2c8aa69d1c7d8

Download Submit