conti | 3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba

Analysis

max time kernel
32s
max time network
54s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
Size

514KB
MD5

a9989d691d4a509fba4fbc2a26bcb54f
SHA1

0e7e0d1ae5ec4d691de59892aa45ee80069e079d
SHA256

3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba
SHA512

eeae35103e66711cd8015ff4d0ee3c36eb030b5b6f326177075f5a02328ead68ebcad3f839ae3ef50bf8e4444aa9c597bd9b8ba25989ba1a2de9722d29f2b429
SSDEEP

3072:fvOXfbBI4++rye6iLfv7FizEPB5Oe4UKXqlc8Lm87wgZPyzOmem0:eXzin6jwUKXSL/hIOH

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (839) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\DismountOpen.m1v	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files (x86)\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Trek.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVZIP.DIC	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd28.tlb	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00174_.GIF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\THOCR.PSP	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Mozilla Firefox\defaults\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Essential.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Common Files\System\msadc\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00390_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\DVD Maker\de-DE\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jre7\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy.jar	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Common Files\Microsoft Shared\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\readme.txt	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00120_.GIF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2280	vssvc.exe
Token: SeRestorePrivilege	2280	vssvc.exe
Token: SeAuditPrivilege	2280	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1856	WMIC.exe
Token: SeSecurityPrivilege	1856	WMIC.exe
Token: SeTakeOwnershipPrivilege	1856	WMIC.exe
Token: SeLoadDriverPrivilege	1856	WMIC.exe
Token: SeSystemProfilePrivilege	1856	WMIC.exe
Token: SeSystemtimePrivilege	1856	WMIC.exe
Token: SeProfSingleProcessPrivilege	1856	WMIC.exe
Token: SeIncBasePriorityPrivilege	1856	WMIC.exe
Token: SeCreatePagefilePrivilege	1856	WMIC.exe
Token: SeBackupPrivilege	1856	WMIC.exe
Token: SeRestorePrivilege	1856	WMIC.exe
Token: SeShutdownPrivilege	1856	WMIC.exe
Token: SeDebugPrivilege	1856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1856	WMIC.exe
Token: SeRemoteShutdownPrivilege	1856	WMIC.exe
Token: SeUndockPrivilege	1856	WMIC.exe
Token: SeManageVolumePrivilege	1856	WMIC.exe
Token: 33	1856	WMIC.exe
Token: 34	1856	WMIC.exe
Token: 35	1856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1856	WMIC.exe
Token: SeSecurityPrivilege	1856	WMIC.exe
Token: SeTakeOwnershipPrivilege	1856	WMIC.exe
Token: SeLoadDriverPrivilege	1856	WMIC.exe
Token: SeSystemProfilePrivilege	1856	WMIC.exe
Token: SeSystemtimePrivilege	1856	WMIC.exe
Token: SeProfSingleProcessPrivilege	1856	WMIC.exe
Token: SeIncBasePriorityPrivilege	1856	WMIC.exe
Token: SeCreatePagefilePrivilege	1856	WMIC.exe
Token: SeBackupPrivilege	1856	WMIC.exe
Token: SeRestorePrivilege	1856	WMIC.exe
Token: SeShutdownPrivilege	1856	WMIC.exe
Token: SeDebugPrivilege	1856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1856	WMIC.exe
Token: SeRemoteShutdownPrivilege	1856	WMIC.exe
Token: SeUndockPrivilege	1856	WMIC.exe
Token: SeManageVolumePrivilege	1856	WMIC.exe
Token: 33	1856	WMIC.exe
Token: 34	1856	WMIC.exe
Token: 35	1856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe
Token: SeSecurityPrivilege	2896	WMIC.exe
Token: SeTakeOwnershipPrivilege	2896	WMIC.exe
Token: SeLoadDriverPrivilege	2896	WMIC.exe
Token: SeSystemProfilePrivilege	2896	WMIC.exe
Token: SeSystemtimePrivilege	2896	WMIC.exe
Token: SeProfSingleProcessPrivilege	2896	WMIC.exe
Token: SeIncBasePriorityPrivilege	2896	WMIC.exe
Token: SeCreatePagefilePrivilege	2896	WMIC.exe
Token: SeBackupPrivilege	2896	WMIC.exe
Token: SeRestorePrivilege	2896	WMIC.exe
Token: SeShutdownPrivilege	2896	WMIC.exe
Token: SeDebugPrivilege	2896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2896	WMIC.exe
Token: SeRemoteShutdownPrivilege	2896	WMIC.exe
Token: SeUndockPrivilege	2896	WMIC.exe
Token: SeManageVolumePrivilege	2896	WMIC.exe
Token: 33	2896	WMIC.exe
Token: 34	2896	WMIC.exe
Token: 35	2896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2896	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2736	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	32
PID 1140 wrote to memory of 2736	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	32
PID 1140 wrote to memory of 2736	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	32
PID 1140 wrote to memory of 2736	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	32
PID 2736 wrote to memory of 1856	2736	cmd.exe	34
PID 2736 wrote to memory of 1856	2736	cmd.exe	34
PID 2736 wrote to memory of 1856	2736	cmd.exe	34
PID 1140 wrote to memory of 2832	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	35
PID 1140 wrote to memory of 2832	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	35
PID 1140 wrote to memory of 2832	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	35
PID 1140 wrote to memory of 2832	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	35
PID 2832 wrote to memory of 2896	2832	cmd.exe	37
PID 2832 wrote to memory of 2896	2832	cmd.exe	37
PID 2832 wrote to memory of 2896	2832	cmd.exe	37
PID 1140 wrote to memory of 2876	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	38
PID 1140 wrote to memory of 2876	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	38
PID 1140 wrote to memory of 2876	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	38
PID 1140 wrote to memory of 2876	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	38
PID 2876 wrote to memory of 2644	2876	cmd.exe	40
PID 2876 wrote to memory of 2644	2876	cmd.exe	40
PID 2876 wrote to memory of 2644	2876	cmd.exe	40
PID 1140 wrote to memory of 2620	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	41
PID 1140 wrote to memory of 2620	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	41
PID 1140 wrote to memory of 2620	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	41
PID 1140 wrote to memory of 2620	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	41
PID 2620 wrote to memory of 2712	2620	cmd.exe	43
PID 2620 wrote to memory of 2712	2620	cmd.exe	43
PID 2620 wrote to memory of 2712	2620	cmd.exe	43
PID 1140 wrote to memory of 2068	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	44
PID 1140 wrote to memory of 2068	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	44
PID 1140 wrote to memory of 2068	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	44
PID 1140 wrote to memory of 2068	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	44
PID 2068 wrote to memory of 3028	2068	cmd.exe	46
PID 2068 wrote to memory of 3028	2068	cmd.exe	46
PID 2068 wrote to memory of 3028	2068	cmd.exe	46
PID 1140 wrote to memory of 2840	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	47
PID 1140 wrote to memory of 2840	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	47
PID 1140 wrote to memory of 2840	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	47
PID 1140 wrote to memory of 2840	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	47
PID 2840 wrote to memory of 940	2840	cmd.exe	49
PID 2840 wrote to memory of 940	2840	cmd.exe	49
PID 2840 wrote to memory of 940	2840	cmd.exe	49
PID 1140 wrote to memory of 2056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	50
PID 1140 wrote to memory of 2056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	50
PID 1140 wrote to memory of 2056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	50
PID 1140 wrote to memory of 2056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	50
PID 2056 wrote to memory of 2188	2056	cmd.exe	52
PID 2056 wrote to memory of 2188	2056	cmd.exe	52
PID 2056 wrote to memory of 2188	2056	cmd.exe	52
PID 1140 wrote to memory of 3056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	53
PID 1140 wrote to memory of 3056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	53
PID 1140 wrote to memory of 3056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	53
PID 1140 wrote to memory of 3056	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	53
PID 3056 wrote to memory of 2020	3056	cmd.exe	55
PID 3056 wrote to memory of 2020	3056	cmd.exe	55
PID 3056 wrote to memory of 2020	3056	cmd.exe	55
PID 1140 wrote to memory of 2680	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	56
PID 1140 wrote to memory of 2680	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	56
PID 1140 wrote to memory of 2680	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	56
PID 1140 wrote to memory of 2680	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	56
PID 2680 wrote to memory of 3044	2680	cmd.exe	58
PID 2680 wrote to memory of 3044	2680	cmd.exe	58
PID 2680 wrote to memory of 3044	2680	cmd.exe	58
PID 1140 wrote to memory of 2504	1140	3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe
"C:\Users\Admin\AppData\Local\Temp\3dd56e8cb09469eeae1737ce1f7a2414ce7a2d019e685cd80f81e1fea56758ba.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7AA3892-E0EC-457B-8FC5-DF358387B5BE}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7AA3892-E0EC-457B-8FC5-DF358387B5BE}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CDB775E-A5D6-452B-A56A-BA620E0F7BFD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CDB775E-A5D6-452B-A56A-BA620E0F7BFD}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C1EF448-F6DA-47B6-A3EB-8C0870C4A941}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C1EF448-F6DA-47B6-A3EB-8C0870C4A941}'" delete
    3⤵
    PID:2644
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{494C03C6-B7B7-4DF1-8FA1-7D53E03DDA63}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{494C03C6-B7B7-4DF1-8FA1-7D53E03DDA63}'" delete
    3⤵
    PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F47BA72D-84E4-4D7E-BDAB-96318230ABB7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F47BA72D-84E4-4D7E-BDAB-96318230ABB7}'" delete
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8235A2B2-EED6-4D84-9B47-CD02BB13E9C1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8235A2B2-EED6-4D84-9B47-CD02BB13E9C1}'" delete
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{82E6CBF7-34AA-420A-ACFA-78E6B16AD8C2}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{82E6CBF7-34AA-420A-ACFA-78E6B16AD8C2}'" delete
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3CBCFC55-5255-4E65-8C94-0A792EA482BB}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3CBCFC55-5255-4E65-8C94-0A792EA482BB}'" delete
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45E828E2-3C55-49F9-825B-E01046E2A113}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45E828E2-3C55-49F9-825B-E01046E2A113}'" delete
    3⤵
    PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76239064-3F5F-4D70-92A4-670F55591560}'" delete
  2⤵
  PID:2504
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76239064-3F5F-4D70-92A4-670F55591560}'" delete
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B4EF978-E9B0-41CF-AAE2-776E38E9EDCE}'" delete
  2⤵
  PID:2184
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B4EF978-E9B0-41CF-AAE2-776E38E9EDCE}'" delete
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C840305C-0D8E-4B8B-BC6D-4003520487F0}'" delete
  2⤵
  PID:1084
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C840305C-0D8E-4B8B-BC6D-4003520487F0}'" delete
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{048EB31A-BA93-40FE-9759-479CEEF5F9AF}'" delete
  2⤵
  PID:1556
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{048EB31A-BA93-40FE-9759-479CEEF5F9AF}'" delete
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469E3BBE-F71A-45E0-BD8F-4D2DC75A9037}'" delete
  2⤵
  PID:2140
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469E3BBE-F71A-45E0-BD8F-4D2DC75A9037}'" delete
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5E3EA6-3B5A-47E4-BB20-CAD4E6A45BA5}'" delete
  2⤵
  PID:2308
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5E3EA6-3B5A-47E4-BB20-CAD4E6A45BA5}'" delete
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FD06C77-DFAC-4B42-A173-D0BD649CD10A}'" delete
  2⤵
  PID:960
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FD06C77-DFAC-4B42-A173-D0BD649CD10A}'" delete
    3⤵
    PID:536
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68983E3D-3AC8-4B20-8338-F372835B7DB4}'" delete
  2⤵
  PID:1964
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68983E3D-3AC8-4B20-8338-F372835B7DB4}'" delete
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB19CD29-987A-4316-B729-A682ED3D39EE}'" delete
  2⤵
  PID:2440
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB19CD29-987A-4316-B729-A682ED3D39EE}'" delete
    3⤵
    PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
306b84b6dfba111b3e824d86804998f1

SHA1
7c1cb91fc2b13ca9b6e96407e12e9811a245eab1

SHA256
3d1d151274bffd401a292c2d6a9c165a757d60e9910e0a04b13ab2feb2655854

SHA512
a0313e4a392aeeb17271d007eea708d19e598525f9a78a6c2aa1fb4485ca7b54686c4c0f87b41606729f1d42ee4419f5e25e56aaeddb887fd5f7e57ed200ea0b

Download Submit