Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09-09-2024 16:03

Static task: static1

Behavioral task: behavioral1
Sample: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
Resource: win10v2004-20240802-en
General

Target: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
Size: 515KB
MD5: 3b99e833809115583f76a1d8637dcbaf
SHA1: e1b5e7a4486e63dad4bde2322f9d7725fbd2eb3b
SHA256: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e
SHA512: aaaf4318ec34381f7cfa5d7908635082f7e4e7486649e9cafebfb1fb748028a7a18558ed51338f40f35daed86e5da39e39440cfe94c372c664ddeffab2f637b0
SSDEEP: 3072:szyP/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKOBzWk2:szyXEBc2jMQsdJdBgHJ+/dB9rP2GR
Malware Config

Extracted from: C:\Program Files (x86)\readme.txt
Family: conti
URLs:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Renames multiple (143) files with added filename extension
This indicates ransomware activity: the files on the system are being encrypted and renamed. The appended extension itself is not shown in this report; the IoC rows below list the paths as they were opened for modification.
Drops file in Program Files directory 64 IoCs
Process for every row: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe. Columns: description, ioc.

File opened for modification  C:\Program Files\DVD Maker\rtstreamsource.ax
File opened for modification  C:\Program Files\DVD Maker\soniccolorconverter.ax
File created  C:\Program Files\Java\readme.txt
File created  C:\Program Files\Microsoft Games\readme.txt
File created  C:\Program Files (x86)\Common Files\readme.txt
File opened for modification  C:\Program Files\UnprotectDeny.tiff
File opened for modification  C:\Program Files\UnpublishAdd.001
File created  C:\Program Files\DVD Maker\readme.txt
File opened for modification  C:\Program Files\DVD Maker\bod_r.TTF
File created  C:\Program Files\Uninstall Information\readme.txt
File opened for modification  C:\Program Files\PublishRead.vbe
File opened for modification  C:\Program Files\SelectOpen.otf
File opened for modification  C:\Program Files\7-Zip\7z.sfx
File opened for modification  C:\Program Files\Mozilla Firefox\omni.ja
File created  C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt
File created  C:\Program Files (x86)\Reference Assemblies\readme.txt
File created  C:\Program Files (x86)\Uninstall Information\readme.txt
File opened for modification  C:\Program Files\7-Zip\7-zip.chm
File opened for modification  C:\Program Files\DVD Maker\offset.ax
File opened for modification  C:\Program Files\Mozilla Firefox\Accessible.tlb
File opened for modification  C:\Program Files\7-Zip\History.txt
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\readme.txt
File opened for modification  C:\Program Files\Mozilla Firefox\install.log
File created  C:\Program Files (x86)\Google\readme.txt
File opened for modification  C:\Program Files\SetBackup.TS
File created  C:\Program Files\Google\readme.txt
File opened for modification  C:\Program Files\Internet Explorer\Timeline.cpu.xml
File opened for modification  C:\Program Files\Mozilla Firefox\precomplete
File opened for modification  C:\Program Files (x86)\Internet Explorer\ie9props.propdesc
File created  C:\Program Files (x86)\Microsoft Analysis Services\readme.txt
File created  C:\Program Files (x86)\Microsoft.NET\readme.txt
File opened for modification  C:\Program Files\ImportSkip.inf
File opened for modification  C:\Program Files\DVD Maker\fieldswitch.ax
File created  C:\Program Files\Mozilla Firefox\readme.txt
File created  C:\Program Files\Reference Assemblies\readme.txt
File opened for modification  C:\Program Files\MoveComplete.doc
File opened for modification  C:\Program Files\7-Zip\License.txt
File opened for modification  C:\Program Files\DVD Maker\sonicsptransform.ax
File opened for modification  C:\Program Files\DVD Maker\rtstreamsink.ax
File opened for modification  C:\Program Files\Mozilla Firefox\dependentlibs.list
File opened for modification  C:\Program Files\Mozilla Firefox\installation_telemetry.json
File created  C:\Program Files\MSBuild\readme.txt
File opened for modification  C:\Program Files\BlockOpen.xlt
File opened for modification  C:\Program Files\SelectRemove.aifc
File opened for modification  C:\Program Files\WaitUnlock.DVR-MS
File opened for modification  C:\Program Files\ExpandEnter.search-ms
File opened for modification  C:\Program Files\Mozilla Firefox\postSigningData
File created  C:\Program Files (x86)\Internet Explorer\readme.txt
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\readme.txt
File opened for modification  C:\Program Files\RevokeHide.docm
File opened for modification  C:\Program Files\DVD Maker\SecretST.TTF
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.cfg
File opened for modification  C:\Program Files\RestoreExport.7z
File opened for modification  C:\Program Files\Internet Explorer\ie9props.propdesc
File opened for modification  C:\Program Files\LockImport.asf
File opened for modification  C:\Program Files\OutCompare.shtml
File opened for modification  C:\Program Files\PopLimit.easmx
File opened for modification  C:\Program Files\7-Zip\Lang\af.txt
File opened for modification  C:\Program Files\ExitJoin.xla
File created  C:\Program Files (x86)\readme.txt
File opened for modification  C:\Program Files\7-Zip\7zCon.sfx
File opened for modification  C:\Program Files\DVD Maker\Eurosti.TTF
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml
File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml
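The two file signatures above (a note file dropped into directory after directory, plus many files of many types opened for modification) are the pattern a file-event heuristic can key on without knowing the appended extension, which this report does not show. The following is an added worked example, not code from the sandbox or from the Conti family: it parses rows in the "description ioc" layout used above (process column omitted, since every row names the same sample), profiles them, and applies thresholds that are assumptions chosen for illustration. The embedded rows are a constructed subset of this report's IoCs.

```python
"""Mass-encryption heuristic over the file IoC rows of a sandbox report.

Added example, not part of the report or of any sandbox product. Thresholds
are assumptions for illustration; tune them against your own baseline.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ROW = re.compile(r"^(File created|File opened for modification)\s+(.+?)\s*$")

# Illustrative thresholds (assumptions).
NOTE_MIN_DIRS = 5      # same filename created in at least this many directories
MODIFIED_MIN = 10      # at least this many distinct files opened for modification
EXTENSIONS_MIN = 5     # spanning at least this many distinct extensions

# Constructed subset of the IoC rows from this report.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax
File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax
File created C:\Program Files\Java\readme.txt
File created C:\Program Files\Microsoft Games\readme.txt
File created C:\Program Files (x86)\Common Files\readme.txt
File opened for modification C:\Program Files\UnprotectDeny.tiff
File opened for modification C:\Program Files\UnpublishAdd.001
File created C:\Program Files\DVD Maker\readme.txt
File opened for modification C:\Program Files\DVD Maker\bod_r.TTF
File created C:\Program Files\Uninstall Information\readme.txt
File opened for modification C:\Program Files\PublishRead.vbe
File opened for modification C:\Program Files\SelectOpen.otf
File opened for modification C:\Program Files\7-Zip\7z.sfx
File opened for modification C:\Program Files\Mozilla Firefox\omni.ja
File created C:\Program Files (x86)\Microsoft Synchronization Services\readme.txt
File opened for modification C:\Program Files\Mozilla Firefox\precomplete
File opened for modification C:\Program Files\MoveComplete.doc
File created C:\Program Files (x86)\readme.txt
"""


def parse_rows(text):
    """Return (action, path) pairs; lines that are not IoC rows are ignored."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def profile(events):
    """Score one process's file activity for the note-drop + mass-modify pattern."""
    created_dirs = defaultdict(set)   # created basename -> directories it appeared in
    modified = set()
    for action, path in events:
        p = PureWindowsPath(path)
        if action == "File created":
            created_dirs[p.name.lower()].add(str(p.parent).lower())
        else:
            modified.add(str(p).lower())
    # The most widely replicated created file is the ransom-note candidate.
    note_name, dirs = max(created_dirs.items(), key=lambda kv: len(kv[1]),
                          default=("", set()))
    extensions = {PureWindowsPath(m).suffix for m in modified if PureWindowsPath(m).suffix}
    result = {
        "note_name": note_name,
        "note_dirs": len(dirs),
        "modified": len(modified),
        "extensions": len(extensions),
    }
    result["ransomware_like"] = (
        result["note_dirs"] >= NOTE_MIN_DIRS
        and result["modified"] >= MODIFIED_MIN
        and result["extensions"] >= EXTENSIONS_MIN
    )
    return result


if __name__ == "__main__":
    print(profile(parse_rows(SAMPLE_ROWS)))
```

On the subset above this reports readme.txt created in 7 directories and 11 files across 9 extensions opened for modification, which trips all three thresholds; an installer writing a dozen DLLs into one directory does not, because its extension count stays at one.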
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid: 1532
Process: d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Columns: Token, pid, Process; the 64 rows are grouped by process here.

pid 1720 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

pid 2968 WMIC.exe, the following 20-token sequence logged twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

pid 3040 WMIC.exe: the same 20-token sequence once, then SeIncreaseQuotaPrivilege again (the list is cut off at 64 IoCs)

The entries 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (in winnt.h these values are SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE). The WMIC.exe rows enable the full set of privileges held by the elevated token rather than a targeted SeDebugPrivilege request; the backup/restore privileges on vssvc.exe are the ones the VSS service needs to remove snapshots.
Suspicious use of WriteProcessMemory 64 IoCs
Columns: source PID (process) -> target PID [procid_target]; identical rows are grouped with a count. "sample" is d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe.

1532 (sample) -> 2076 [31]: 4 rows
2076 (cmd.exe) -> 2968 [33]: 3 rows
1532 (sample) -> 2116 [34]: 4 rows
2116 (cmd.exe) -> 3040 [36]: 3 rows
1532 (sample) -> 2708 [37]: 4 rows
2708 (cmd.exe) -> 2712 [39]: 3 rows
1532 (sample) -> 2592 [40]: 4 rows
2592 (cmd.exe) -> 2684 [42]: 3 rows
1532 (sample) -> 2720 [43]: 4 rows
2720 (cmd.exe) -> 760 [45]: 3 rows
1532 (sample) -> 1764 [46]: 4 rows
1764 (cmd.exe) -> 1184 [48]: 3 rows
1532 (sample) -> 2500 [49]: 4 rows
2500 (cmd.exe) -> 2552 [51]: 3 rows
1532 (sample) -> 2240 [52]: 4 rows
2240 (cmd.exe) -> 1856 [54]: 3 rows
1532 (sample) -> 464 [55]: 4 rows
464 (cmd.exe) -> 1860 [57]: 3 rows
1532 (sample) -> 1872 [58]: 1 row (list cut off at 64 IoCs)

Every target is a child that the source has just spawned (compare the Processes tree), so these rows record the writes a parent makes into a newly created child's address space during process creation, not injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the sample drives it through WMIC.exe (see Processes): eighteen shadow copies are deleted one at a time, each addressed by its ID, and vssvc.exe is started as a result. A detection that only matches "vssadmin delete shadows" or a blanket "wmic shadowcopy delete" does not cover this per-ID form.
Processes

Image paths, stated once: cmd.exe is C:\Windows\system32\cmd.exe; WMIC.exe is C:\Windows\System32\wbem\WMIC.exe. Indentation reflects the parent/child depth (1, 2, 3) of the original tree.

d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe (PID 1532)
  Image: C:\Users\Admin\AppData\Local\Temp\d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    cmd.exe (PID 2076): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 2968): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete
          - Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 2116): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 3040): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete
          - Suspicious use of AdjustPrivilegeToken

    cmd.exe (PID 2708): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 2712): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete

    cmd.exe (PID 2592): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 2684): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete

    cmd.exe (PID 2720): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 760): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete

    cmd.exe (PID 1764): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 1184): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete

    cmd.exe (PID 2500): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 2552): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete

    cmd.exe (PID 2240): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 1856): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete

    cmd.exe (PID 464): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete
      - Suspicious use of WriteProcessMemory
        WMIC.exe (PID 1860): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete

    cmd.exe (PID 1872): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete
        WMIC.exe (PID 1656): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete

    cmd.exe (PID 1780): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete
        WMIC.exe (PID 1512): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete

    cmd.exe (PID 2392): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete
        WMIC.exe (PID 1732): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete

    cmd.exe (PID 1828): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete
        WMIC.exe (PID 344): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete

    cmd.exe (PID 2476): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete
        WMIC.exe (PID 1596): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete

    cmd.exe (PID 2820): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete
        WMIC.exe (PID 2584): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete

    cmd.exe (PID 2772): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete
        WMIC.exe (PID 2336): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete

    cmd.exe (PID 440): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete
        WMIC.exe (PID 480): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete

    cmd.exe (PID 1528): cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete
        WMIC.exe (PID 1336): C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete

vssvc.exe (PID 1720)
  Image and command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Eighteen shadow copies are deleted in total, each through its own cmd.exe -> WMIC.exe pair and each addressed by ID rather than with a single wipe-all command.
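The tree above is the chain a process-creation detection has to reassemble: WMIC.exe deletes, cmd.exe only relays, and the sample is the process that should be named in the finding. The following is an added worked example (not code from the sandbox or from Conti) that does that over constructed telemetry mirroring this tree: the PIDs and shadow copy IDs are the report's, while the record schema (pid, ppid, image, cmdline) and the explorer.exe root are assumptions, not any vendor's log format. It attributes each deletion to the first non-shell ancestor and counts per-ID deletions separately from blanket ones, so the per-ID form used here is not missed by a rule that only knows "vssadmin delete shadows /all".

```python
"""Find Volume Shadow Copy deletion chains in process-creation telemetry.

Added example, not part of the report. Field names pid/ppid/image/cmdline
are an assumed schema; the event records are constructed from the tree above.
"""
import re
from collections import defaultdict

# Per-ID ("shadowcopy where ... delete") and blanket ("shadowcopy delete") forms.
WMIC_SHADOW_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # relays, not originators

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d8a82bc5e15394a711849b08da79e6c42c74092497a0ef6f623ea5e8b7c6d08e.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# (cmd.exe pid, WMIC.exe pid, shadow copy ID) for the 18 deletions in the tree above.
CHAIN = [
    (2076, 2968, "{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}"), (2116, 3040, "{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}"),
    (2708, 2712, "{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}"), (2592, 2684, "{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}"),
    (2720, 760, "{021F038D-EF98-4277-807F-D9D2C31761FE}"), (1764, 1184, "{522CFB70-E966-4631-B951-39079840FC86}"),
    (2500, 2552, "{39A60542-2909-4674-A9B2-FCD89B71F373}"), (2240, 1856, "{09D614CE-B995-49B2-AD78-718627D30B0D}"),
    (464, 1860, "{9A213CE1-2A1D-4404-85E9-A877A57FF56E}"), (1872, 1656, "{07126393-5C20-4FEC-84EB-08FDE444B0C2}"),
    (1780, 1512, "{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}"), (2392, 1732, "{25D60D36-2134-4703-B70F-C1E5670E2758}"),
    (1828, 344, "{E62387E8-4164-4550-873D-246FB783FDA4}"), (2476, 1596, "{EBF372D1-ABDA-4550-BCFA-E589781243CB}"),
    (2820, 2584, "{223604F6-39C9-4351-83D1-90EEE67EC572}"), (2772, 2336, "{E3902E7F-7A32-4261-A3EE-B17FE1936361}"),
    (440, 480, "{7CD00F17-C743-4154-B479-2E288FF81CB4}"), (1528, 1336, "{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}"),
]


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_delete(ev):
    """True for the WMIC and vssadmin command lines that remove snapshots."""
    name = basename(ev["image"])
    if name == "wmic.exe":
        return bool(WMIC_SHADOW_DELETE.search(ev["cmdline"]))
    if name == "vssadmin.exe":
        return bool(VSSADMIN_DELETE.search(ev["cmdline"]))
    return False


def origin(ev, by_pid):
    """Follow ppid links up through shells to the process that started the chain."""
    cur, seen = ev, set()
    while True:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            return cur                    # top of what we know about
        if basename(parent["image"]) not in SHELLS:
            return parent                 # first non-shell ancestor
        cur = parent


def find_shadow_deletion(events):
    """Map each originating process to the snapshot deletions it caused."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(lambda: {"commands": 0, "ids": set(), "wipe_all": 0})
    for ev in events:
        if not is_shadow_delete(ev):
            continue
        src = origin(ev, by_pid)
        rec = hits[(src["pid"], basename(src["image"]))]
        rec["commands"] += 1
        ids = GUID.findall(ev["cmdline"])
        if ids:
            rec["ids"].update(i.upper() for i in ids)
        else:
            rec["wipe_all"] += 1          # no ID given: a blanket delete
    return {k: {"commands": v["commands"], "ids": sorted(v["ids"]), "wipe_all": v["wipe_all"]}
            for k, v in hits.items()}


def build_sample_events():
    """Constructed telemetry: the report's tree plus a benign 'list shadows' decoy."""
    events = [
        {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
        {"pid": 1532, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
        {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
        {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin list shadows"},
    ]
    for cmd_pid, wmic_pid, sid in CHAIN:
        wmic_cmd = WMIC + " shadowcopy where \"ID='" + sid + "'\" delete"
        events.append({"pid": cmd_pid, "ppid": 1532, "image": r"C:\Windows\system32\cmd.exe",
                       "cmdline": "cmd.exe /c " + wmic_cmd})
        events.append({"pid": wmic_pid, "ppid": cmd_pid, "image": WMIC, "cmdline": wmic_cmd})
    return events


if __name__ == "__main__":
    for (pid, image), rec in find_shadow_deletion(build_sample_events()).items():
        print(pid, image, rec["commands"], "commands,", len(rec["ids"]), "distinct IDs")
```

On the constructed tree this yields a single finding keyed on PID 1532 with 18 commands and 18 distinct IDs; the admin's "vssadmin list shadows" decoy produces nothing because only deletion verbs match.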
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 701579edee1063d1b39f483e86fbed79
SHA1: ba728b45f74c8fb9fe7cf1e9c01663283c3a06d2
SHA256: 93aed46310470f2aa10dd3626ed13ae15819c9417497c01b22865664ec01afc8
SHA512: 7e1ed8fab572f38325b1b0eb9e1b2afae438cf8387eb19d07481d2f09ed00416368701abec1d9c046947a42809ee83dd7859b159876837ff31ef2c23f2d67c96