Overview

overview

10

Static

static

d3c75c5bc4...4c.exe

windows7_x64

10

d3c75c5bc4...4c.exe

windows10_x64

10

Resubmissions

21-01-2021 15:41

210121-3mlv3q5jpj 10

18-01-2021 10:58

210118-jg3a8twq6n 10

Analysis

  • max time kernel
    150s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe

  • Size

    208KB

  • MD5

    b3d6ba0aa663f699283d25ddcb6561b9

  • SHA1

    a1f27e6be62bf0af7d5bff447156b3413f0d97c8

  • SHA256

    d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c

  • SHA512

    6d3b5f75169243f44247bb6ad32d6f68d937240e0d1711373012d696729a3e44ad21336e96a5548e11605412365ad4f53d2f5c798e74f204be2c16df5ae610ef

Score
10/10
ransomwarespyware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Аll оf уоur files аrе currеntlу еncrуptеd bу CОNTI rаnsоmwаrе. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our email [email protected] Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- sRttGzzkzsoiC9s8LgcrQk64ew7H47a5JSjCsLGbwdijogjulfu3RO9XBJbfEgCZ ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

Signatures

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 39 IoCs
  • Drops file in Program Files directory 8854 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 193 IoCs
  • Suspicious use of AdjustPrivilegeToken 444 IoCs
  • Suspicious use of WriteProcessMemory 80 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d3c75c5bc4ae087d547bd722bd84478ee6baf8c3355b930f26cc19777cd39d4c.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C94F5DE-71AA-4748-A6E4-65D732C8E17B}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6C94F5DE-71AA-4748-A6E4-65D732C8E17B}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEAC8CFA-3DBF-4075-86C2-AEB4E13B8C8D}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AEAC8CFA-3DBF-4075-86C2-AEB4E13B8C8D}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:320
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A63CD4-7BC9-443E-B08E-F75B9AAA7BEE}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A63CD4-7BC9-443E-B08E-F75B9AAA7BEE}'" delete
        3⤵
          PID:2012
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A8F9DEFE-0315-4860-BBD3-3EA51B04277B}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A8F9DEFE-0315-4860-BBD3-3EA51B04277B}'" delete
          3⤵
            PID:1620
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F485DFB7-940C-445F-89B0-830CD4C0C6AA}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F485DFB7-940C-445F-89B0-830CD4C0C6AA}'" delete
            3⤵
              PID:964
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62B550E8-FBB1-4E5A-8A36-2AD110607E82}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62B550E8-FBB1-4E5A-8A36-2AD110607E82}'" delete
              3⤵
                PID:596
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5012BF2-8EBD-43FA-9BD9-AAC31516894B}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1108
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5012BF2-8EBD-43FA-9BD9-AAC31516894B}'" delete
                3⤵
                  PID:1084
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9311D394-0691-49F4-9843-4698E19D71B7}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1712
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9311D394-0691-49F4-9843-4698E19D71B7}'" delete
                  3⤵
                    PID:1624
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114C0DA1-C29B-46BD-B65D-DC42616CE6F9}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:456
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114C0DA1-C29B-46BD-B65D-DC42616CE6F9}'" delete
                    3⤵
                      PID:528
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DCC28F2F-1AB0-404A-9561-EB252EC404F1}'" delete
                    2⤵
                      PID:436
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DCC28F2F-1AB0-404A-9561-EB252EC404F1}'" delete
                        3⤵
                          PID:320
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07E5D5E7-4EB4-4081-AC00-CF87FFD39B2C}'" delete
                        2⤵
                          PID:328
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07E5D5E7-4EB4-4081-AC00-CF87FFD39B2C}'" delete
                            3⤵
                              PID:844
                        • C:\Windows\system32\vssvc.exe
                          C:\Windows\system32\vssvc.exe
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1652
                        • C:\Windows\system32\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
                          1⤵
                          • Opens file in notepad (likely ransom note)
                          PID:1840
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe"
                          1⤵
                            PID:1076
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef7ba6e00,0x7fef7ba6e10,0x7fef7ba6e20
                              2⤵
                                PID:1072

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/1048-27-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

                              Filesize

                              2.5MB

                              Download

                            • memory/1840-25-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

                              Filesize

                              8KB

                              Download