Analysis
- max time kernel: 73s
- max time network: 40s
- platform: windows7_x64
- resource: win7-en-20210916
- submitted: 17-09-2021 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: 0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
- Resource: win7-en-20210916
Behavioral task: behavioral2
- Sample: 0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
- Resource: win10v20210408
General
- Target: 0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
- Size: 215KB
- MD5: ae5cab1c2ef1b24bb3a998737229427b
- SHA1: 271a5a395e974dcc9c0b6e25d66631ff42dd777f
- SHA256: 0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf
- SHA512: 231b157899aa5f59085131c66fd99558490e88a55efe5bb0f7ddbf7a162d3abcffbdf13d4a023d7e55fa5b883dccc96640865ddc73a4baf5669bf5f4fedb1813
Malware Config
Extracted from: C:\readme.txt
- Family: conti
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.xyz/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
  - File renamed C:\Users\Admin\Pictures\ClearDisable.crw => C:\Users\Admin\Pictures\ClearDisable.crw.FCGQR
  - File renamed C:\Users\Admin\Pictures\CompareUnregister.png => C:\Users\Admin\Pictures\CompareUnregister.png.FCGQR
  - File renamed C:\Users\Admin\Pictures\InvokeTest.crw => C:\Users\Admin\Pictures\InvokeTest.crw.FCGQR
  - File renamed C:\Users\Admin\Pictures\RegisterBackup.tif => C:\Users\Admin\Pictures\RegisterBackup.tif.FCGQR
  - File renamed C:\Users\Admin\Pictures\RenameSelect.png => C:\Users\Admin\Pictures\RenameSelect.png.FCGQR
  - File opened for modification C:\Users\Admin\Pictures\ResumeUnregister.tiff
  - File renamed C:\Users\Admin\Pictures\ResumeUnregister.tiff => C:\Users\Admin\Pictures\ResumeUnregister.tiff.FCGQR
-
Drops desktop.ini file(s) (46 IoCs)
Processes: regsvr32.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe (PID 1620)
Processes
-
C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
Downloads
- memory/1620-53-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp (filesize 8KB)