Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
17-09-2021 05:41
Static task
static1
Behavioral task
behavioral1
Sample
0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
Resource
win7-en-20210916
Behavioral task
behavioral2
Sample
0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
Resource
win10v20210408
General
-
Target
0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll
-
Size
215KB
-
MD5
ae5cab1c2ef1b24bb3a998737229427b
-
SHA1
271a5a395e974dcc9c0b6e25d66631ff42dd777f
-
SHA256
0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf
-
SHA512
231b157899aa5f59085131c66fd99558490e88a55efe5bb0f7ddbf7a162d3abcffbdf13d4a023d7e55fa5b883dccc96640865ddc73a4baf5669bf5f4fedb1813
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
regsvr32.exedescription ioc process File renamed C:\Users\Admin\Pictures\ImportSync.png => C:\Users\Admin\Pictures\ImportSync.png.FCGQR regsvr32.exe File opened for modification C:\Users\Admin\Pictures\InitializeFormat.tiff regsvr32.exe File renamed C:\Users\Admin\Pictures\InitializeFormat.tiff => C:\Users\Admin\Pictures\InitializeFormat.tiff.FCGQR regsvr32.exe File renamed C:\Users\Admin\Pictures\RestoreMove.png => C:\Users\Admin\Pictures\RestoreMove.png.FCGQR regsvr32.exe -
Drops startup file 1 IoCs
Processes:
regsvr32.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt regsvr32.exe -
Drops desktop.ini file(s) 32 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Videos\desktop.ini regsvr32.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Searches\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Downloads\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Music\desktop.ini regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI regsvr32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Documents\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Libraries\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Videos\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Pictures\desktop.ini regsvr32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini regsvr32.exe File opened for modification C:\Program Files (x86)\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Music\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini regsvr32.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini regsvr32.exe File opened for modification C:\Program Files\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Links\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Desktop\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Documents\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini regsvr32.exe -
Drops file in Program Files directory 64 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg regsvr32.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\readme.txt regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_scan_logo.svg regsvr32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js regsvr32.exe File created C:\Program Files\Common Files\microsoft shared\ink\he-IL\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png regsvr32.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt regsvr32.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\cldrdata.jar regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\readme.txt regsvr32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png regsvr32.exe File created C:\Program Files\Microsoft Office 15\ClientX64\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb regsvr32.exe File opened for modification C:\Program Files\7-Zip\descript.ion regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg regsvr32.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg regsvr32.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\readme.txt regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms regsvr32.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exepid process 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe 3716 regsvr32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ShellExperienceHost.exepid process 2256 ShellExperienceHost.exe 2256 ShellExperienceHost.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\0407468ec50f7f553be379d9c7042560f443c8f40919309a771a210dc34823cf.dll1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
- Drops file in Windows directory