Analysis

  • max time kernel
    96s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    20-09-2021 11:17

General

  • Target

    d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe

  • Size

    194KB

  • MD5

    b633567b5bcde20a1e18a0c35869ba07

  • SHA1

    18f052cb6f0cef8c4d7c4e3e60b8c91b10e4aa63

  • SHA256

    d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0

  • SHA512

    5feab5ee400d62192d6fd3a7e2d7a9ba62ca32bcbf0d11335fdcbd82f0d02d94ad44ef95bec76a88e5dbf8fe09d27b4648017cb707627fadb7d1f6449072be43

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- 0Y2bUdHGJV86rTP8Tu27AgfN91oYLnc2GES6JjNUJY6Wy4r1DIzS2E7P7QpX2VVe ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\d338295d50d5b39d8377c593f6d46feb512823e2724704448cc885b40c5056e0.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{15C15014-00CD-4D36-BD8D-1042E7A30F6F}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:976
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/976-116-0x0000000000000000-mapping.dmp
  • memory/2840-115-0x0000000000000000-mapping.dmp