conti | 6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3

Analysis

max time kernel
154s
max time network
160s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
Size

195KB
MD5

2c550ec2c56516e19f88a5228b1e4555
SHA1

31801a310f5aad8154f8b3e69027f068c76152f4
SHA256

2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751
SHA512

b52a93a5a8feeabc3c5f23a208c7cecfe8a619dd73c45c1126796269f5aa67e36594d9a47e1fca974ff9685d7421189a33fd33e1addd89e9bfbca3bca6573d45

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 09jQum57GEaC6dXINhoTySXIkkLxxkowWNebpY38DVj9GHasji8TrCvgizYnqkMa ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 64 IoCs

Processes:

2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe

description	ioc	process
File opened for modification	C:\Program Files\EditClear.lock	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\ConnectRead.asx	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\UninstallBackup.js	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\UnblockFind.xps	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\SubmitLimit.rtf	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\CompressReceive.cab	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files\Reference Assemblies\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files (x86)\Microsoft.NET\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\InvokeSet.easmx	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\UnregisterResume.vsdx	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\BlockReceive.pub	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\ResetApprove.mov	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files\Common Files\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\DenyEnable.aif	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\DenyDebug.doc	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\RemoveConvertTo.WTV	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\BackupCompress.tiff	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files\Java\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files\VideoLAN\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe

pid	process
640	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
640	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: 36	1784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: 36	1784	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.execmd.exe

description	pid	process	target process
PID 640 wrote to memory of 1608	640	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe	cmd.exe
PID 640 wrote to memory of 1608	640	2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe	cmd.exe
PID 1608 wrote to memory of 1784	1608	cmd.exe	WMIC.exe
PID 1608 wrote to memory of 1784	1608	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe
"C:\Users\Admin\AppData\Local\Temp\2ca4f97e15c6ddaa3276fbc56e716249dde1d2607f3b745933fedd9df3879751.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads