5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251

General

Target: 5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251
Size: 190KB
Sample: 210926-qdyeaaehd3
Score: 10/10
MD5: 6da5a1163c3c8264134b3366521ef78a
SHA1: 8dc13c56d1998ab44176361fb8f9389eca75f415
SHA256: 5cf0a6ac9786638a063eea9ab68508f31e537072bbcea27371f9121d2668a251
SHA512: 5ead53b33ac55e2e14d64c14d6009d96dd62e468ad20270ca6b44658f557b91778b6a52a6124a9133d8d25a4d8155666f935c1c88b4650f3fd6738d0da4e7818

Malware Config

Extracted

Path: C:\readme.txt
Family: conti

Ransom Note:

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.

If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.

To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.

You can contact our team directly for further instructions through our website :

TOR VERSION : (you should download and install TOR browser first https://torproject.org)
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

HTTPS VERSION :
https://contirecovery.info

YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.

---BEGIN ID---
mEL9Y7SC22f1JfKAJi5NlYC2aVZ82ImX9nR568r2hXw9tn1weDwEc8s2r2thduYr
---END ID---

URLs:

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Targets
Signatures

  • Conti Ransomware
    Description: Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files
    Description: Ransomware generally changes the extension on encrypted files.

  • Drops startup file

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Drops desktop.ini file(s)

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10