Analysis
- max time kernel: 159s
- max time network: 88s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 28-09-2021 08:23
- Static task: static1
- Behavioral task: behavioral1
  Sample: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
  Resource: win7-en-20210920
- Behavioral task: behavioral2
  Sample: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
  Resource: win10v20210408
General
- Target: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
- Size: 195KB
- MD5: 9656b98b10d645f1850030f461acdf7b
- SHA1: f2253855fa2d400c92f819c6ffec73281ec7232f
- SHA256: 3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e
- SHA512: 17016e6d348761865c2c5fa82b94c94604cd819dc4ce0dad5ba2800e16d070eeb7ba261a68d37d4530adacdb955e0bfac42019ac432b1a22b60488f6387a1021
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.xyz/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Drops file in Program Files directory (64 IoCs)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  784   3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
  784   3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe
-
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
  Tokens adjusted by vssvc.exe (PID 1816):
    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Tokens adjusted by WMIC.exe (PID 824), the same sequence of 21 recorded twice:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid   process                                                                           target process
  PID 784 wrote to memory of 520   784   3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe   cmd.exe
  PID 784 wrote to memory of 520   784   3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe   cmd.exe
  PID 520 wrote to memory of 824   520   cmd.exe                                                                           WMIC.exe
  PID 520 wrote to memory of 824   520   cmd.exe                                                                           WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe (PID 784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c014b34aa1179e1073766f8811577fece916cc14cafb6d6697ecad0466ef82e.bin.sample.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SYSTEM32\cmd.exe (PID 520)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\System32\wbem\WMIC.exe (PID 824)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{493E2A7D-D35C-4823-8312-DB6A87B45E66}'" delete
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (PID 1816)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken