Analysis

  • max time kernel
    152s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 09:29

General

  • Target

    853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe

  • Size

    192KB

  • MD5

    6b2c004ab77290fec33d460930d08844

  • SHA1

    3b5cfc88baa8bf78ec0b45dc07b3bbea9cdf35dc

  • SHA256

    853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e

  • SHA512

    744e56785f42dea874cae577d59c93e14e538d920cb065acd74f9c67450d9d74ae70754c8aafe74d225b238e6b493a4b428098e1d75e6369356341a37fa49d5f

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 22Y1mPMG6Hsf8qKzztjCkWcjEoCd7cUpvH01kkvWfr7STb2e33hhoqWUvEskm8e7 ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 38 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\853ee7f215135b9c0864bb442b19ce60bb02a27fd92220a07876d31fd097411e.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:684
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete
        3⤵
          PID:436
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete
          3⤵
            PID:1960
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete
            3⤵
              PID:1460
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1452
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete
              3⤵
                PID:1676
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete
                3⤵
                  PID:1672
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1280
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete
                  3⤵
                    PID:1428
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1808
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete
                    3⤵
                      PID:588
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
                    2⤵
                      PID:540
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete
                        3⤵
                          PID:1068
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
                        2⤵
                          PID:1044
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete
                            3⤵
                              PID:1092
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
                            2⤵
                              PID:2040
                              • C:\Windows\System32\wbem\WMIC.exe
                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete
                                3⤵
                                  PID:1524
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1528

                            Network

                            MITRE ATT&CK Matrix

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/320-55-0x0000000000000000-mapping.dmp

                            • memory/436-60-0x0000000000000000-mapping.dmp

                            • memory/540-73-0x0000000000000000-mapping.dmp

                            • memory/552-57-0x0000000000000000-mapping.dmp

                            • memory/588-72-0x0000000000000000-mapping.dmp

                            • memory/684-58-0x0000000000000000-mapping.dmp

                            • memory/952-61-0x0000000000000000-mapping.dmp

                            • memory/1044-75-0x0000000000000000-mapping.dmp

                            • memory/1068-74-0x0000000000000000-mapping.dmp

                            • memory/1092-76-0x0000000000000000-mapping.dmp

                            • memory/1176-59-0x0000000000000000-mapping.dmp

                            • memory/1276-56-0x0000000000000000-mapping.dmp

                            • memory/1280-69-0x0000000000000000-mapping.dmp

                            • memory/1428-70-0x0000000000000000-mapping.dmp

                            • memory/1452-65-0x0000000000000000-mapping.dmp

                            • memory/1460-64-0x0000000000000000-mapping.dmp

                            • memory/1524-78-0x0000000000000000-mapping.dmp

                            • memory/1672-68-0x0000000000000000-mapping.dmp

                            • memory/1676-66-0x0000000000000000-mapping.dmp

                            • memory/1768-67-0x0000000000000000-mapping.dmp

                            • memory/1808-71-0x0000000000000000-mapping.dmp

                            • memory/1960-62-0x0000000000000000-mapping.dmp

                            • memory/2008-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

                              Filesize

                              8KB

                            • memory/2040-77-0x0000000000000000-mapping.dmp

                            • memory/2044-63-0x0000000000000000-mapping.dmp