Analysis
max time kernel: 141s
max time network: 136s
platform: windows7_x64
resource: win7-en-20210920
submitted: 28-09-2021 09:38
Static task: static1
Behavioral task: behavioral1
  Sample: d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
  Resource: win10-en-20210920
General
Target: d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
Size: 191KB
MD5: 562b147a42384349a13372a4aad34af9
SHA1: 84a847ad5857035a18c2359c9e0265702ed0b027
SHA256: d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf
SHA512: 54b27631f0ea91ed8093ea251290db91c531cfdb5ae468be2d2748d681c198778dc0905a511a276678eaf9ec2dc8369eb86e65d7af3785aaa17f96abec72b37e
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.top/
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.SJEJN | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.SJEJN | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.SJEJN | regsvr32.exe
Drops desktop.ini file(s) (46 IoCs)
Processes: regsvr32.exe
Drops file in Program Files directory (64 IoCs)
Processes: regsvr32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe (pid 1124)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
PID 1128 wrote to memory of 1124 | 1128 | regsvr32.exe | regsvr32.exe
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses