conti | d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf

General

Target

d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
Size

191KB
MD5

562b147a42384349a13372a4aad34af9
SHA1

84a847ad5857035a18c2359c9e0265702ed0b027
SHA256

d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf
SHA512

54b27631f0ea91ed8093ea251290db91c531cfdb5ae468be2d2748d681c198778dc0905a511a276678eaf9ec2dc8369eb86e65d7af3785aaa17f96abec72b37e

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- Ns5WQ4hUEqxZRO4Ls1WW8wn8K95FKrkEKLxyjXjdwmjb0NpLosviDzWlNlarhNiY ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PingDisable.tif => C:\Users\Admin\Pictures\PingDisable.tif.SJEJN	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ProtectJoin.png => C:\Users\Admin\Pictures\ProtectJoin.png.SJEJN	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SuspendDebug.raw => C:\Users\Admin\Pictures\SuspendDebug.raw.SJEJN	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnprotectGrant.crw => C:\Users\Admin\Pictures\UnprotectGrant.crw.SJEJN	regsvr32.exe

Drops startup file 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt regsvr32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	regsvr32.exe

Drops desktop.ini file(s) 32 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\kn.pak	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_hover.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\readme.txt	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\PlayStore_icon.svg	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_listview_18.svg	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\HxRuntime.HxS	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\selector.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js	regsvr32.exe
File created	C:\Program Files (x86)\Google\Update\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms	regsvr32.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.exeShellExperienceHost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ShellExperienceHost.exe

pid process

1328 ShellExperienceHost.exe
1328 ShellExperienceHost.exe

pid	process
1328	ShellExperienceHost.exe
1328	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2428 wrote to memory of 2620	2428	regsvr32.exe	regsvr32.exe
PID 2428 wrote to memory of 2620	2428	regsvr32.exe	regsvr32.exe
PID 2428 wrote to memory of 2620	2428	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d21f53277c689939d94eced15e37c2f1e9bcbf547314ee26f4b21eee2102edbf.bin.sample.dll
2⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:588

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-116-0x0000024497140000-0x0000024497150000-memory.dmp

Filesize
64KB

Download
memory/2524-117-0x0000024497180000-0x0000024497190000-memory.dmp

Filesize
64KB

Download
memory/2524-118-0x00000244992B0000-0x00000244992B1000-memory.dmp

Filesize
4KB

Download
memory/2620-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads