conti | a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d

General

Target

a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
Size

197KB
MD5

786bdbe0b2b52039d3e912edd058361e
SHA1

53de202747bcf283fe25fa099641bc12d13bf7b2
SHA256

a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d
SHA512

1209a29c6098739c2a2ca2ff6859f176ad7fbba17a820cf82b32428446e9e5fbf5921f743a9f4fdf471d9da73b72f0236528451859e2217275bc2d327775a309

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- TSoxsb9nF1SSzOaxxFQ62ieqnBzhWe0TZQ70IXaLFKYhtXseVA6N4VCgzgVOa2mO ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\HideReceive.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\HideReceive.tiff => C:\Users\Admin\Pictures\HideReceive.tiff.VEORJ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ProtectWatch.crw => C:\Users\Admin\Pictures\ProtectWatch.crw.VEORJ	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\WaitSelect.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\WaitSelect.tiff => C:\Users\Admin\Pictures\WaitSelect.tiff.VEORJ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\CompareJoin.raw => C:\Users\Admin\Pictures\CompareJoin.raw.VEORJ	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\EnterRevoke.raw => C:\Users\Admin\Pictures\EnterRevoke.raw.VEORJ	regsvr32.exe

Drops desktop.ini file(s) 45 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6TGGRK3W\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MHZZT4MQ\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y8SPHBTY\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JPBNSXHB\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21448_.GIF	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	regsvr32.exe
File created	C:\Program Files\Uninstall Information\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090390.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar	regsvr32.exe
File opened for modification	C:\Program Files\PingDeny.vbe	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR14F.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	regsvr32.exe
File opened for modification	C:\Program Files\SwitchFormat.mpa	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF	regsvr32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-US.pak	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.XLA	regsvr32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\CONCRETE.INF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324704.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe
PID 1144 wrote to memory of 852	1144	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
2⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-55-0x0000000000000000-mapping.dmp

Download
memory/852-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1144-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads