Analysis
- max time kernel: 152s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 09:37
Static task: static1
Behavioral task: behavioral1
- Sample: a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
- Resource: win10-en-20210920
General
- Target: a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
- Size: 197KB
- MD5: 786bdbe0b2b52039d3e912edd058361e
- SHA1: 53de202747bcf283fe25fa099641bc12d13bf7b2
- SHA256: a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d
- SHA512: 1209a29c6098739c2a2ca2ff6859f176ad7fbba17a820cf82b32428446e9e5fbf5921f743a9f4fdf471d9da73b72f0236528451859e2217275bc2d327775a309
Malware Config
Extracted
- Path: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.xyz/
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: regsvr32.exe
  File renamed: C:\Users\Admin\Pictures\SubmitSwitch.png => C:\Users\Admin\Pictures\SubmitSwitch.png.VEORJ (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\CheckpointGroup.crw => C:\Users\Admin\Pictures\CheckpointGroup.crw.VEORJ (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\DismountLimit.raw => C:\Users\Admin\Pictures\DismountLimit.raw.VEORJ (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\InitializeUninstall.crw => C:\Users\Admin\Pictures\InitializeUninstall.crw.VEORJ (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\ResumeRename.crw => C:\Users\Admin\Pictures\ResumeRename.crw.VEORJ (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\ResumeWatch.tiff => C:\Users\Admin\Pictures\ResumeWatch.tiff.VEORJ (regsvr32.exe)
  File opened for modification: C:\Users\Admin\Pictures\ResumeWatch.tiff (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\SuspendConvertTo.png => C:\Users\Admin\Pictures\SuspendConvertTo.png.VEORJ (regsvr32.exe)
  File opened for modification: C:\Users\Admin\Pictures\UnlockBlock.tiff (regsvr32.exe)
  File renamed: C:\Users\Admin\Pictures\UnlockBlock.tiff => C:\Users\Admin\Pictures\UnlockBlock.tiff.VEORJ (regsvr32.exe)
- Drops startup file (1 IoC)
  Processes: regsvr32.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (regsvr32.exe)
- Drops desktop.ini file(s) (31 IoCs)
  Processes:
  regsvr32.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  regsvr32.exe
- Drops file in Windows directory (3 IoCs)
  Processes: ShellExperienceHost.exe, svchost.exe
  File created: C:\Windows\rescache\_merged\4183903823\1195458082.pri (ShellExperienceHost.exe)
  File created: C:\Windows\rescache\_merged\4032412167\2690874625.pri (ShellExperienceHost.exe)
  File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  regsvr32.exe (PID 4084)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ShellExperienceHost.exe
  PID 4036 ShellExperienceHost.exe
  PID 4036 ShellExperienceHost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  PID 4088 wrote to memory of 4084: regsvr32.exe -> regsvr32.exe
  PID 4088 wrote to memory of 4084: regsvr32.exe -> regsvr32.exe
  PID 4088 wrote to memory of 4084: regsvr32.exe -> regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\a8ad29bc65e063597eec3577358b68684be6a8d7010c5bfd713ad8f35cf1306d.bin.sample.dll
    - Modifies extensions of user files
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  - Drops file in Windows directory