Analysis
-
max time kernel
76s -
max time network
50s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
28-09-2021 20:17
General
-
Target
3402d9d20bc4622a87c2533484fb98889a5a85bf3191192faf4ef8431f7a4b9c.bin.sample.exe
-
Size
185KB
-
MD5
1ac77c173fba7dd1475e84c50be35767
-
SHA1
3fd475ff9035742ff45d8a85c05e0c3fca453326
-
SHA256
3402d9d20bc4622a87c2533484fb98889a5a85bf3191192faf4ef8431f7a4b9c
-
SHA512
e02ad3865e5790c17636f661f2a2aaab2ce5dd3efb78cb3402604fbd8cd058714fdba6dd78071c2710e99d2944f6607cba3545d0ca252fbdda4878d0a017f90f
Score
10/10
Malware Config
Extracted
Path
C:\R3ADM3.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
HTTPS VERSION :
https://contirecovery.info
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
KCunZoziQUNQoJta54VhbE7Y8PD8FPDSGWulQ3gvxuiG7SFE4tGY4mHcaYmlFZM2
---END ID---
URLs
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.info
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 46 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3402d9d20bc4622a87c2533484fb98889a5a85bf3191192faf4ef8431f7a4b9c.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\3402d9d20bc4622a87c2533484fb98889a5a85bf3191192faf4ef8431f7a4b9c.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C42FD895-B421-4A33-8B73-34420B94C6C4}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{10A95FEA-CE68-4673-91E9-44796907EA8F}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3F8D846B-9DD4-48C1-9EB7-331601E45A01}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{83DB695E-B6C4-4F19-94F5-5AB249FE6E4B}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E98F490-EC90-48A3-8095-7CAB9F53C350}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BE04AF18-D313-4450-8D00-0E635D2D4C97}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CEE4CCBC-073C-4640-96A7-6BA7CCA7CF92}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{865F3304-51C3-4B8F-A536-F05EC48E587F}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F66D88E2-B57B-4989-8ED8-F69EC00D6AED}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3F6F2F-1FEA-4EF5-B2F9-9AD4D3736A5B}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AB2448F-F186-4CD1-8044-F01D62EBD5C3}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E61C5BD-F1FA-4763-95D9-47A0D7BD5FDD}'" delete3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/316-72-0x0000000000000000-mapping.dmp
-
memory/368-55-0x0000000000000000-mapping.dmp
-
memory/432-74-0x0000000000000000-mapping.dmp
-
memory/528-69-0x0000000000000000-mapping.dmp
-
memory/580-56-0x0000000000000000-mapping.dmp
-
memory/1116-62-0x0000000000000000-mapping.dmp
-
memory/1168-76-0x0000000000000000-mapping.dmp
-
memory/1424-64-0x0000000000000000-mapping.dmp
-
memory/1444-70-0x0000000000000000-mapping.dmp
-
memory/1448-71-0x0000000000000000-mapping.dmp
-
memory/1496-68-0x0000000000000000-mapping.dmp
-
memory/1540-65-0x0000000000000000-mapping.dmp
-
memory/1552-78-0x0000000000000000-mapping.dmp
-
memory/1556-54-0x00000000757B1000-0x00000000757B3000-memory.dmpFilesize
8KB
-
memory/1592-66-0x0000000000000000-mapping.dmp
-
memory/1608-67-0x0000000000000000-mapping.dmp
-
memory/1628-77-0x0000000000000000-mapping.dmp
-
memory/1652-57-0x0000000000000000-mapping.dmp
-
memory/1716-63-0x0000000000000000-mapping.dmp
-
memory/1724-59-0x0000000000000000-mapping.dmp
-
memory/1732-61-0x0000000000000000-mapping.dmp
-
memory/1804-58-0x0000000000000000-mapping.dmp
-
memory/1808-75-0x0000000000000000-mapping.dmp
-
memory/1972-73-0x0000000000000000-mapping.dmp
-
memory/1996-60-0x0000000000000000-mapping.dmp