Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-09-2021 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: 4b2358bac7fac727d1587365e2d91660b1ed44d1be95c6ff8c61e2cb9e747f19.bin.sample.dll
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 4b2358bac7fac727d1587365e2d91660b1ed44d1be95c6ff8c61e2cb9e747f19.bin.sample.dll
- Resource: win10-en-20210920
General
- Target: 4b2358bac7fac727d1587365e2d91660b1ed44d1be95c6ff8c61e2cb9e747f19.bin.sample.dll
- Size: 230KB
- MD5: ae1397fc1412a7d64c649dd6d9903bf7
- SHA1: d729ace39e2bf9010b0af00309a9cf6f471c6685
- SHA256: 4b2358bac7fac727d1587365e2d91660b1ed44d1be95c6ff8c61e2cb9e747f19
- SHA512: 44c6b48c91fe5e0c58e587ded40f1bd1820a04b2a8e6b4ce9e3a2dd443d2fd96713c14e84d3b8bdc79a54a655e83d2e1aaa229fed8f5c58c4d879708236fcb96
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URL: http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- URL: https://contirecovery.click
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Drops startup file (1 IoC)
  Process: regsvr32.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (regsvr32.exe)
- Drops desktop.ini file(s) (32 IoCs)
  Process: regsvr32.exe
- Drops file in Program Files directory (64 IoCs)
  Process: regsvr32.exe
- Drops file in Windows directory (4 IoCs)
  Processes: svchost.exe, ShellExperienceHost.exe, svchost.exe
  - File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)
  - File created: C:\Windows\rescache\_merged\4183903823\1195458082.pri (ShellExperienceHost.exe)
  - File created: C:\Windows\rescache\_merged\4032412167\2690874625.pri (ShellExperienceHost.exe)
  - File opened for modification: C:\Windows\Debug\ESE.TXT (svchost.exe)
- Modifies data under HKEY_USERS (4 IoCs)
  Process: svchost.exe
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache (svchost.exe)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E (svchost.exe)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: regsvr32.exe
  - pid 2384 regsvr32.exe (the same pid/process entry repeated 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: ShellExperienceHost.exe
  - pid 1264 ShellExperienceHost.exe (the same pid/process entry repeated 2 times)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b2358bac7fac727d1587365e2d91660b1ed44d1be95c6ff8c61e2cb9e747f19.bin.sample.dll
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -s BITS
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
  - Drops file in Windows directory