Overview

overview

10

Static

static

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows11_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

  • Size

    1.6MB

  • Sample

    211005-nqgwysaaap

  • MD5

    520d488564da102f5482fcfdcdbd266a

  • SHA1

    45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0

  • SHA256

    e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

  • SHA512

    e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906

Score
10/10
contipersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- gufrazxanJ7rgxARuOTCYpFqVJnyoZuShdALs3PjCnANuWY0pSpb7JFDTaK78q9g ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Targets

    • Target

      e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

    • Size

      1.6MB

    • MD5

      520d488564da102f5482fcfdcdbd266a

    • SHA1

      45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0

    • SHA256

      e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

    • SHA512

      e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906

    Score
    10/10
    contiransomwarespywarestealerpersistence

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

      ransomwareconti

    • Registers COM server for autorun

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks