Overview

overview

10

Static

static

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows7_x64

10

e7969800b4...c7.exe

windows11_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

e7969800b4...c7.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    05-10-2021 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe

  • Size

    1.6MB

  • MD5

    520d488564da102f5482fcfdcdbd266a

  • SHA1

    45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0

  • SHA256

    e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

  • SHA512

    e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906

Score
10/10
contiransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- gufrazxanJ7rgxARuOTCYpFqVJnyoZuShdALs3PjCnANuWY0pSpb7JFDTaK78q9g ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Drops startup file 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe
    "C:\Users\Admin\AppData\Local\Temp\e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F27351B6-5948-4472-805E-D9351169C9F8}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F27351B6-5948-4472-805E-D9351169C9F8}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA7578E7-C050-4203-8960-B7C1EEB3C154}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA7578E7-C050-4203-8960-B7C1EEB3C154}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAF3D2D2-2F39-4D11-801A-DA2308899B7A}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AAF3D2D2-2F39-4D11-801A-DA2308899B7A}'" delete
        3⤵
          PID:5024
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA09823E-4D3B-48CC-A19F-0B0814E6BACE}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA09823E-4D3B-48CC-A19F-0B0814E6BACE}'" delete
          3⤵
            PID:5016
      • C:\Windows\System32\sihclient.exe
        C:\Windows\System32\sihclient.exe /cv lX+JvkxKV0GZd+6TsanO5Q.0.2
        1⤵
        • Modifies data under HKEY_USERS
        PID:3872
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        1⤵
        • Modifies data under HKEY_USERS
        PID:4696
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
        1⤵
          PID:4604

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
          MD5

          5fc86e8162ad34cc11ea9cbca3118e0c

          SHA1

          5e1f776ec67c09da8def4d16091af67a8cac18d4

          SHA256

          ee768812f160218bca7b48fe191958fae5c4d5ae1cdc3173030b626fbc6f3bd4

          SHA512

          52c4d789e1d4e6df7b54e7ef7a98202cb120d3babb9c6f46a30c00d09e536b4ffb25dc8db91282148ce80a38946f0d14990b23468fe75dd612156c50db91ed5c

          Download Submit
        • memory/3848-146-0x0000000000400000-0x0000000000810000-memory.dmp
          Filesize

          4.1MB

          Download
        • memory/3988-147-0x0000000000000000-mapping.dmp
          Download
        • memory/4252-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4412-151-0x0000000000000000-mapping.dmp
          Download
        • memory/4604-148-0x0000000000000000-mapping.dmp
          Download
        • memory/4676-149-0x0000000000000000-mapping.dmp
          Download
        • memory/4696-155-0x000001F13EB60000-0x000001F13EB70000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4696-156-0x000001F13EDA0000-0x000001F13EDB0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4696-157-0x000001F13EF70000-0x000001F13EF74000-memory.dmp
          Filesize

          16KB

          Download
        • memory/5016-154-0x0000000000000000-mapping.dmp
          Download
        • memory/5024-152-0x0000000000000000-mapping.dmp
          Download
        • memory/5028-153-0x0000000000000000-mapping.dmp
          Download