conti | 9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d

General

Target

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
Size

195KB
MD5

bf4933f379b743cfbdcdfe78b7071749
SHA1

2ddaf5e2ee25ec75c2a4d0bd83097aa93d1de941
SHA256

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d
SHA512

9fe5d25f97e600aa8f67302b6fa07e4246d9fb9bf1b0d24d1f5ce7038b0390089468956ffea5477fa18ca7009b5d9af37a710236eed0b051400a379ffb39586a

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- yIe0BFhEGHFSJ8G0iEutn6kJm34kLTKKb79sUBcfYqbwlHXQ3vFPZTF0X23J76Y0 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 64 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\SaveDismount.xls	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\UnregisterMove.ppsm	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Google\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\StartDisable.ps1	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\OptimizeSwitch.ram	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\CompareUnregister.asx	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\FindExport.clr	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\JoinDisconnect.mpeg2	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\CloseConfirm.mp3	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Java\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ResolveUnprotect.3gp	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\StartGrant.avi	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\UnprotectStep.i64	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files\Uninstall Information\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Google\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\InvokeConfirm.DVR	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ReceiveSet.rmi	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\ReadReset.bmp	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

pid	process
5072	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
5072	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1020	WMIC.exe
Token: SeSecurityPrivilege	1020	WMIC.exe
Token: SeTakeOwnershipPrivilege	1020	WMIC.exe
Token: SeLoadDriverPrivilege	1020	WMIC.exe
Token: SeSystemProfilePrivilege	1020	WMIC.exe
Token: SeSystemtimePrivilege	1020	WMIC.exe
Token: SeProfSingleProcessPrivilege	1020	WMIC.exe
Token: SeIncBasePriorityPrivilege	1020	WMIC.exe
Token: SeCreatePagefilePrivilege	1020	WMIC.exe
Token: SeBackupPrivilege	1020	WMIC.exe
Token: SeRestorePrivilege	1020	WMIC.exe
Token: SeShutdownPrivilege	1020	WMIC.exe
Token: SeDebugPrivilege	1020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1020	WMIC.exe
Token: SeRemoteShutdownPrivilege	1020	WMIC.exe
Token: SeUndockPrivilege	1020	WMIC.exe
Token: SeManageVolumePrivilege	1020	WMIC.exe
Token: 33	1020	WMIC.exe
Token: 34	1020	WMIC.exe
Token: 35	1020	WMIC.exe
Token: 36	1020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1020	WMIC.exe
Token: SeSecurityPrivilege	1020	WMIC.exe
Token: SeTakeOwnershipPrivilege	1020	WMIC.exe
Token: SeLoadDriverPrivilege	1020	WMIC.exe
Token: SeSystemProfilePrivilege	1020	WMIC.exe
Token: SeSystemtimePrivilege	1020	WMIC.exe
Token: SeProfSingleProcessPrivilege	1020	WMIC.exe
Token: SeIncBasePriorityPrivilege	1020	WMIC.exe
Token: SeCreatePagefilePrivilege	1020	WMIC.exe
Token: SeBackupPrivilege	1020	WMIC.exe
Token: SeRestorePrivilege	1020	WMIC.exe
Token: SeShutdownPrivilege	1020	WMIC.exe
Token: SeDebugPrivilege	1020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1020	WMIC.exe
Token: SeRemoteShutdownPrivilege	1020	WMIC.exe
Token: SeUndockPrivilege	1020	WMIC.exe
Token: SeManageVolumePrivilege	1020	WMIC.exe
Token: 33	1020	WMIC.exe
Token: 34	1020	WMIC.exe
Token: 35	1020	WMIC.exe
Token: 36	1020	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.execmd.exe

description	pid	process	target process
PID 5072 wrote to memory of 4336	5072	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 5072 wrote to memory of 4336	5072	9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe	cmd.exe
PID 4336 wrote to memory of 1020	4336	cmd.exe	WMIC.exe
PID 4336 wrote to memory of 1020	4336	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe
"C:\Users\Admin\AppData\Local\Temp\9b10f53b6f73280f07efc10aae6d2d9a3bd9914add2d22ed95a89938e841726d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads