Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 27-10-2021 05:03
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: locker.bin.exe, Resource: win7-en-20210920)
- Behavioral task: behavioral2 (Sample: locker.bin.exe, Resource: win10-en-20211014)
General
- Target: locker.bin.exe
- Size: 194KB
- MD5: f784984a20b4e58d6301bfef1f4c13b8
- SHA1: 512754b0f5bbd204dd26fadf20982f9babd45576
- SHA256: d417f3785a33da8b26ce68b62e66bdf7d46869b692fe325541a7be2b98119bd1
- SHA512: af085f96ab972df9661036efcdd626718dabf94e969559b243e1bf367f19aa047d442e6384136a59a1d833462a74a0c906e4b1e87f4cf76aec0287fd5f3738e5
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.click
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description: ioc, process):
- File renamed: C:\Users\Admin\Pictures\StartMerge.crw => C:\Users\Admin\Pictures\StartMerge.crw.YDNPB (locker.bin.exe)
- File renamed: C:\Users\Admin\Pictures\GrantUndo.tif => C:\Users\Admin\Pictures\GrantUndo.tif.YDNPB (locker.bin.exe)
- File renamed: C:\Users\Admin\Pictures\PublishConvertFrom.png => C:\Users\Admin\Pictures\PublishConvertFrom.png.YDNPB (locker.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\RedoUnpublish.tiff (locker.bin.exe)
- File renamed: C:\Users\Admin\Pictures\RedoUnpublish.tiff => C:\Users\Admin\Pictures\RedoUnpublish.tiff.YDNPB (locker.bin.exe)
- File renamed: C:\Users\Admin\Pictures\SendRevoke.png => C:\Users\Admin\Pictures\SendRevoke.png.YDNPB (locker.bin.exe)
Drops startup file (1 IoC)
Processes (description: ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (locker.bin.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1372 locker.bin.exe
- 1372 locker.bin.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes (token, pid, process):
- vssvc.exe (PID 3788), tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- WMIC.exe (PID 3756), tokens (this sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
- PID 1372 (locker.bin.exe) wrote to memory of PID 2628 (cmd.exe)
- PID 1372 (locker.bin.exe) wrote to memory of PID 2628 (cmd.exe)
- PID 2628 (cmd.exe) wrote to memory of PID 3756 (WMIC.exe)
- PID 2628 (cmd.exe) wrote to memory of PID 3756 (WMIC.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\locker.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\locker.bin.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken