conti | 41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8

General

Target

MFC_Stub.exe
Size

639KB
MD5

24095d5f0fb8533c72508fbecd40b516
SHA1

8203863af49219e132241d0ce4b4cee0d66c7fed
SHA256

41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8
SHA512

0e22c86923d439d54f917320b0f6f4602d3f6c0ac1aa3f702e48a55f24e3cbf198fce3c989d37e525e2eba9afe8a0eb60e3c15b2af662ee7fece7557a2f594b7

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- P9naBpvFModYOUO6KOdT1qyyFZuneeqjUZoYykxu8avGxV1rxugIPn13Yg1147un ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Drops startup file 1 IoCs

Processes:

MFC_Stub.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt MFC_Stub.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	MFC_Stub.exe

Drops file in Program Files directory 64 IoCs

Processes:

MFC_Stub.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	MFC_Stub.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	MFC_Stub.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\MSCOMCTL.OCX	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg	MFC_Stub.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\default.vlt	MFC_Stub.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo	MFC_Stub.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.txt	MFC_Stub.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	MFC_Stub.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado20.tlb	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\readme.txt	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	MFC_Stub.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	MFC_Stub.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	MFC_Stub.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml	MFC_Stub.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	MFC_Stub.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png	MFC_Stub.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\readme.txt	MFC_Stub.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms	MFC_Stub.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\readme.txt	MFC_Stub.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1340 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MFC_Stub.exe

pid process

4264 MFC_Stub.exe
4264 MFC_Stub.exe

pid	process
1340	NOTEPAD.EXE

pid	process
4264	MFC_Stub.exe
4264	MFC_Stub.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	4376	vssvc.exe
Token: SeRestorePrivilege	4376	vssvc.exe
Token: SeAuditPrivilege	4376	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MFC_Stub.exe

pid process

4264 MFC_Stub.exe

pid	process
4264	MFC_Stub.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

MFC_Stub.execmd.exe

description	pid	process	target process
PID 4264 wrote to memory of 4628	4264	MFC_Stub.exe	cmd.exe
PID 4264 wrote to memory of 4628	4264	MFC_Stub.exe	cmd.exe
PID 4628 wrote to memory of 4496	4628	cmd.exe	WMIC.exe
PID 4628 wrote to memory of 4496	4628	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe
"C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\readme.txt
MD5
b04d96037907659b3408a42999d962b6

SHA1
60c94ca67e26125d077eba8f9aa95a992bb5270f

SHA256
a021523cfba50d5d80b983b663fafae79882d3321747a7df2eb7408f6520bd07

SHA512
cec34e60291499f3be4bc39be91d353f024b900d3ac33b579e6cac7280fd91bcbfd0d7817a1b77668bd8b864c00c14f9922e8091d595fd3d0cae3472b0ee7be2

Download Submit
memory/4264-115-0x00000000013A0000-0x00000000013D4000-memory.dmp

Filesize
208KB

Download
memory/4496-117-0x0000000000000000-mapping.dmp

Download
memory/4628-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads