Analysis
- max time kernel: 96s
- max time network: 72s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 01-11-2021 09:48
Static task: static1
Behavioral task: behavioral1
  Sample: MFC_Stub.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: MFC_Stub.exe
  Resource: win10-en-20210920
General
- Target: MFC_Stub.exe
- Size: 639KB
- MD5: 24095d5f0fb8533c72508fbecd40b516
- SHA1: 8203863af49219e132241d0ce4b4cee0d66c7fed
- SHA256: 41c56e92efd01a553d0faf39ccb440c7e84d32531335c262572d6a01bf7f70c8
- SHA512: 0e22c86923d439d54f917320b0f6f4602d3f6c0ac1aa3f702e48a55f24e3cbf198fce3c989d37e525e2eba9afe8a0eb60e3c15b2af662ee7fece7557a2f594b7
Malware Config
- Extracted from: C:\readme.txt
- Family: conti
- URLs:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.ws
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Drops startup file (1 IoC)
  Processes: MFC_Stub.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | MFC_Stub.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: MFC_Stub.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar | MFC_Stub.exe
  File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg | MFC_Stub.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\System\MSCOMCTL.OCX | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg | MFC_Stub.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\skins\default.vlt | MFC_Stub.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo | MFC_Stub.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.txt | MFC_Stub.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css | MFC_Stub.exe
  File created | C:\Program Files (x86)\Internet Explorer\de-DE\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado20.tlb | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\management\snmp.acl.template | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\SAMPLES\readme.txt | MFC_Stub.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ky\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp | MFC_Stub.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm.html | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar | MFC_Stub.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar | MFC_Stub.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml | MFC_Stub.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg | MFC_Stub.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png | MFC_Stub.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\readme.txt | MFC_Stub.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms | MFC_Stub.exe
  File created | C:\Program Files (x86)\Common Files\System\msadc\de-DE\readme.txt | MFC_Stub.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid | process
  1340 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MFC_Stub.exe
  pid | process
  4264 | MFC_Stub.exe
  4264 | MFC_Stub.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeBackupPrivilege | 4376 | vssvc.exe
  Token: SeRestorePrivilege | 4376 | vssvc.exe
  Token: SeAuditPrivilege | 4376 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 4496 | WMIC.exe
  Token: SeSecurityPrivilege | 4496 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4496 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4496 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4496 | WMIC.exe
  Token: SeSystemtimePrivilege | 4496 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4496 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4496 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4496 | WMIC.exe
  Token: SeBackupPrivilege | 4496 | WMIC.exe
  Token: SeRestorePrivilege | 4496 | WMIC.exe
  Token: SeShutdownPrivilege | 4496 | WMIC.exe
  Token: SeDebugPrivilege | 4496 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4496 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4496 | WMIC.exe
  Token: SeUndockPrivilege | 4496 | WMIC.exe
  Token: SeManageVolumePrivilege | 4496 | WMIC.exe
  Token: 33 | 4496 | WMIC.exe
  Token: 34 | 4496 | WMIC.exe
  Token: 35 | 4496 | WMIC.exe
  Token: 36 | 4496 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 4496 | WMIC.exe
  Token: SeSecurityPrivilege | 4496 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4496 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4496 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4496 | WMIC.exe
  Token: SeSystemtimePrivilege | 4496 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4496 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4496 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4496 | WMIC.exe
  Token: SeBackupPrivilege | 4496 | WMIC.exe
  Token: SeRestorePrivilege | 4496 | WMIC.exe
  Token: SeShutdownPrivilege | 4496 | WMIC.exe
  Token: SeDebugPrivilege | 4496 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4496 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4496 | WMIC.exe
  Token: SeUndockPrivilege | 4496 | WMIC.exe
  Token: SeManageVolumePrivilege | 4496 | WMIC.exe
  Token: 33 | 4496 | WMIC.exe
  Token: 34 | 4496 | WMIC.exe
  Token: 35 | 4496 | WMIC.exe
  Token: 36 | 4496 | WMIC.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MFC_Stub.exe
  pid | process
  4264 | MFC_Stub.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: MFC_Stub.exe, cmd.exe
  description | pid | process | target process
  PID 4264 wrote to memory of 4628 | 4264 | MFC_Stub.exe | cmd.exe
  PID 4264 wrote to memory of 4628 | 4264 | MFC_Stub.exe | cmd.exe
  PID 4628 wrote to memory of 4496 | 4628 | cmd.exe | WMIC.exe
  PID 4628 wrote to memory of 4496 | 4628 | cmd.exe | WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MFC_Stub.exe"
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (child)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wbem\WMIC.exe (child)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D3E78C1-16F5-45C2-8C51-8B602BF398FB}'" delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Desktop\readme.txt
  MD5: b04d96037907659b3408a42999d962b6
  SHA1: 60c94ca67e26125d077eba8f9aa95a992bb5270f
  SHA256: a021523cfba50d5d80b983b663fafae79882d3321747a7df2eb7408f6520bd07
  SHA512: cec34e60291499f3be4bc39be91d353f024b900d3ac33b579e6cac7280fd91bcbfd0d7817a1b77668bd8b864c00c14f9922e8091d595fd3d0cae3472b0ee7be2
- memory/4264-115-0x00000000013A0000-0x00000000013D4000-memory.dmp
  Filesize: 208KB
- memory/4496-117-0x0000000000000000-mapping.dmp
- memory/4628-116-0x0000000000000000-mapping.dmp