Analysis
max time kernel: 113s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 05-11-2021 20:24
Static task: static1
Behavioral task: behavioral1
  Sample: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
  Resource: win10-en-20211014
General
Target: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
Size: 984KB
MD5: d5830d258e4aa138b21a0841d85f4e2a
SHA1: d82f858eaac39c4ce5f20cf6db8414de7147b4e3
SHA256: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f
SHA512: 9cb37cc4e8292a189c390f6b0df912a24870e762f79a23c94a005c62e7b518f637b0de697a306b3543cda294b5ce9e45324edca3fc6f8c8b496d659dcb4a6e19
Malware Config
Extracted from: C:\readme.txt
Family: conti
URLs:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.ws
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
- File renamed: C:\Users\Admin\Pictures\RepairExit.png => C:\Users\Admin\Pictures\RepairExit.png.ZLAKO
- File opened for modification: C:\Users\Admin\Pictures\SaveExit.tiff
- File renamed: C:\Users\Admin\Pictures\SaveExit.tiff => C:\Users\Admin\Pictures\SaveExit.tiff.ZLAKO

Drops startup file (1 IoC)
Process: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Process: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms
- File created: C:\Program Files\VideoLAN\VLC\lua\intf\modules\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\readme.txt
- File created: C:\Program Files\Java\jre1.8.0_66\lib\cmm\readme.txt
- File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png
- File created: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms
- File created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\readme.txt
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\ui-strings.js
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\readme.txt
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png
- File created: C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\readme.txt
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js
- File created: C:\Program Files (x86)\MSBuild\Microsoft\readme.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png
- File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\readme.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
- pid 2636: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
- pid 2636: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Process: vssvc.exe (pid 3988)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Process: WMIC.exe (pid 952)
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Process: WMIC.exe (pid 952), second sequence
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe, cmd.exe
- PID 2636 wrote to memory of 1196: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe -> cmd.exe
- PID 2636 wrote to memory of 1196: b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe -> cmd.exe
- PID 1196 wrote to memory of 952: cmd.exe -> WMIC.exe
- PID 1196 wrote to memory of 952: cmd.exe -> WMIC.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2365e9dbed11615908276e371bb40400eea0563752527ef91aeb8105de1d16f.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken