General

  • Target

    5145222641254400.zip

  • Size

    565KB

  • Sample

    211111-hs3zbaahd3

  • MD5

    c6ab1be5e0a615b77d779ee231877d33

  • SHA1

    94c4e2cbd8370a37a4e1a2ceedb0b1fbc52b477c

  • SHA256

    495115de3059c77205e1f4d4acd2588834caa94873bd0465c385e96655751f99

  • SHA512

    1269d094cc07269edccad663f79c08401d39cdb926643783a3cd70f94bb41a5fd09dc572426b4c96ad596913f7576c9b3a697105d8fa44729764023b7995597c

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- nxGtsvw2bTXAT1KrASQNsiIDqMUk1njit8CpshTA40lnS7JPQpZTLdDQ1YYlM3YX ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Targets

    • Target

      37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2

    • Size

      901KB

    • MD5

      8371d1c15af2ffa8111deef437997d79

    • SHA1

      d4b427988b2876546c2e00329ac1b9ba3905c9b8

    • SHA256

      37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2

    • SHA512

      d09c4b72f2f9219d12cb2735a835382b1fb5c4e0f8487a5b025494a7576780c893e48f713b5986d93328fe92642ca47794d1fca95cf65c1cb1835daab17db23a

    Score
    10/10
    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix

Tasks