Analysis
max time kernel: 123s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211104
submitted: 11-11-2021 07:00
Static task: static1
Behavioral task: behavioral1
  Sample: 37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2.dll
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2.dll
  Resource: win10-en-20211104
General
Target: 37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2.dll
Size: 901KB
MD5: 8371d1c15af2ffa8111deef437997d79
SHA1: d4b427988b2876546c2e00329ac1b9ba3905c9b8
SHA256: 37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2
SHA512: d09c4b72f2f9219d12cb2735a835382b1fb5c4e0f8487a5b025494a7576780c893e48f713b5986d93328fe92642ca47794d1fca95cf65c1cb1835daab17db23a
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.ws
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CompareSwitch.raw => C:\Users\Admin\Pictures\CompareSwitch.raw.MUUAZ | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\ExitImport.crw => C:\Users\Admin\Pictures\ExitImport.crw.MUUAZ | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\GetSkip.crw => C:\Users\Admin\Pictures\GetSkip.crw.MUUAZ | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchGroup.tiff | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterDisable.tiff | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\UnregisterDisable.tiff => C:\Users\Admin\Pictures\UnregisterDisable.tiff.MUUAZ | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\WatchWait.tif => C:\Users\Admin\Pictures\WatchWait.tif.MUUAZ | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\SwitchGroup.tiff => C:\Users\Admin\Pictures\SwitchGroup.tiff.MUUAZ | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\UnblockConvertFrom.crw => C:\Users\Admin\Pictures\UnblockConvertFrom.crw.MUUAZ | regsvr32.exe
-
Drops startup file (1 IoC)
Processes: regsvr32.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt | regsvr32.exe
-
Drops desktop.ini file(s) (32 IoCs)
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | regsvr32.exe
File opened for modification | C:\Users\Public\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | regsvr32.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\readme.txt | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrome.7z | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\readme.txt | regsvr32.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ru\readme.txt | regsvr32.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js | regsvr32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent@3x.png | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF | regsvr32.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\ui-strings.js | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\COPYRIGHT | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\zx______.pfm | regsvr32.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\cmm\LINEAR_RGB.pf | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail.png | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\ui-strings.js | regsvr32.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg | regsvr32.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg | regsvr32.exe
File created | C:\Program Files\VideoLAN\readme.txt | regsvr32.exe
-
Drops file in Windows directory (3 IoCs)
Processes: ShellExperienceHost.exe, svchost.exe
description | ioc | process
File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | ShellExperienceHost.exe
File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | ShellExperienceHost.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe
-
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1732 | 4004 | WerFault.exe | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe
pid | process
4004 | regsvr32.exe (this row is repeated 64 times in the original table, once per IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 1732 | WerFault.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ShellExperienceHost.exe
pid | process
3868 | ShellExperienceHost.exe
3868 | ShellExperienceHost.exe
Processes
-
C:\Windows\system32\regsvr32.exe (tree depth 1)
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\37410f45bab40e0d5e8e2160b480d928c975fadbe423be884678b924d66871d2.dll
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exe (tree depth 2; reports on PID 4004, the regsvr32.exe process above)
Command line: C:\Windows\system32\WerFault.exe -u -p 4004 -s 1500
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (tree depth 1)
Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix
Downloads
- memory/3972-121-0x000002D270490000-0x000002D2704A0000-memory.dmp (Filesize 64KB)
- memory/3972-122-0x000002D270740000-0x000002D270750000-memory.dmp (Filesize 64KB)
- memory/3972-123-0x000002D270D10000-0x000002D270D11000-memory.dmp (Filesize 4KB)
- memory/3972-124-0x000002D273360000-0x000002D273361000-memory.dmp (Filesize 4KB)
- memory/3972-125-0x000002D273350000-0x000002D273351000-memory.dmp (Filesize 4KB)
- memory/4004-119-0x0000000000FB0000-0x0000000000FB2000-memory.dmp (Filesize 8KB)
- memory/4004-118-0x0000000000FB0000-0x0000000000FB2000-memory.dmp (Filesize 8KB)
- memory/4004-120-0x0000000000FF0000-0x000000000102F000-memory.dmp (Filesize 252KB)