Analysis
Max time kernel: 121s
Max time network: 122s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 16-11-2021 05:39
Static task: static1
Behavioral task: behavioral1
  Sample: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
  Resource: win10-en-20211014
The results on this page are from behavioral2 (platform windows10_x64, resource win10-en-20211014); the win7 run is not shown here.
General
Target: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
Size: 194KB
MD5: a35a0ad3e3600c94e00f52dfb0d28103
SHA1: 8c2af54642a32926dee8a2520d3d979d5f30ee27
SHA256: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487
SHA512: 4db5829a04fcfa7eed2b4159cd47336f2735826a950d4600e779cb9914964c5db54068498676e3820f2889a74c04660ae085d7e9d5efa773f70db9bef427bc3b
Malware Config
Extracted from: C:\readme.txt (the ransom note)
Family: conti
URLs in the note:
  http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  https://contirecovery.click
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
  File renamed: C:\Users\Admin\Pictures\ConfirmSplit.crw => C:\Users\Admin\Pictures\ConfirmSplit.crw.XCDZI
  File renamed: C:\Users\Admin\Pictures\RedoApprove.raw => C:\Users\Admin\Pictures\RedoApprove.raw.XCDZI
  File renamed: C:\Users\Admin\Pictures\RenameCheckpoint.tif => C:\Users\Admin\Pictures\RenameCheckpoint.tif.XCDZI
In this run the original file name and extension are kept and a second extension, .XCDZI, is appended. The appended letters differ between Conti builds, so treat .XCDZI as a per-sample indicator, not a family-wide one.
Drops startup file (1 IoC)
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt
The file is the ransom note, the same readme.txt that is created in the Program Files directories below; it lands in the Word STARTUP folder because the encryptor writes a note into every directory it walks. Word loads templates and add-ins from that folder, not .txt files, so this is a side effect of the directory walk rather than a persistence mechanism.
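The two file-system indicators above, user files renamed with an appended extension and a readme.txt dropped into a directory, can be hunted for together from a plain file listing. The following is an added example, not sandbox output and not code from the sample: the shape-based rule for the appended extension (five upper-case letters stacked on a normal extension) and the sample paths (the three renames and the dropped note from this report plus two untouched files) are the example's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Heuristic taken from the file events in this report: an encrypted file keeps
# its original name and gains a second, five-letter upper-case extension
# (".XCDZI" in this run), and a ransom note named readme.txt is created in the
# directories the encryptor walks. The letters differ between builds, so the
# check matches the shape of the extension rather than the literal ".XCDZI".
APPENDED_EXT = re.compile(r"^\.[A-Z]{5}$")
NOTE_NAME = "readme.txt"

# Constructed input: the three renamed files and the dropped note from the
# report, plus two untouched files that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Users\Admin\Pictures\ConfirmSplit.crw.XCDZI",
    r"C:\Users\Admin\Pictures\RedoApprove.raw.XCDZI",
    r"C:\Users\Admin\Pictures\RenameCheckpoint.tif.XCDZI",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt",
    r"C:\Program Files\7-Zip\Lang\sl.txt",
    r"C:\Users\Admin\Documents\notes.BACKUP",   # six letters: not the pattern
]


def split_appended(path):
    """Return (original_path, appended_ext) when the name ends in a five-letter
    upper-case extension stacked on a normal extension, else None.

    The stacking is the point: a file that had no extension before encryption
    (thumbs -> thumbs.XCDZI) is deliberately missed here, trading a few false
    negatives for far fewer false positives; the note check still flags the
    directory."""
    p = PureWindowsPath(path)
    if not APPENDED_EXT.match(p.suffix):
        return None
    original = p.with_suffix("")          # strip the appended extension
    if not original.suffix:               # nothing underneath: not a rename
        return None
    return str(original), p.suffix


def triage(paths):
    """Group suspected encrypted files and ransom notes by directory.

    Returns {directory: {"encrypted": [original paths], "exts": {appended
    extensions}, "note": bool}} for directories with at least one hit."""
    by_dir = defaultdict(lambda: {"encrypted": [], "exts": set(), "note": False})
    for path in paths:
        p = PureWindowsPath(path)
        d = str(p.parent)
        if p.name.lower() == NOTE_NAME:
            by_dir[d]["note"] = True
            continue
        hit = split_appended(path)
        if hit is not None:
            by_dir[d]["encrypted"].append(hit[0])
            by_dir[d]["exts"].add(hit[1])
    return {d: v for d, v in by_dir.items() if v["encrypted"] or v["note"]}


def appended_extensions(paths):
    """All appended extensions seen across the listing. One value (as here) is
    what a single build produces; several suggest more than one encryptor."""
    exts = set()
    for v in triage(paths).values():
        exts |= v["exts"]
    return exts


if __name__ == "__main__":
    for d, v in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{d}: {len(v['encrypted'])} encrypted, note={v['note']}, "
              f"exts={sorted(v['exts'])}")
```

Feed it the output of a recursive directory listing (or the file paths from a backup catalogue) to get, per directory, how many files were encrypted, which extension was appended, and whether a note was dropped; the extension set is the value to pivot on when correlating hosts hit by the same build.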
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoCs are attached to this signature; it is TTP-based. For a file encryptor the likely trigger is the directory walk passing through browser profile folders, not credential theft. Check the full file-event log for what was read under the profile paths before treating this as infostealer behaviour.
Drops file in Program Files directory (64 IoCs)
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (all entries)
  File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx
  File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon.png
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.bfc
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\readme.txt
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\readme.txt
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\ui-strings.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\readme.txt
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms
  File created: C:\Program Files\VideoLAN\VLC\locale\vi\readme.txt
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms
  File created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\readme.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\readme.txt
  File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\readme.txt
  File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\readme.txt
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png
  File opened for modification: C:\Program Files\7-Zip\Lang\sq.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js
  File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\readme.txt
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_k_col.hxk
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js
  File opened for modification: C:\Program Files\7-Zip\Lang\pl.txt
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js
  File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign-2x.png
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\ui-strings.js
  File opened for modification: C:\Program Files\7-Zip\Lang\ky.txt
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml
  File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\readme.txt
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\readme.txt
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\readme.txt
  File opened for modification: C:\Program Files\Common Files\Services\verisign.bmp
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\plugin.js
  File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml
The list is a sample of the first 64 events, not the full set. Every "File created" entry is a readme.txt ransom note dropped into the directory being walked; the "File opened for modification" entries are existing files opened with write access, consistent with encryption in place (the corresponding renames to .XCDZI are only listed for user files above). The mix of Office, Adobe, Java, VLC and 7-Zip paths shows the encryptor does not restrict itself to user data directories.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (PID 2708), 2 events
Suspicious use of AdjustPrivilegeToken (45 IoCs)
vssvc.exe (PID 2260): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 648), each of the following enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The bare numbers are privilege LUIDs the sandbox did not resolve to names; on Windows 10, 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. WMIC.exe routinely enables every privilege present in its token at startup, so this list is wmic's normal behaviour rather than the sample escalating; the signal is that wmic was launched with a shadowcopy delete command (see the process tree). The vssvc.exe entries are the Volume Shadow Copy service enabling the backup and restore privileges it needs to service that request.
Suspicious use of WriteProcessMemory (4 IoCs)
PID 2708 (1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe) wrote to memory of PID 3204 (cmd.exe), 2 events
PID 3204 (cmd.exe) wrote to memory of PID 648 (WMIC.exe), 2 events
Each writer is the direct parent of its target and the writes coincide with process creation, which is what CreateProcess does when it sets up a child; nothing here indicates injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe (PID 2708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (PID 3204)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 648)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 2260)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

The shadow copy is removed by ID through wmic's shadowcopy alias (Win32_ShadowCopy) rather than with vssadmin delete shadows /all, so the ID had to be looked up first, and a detection keyed only on vssadmin strings misses this. vssvc.exe is the Volume Shadow Copy service started on demand to serve the WMI request; it appears as a separate root rather than a child of the sample, and its privilege use is the service's own.
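One way to turn the process tree above into a detection over process-creation telemetry, matching wmic shadowcopy deletes (by ID or otherwise) and vssadmin delete shadows, and reporting the parent chain and the targeted shadow copy ID. This is an added example, not part of the sandbox report and not the sample's code: the event records are constructed from the tree (the sample's parent PID is not in the report and is set to 0; a read-only wmic query is added as a negative case), and the field names pid, ppid, image and cmdline are the example's own assumption about the log format.

```python
import re

# Constructed process-creation records modelled on the tree in this report,
# with the fields a Sysmon Event ID 1 or EDR telemetry row would carry. The
# parent of the sample is not in the report, so its ppid is 0 here; the
# read-only wmic query at the end is a negative case and must not fire.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1442db21423296acfbd729481cc5f3edb80591383a009f9feeb0ef2675cfc487.exe"
EVENTS = [
    {"pid": 2708, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3204, "ppid": 2708, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete'''},
    {"pid": 648, "ppid": 3204, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete'''},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy list brief"},      # read-only query: no alert
]

# wmic's "shadowcopy" alias is Win32_ShadowCopy; a delete verb after it removes
# restore points whether it targets one ID (as in this report) or everything.
# vssadmin is the other common route and is matched as well.
WMIC_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)
VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
SHADOW_ID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def basename(image):
    return image.rsplit("\\", 1)[-1]


def is_shadow_deletion(ev):
    """Match on the process that executes the deletion, not on every command
    line that mentions it: the cmd.exe wrapper carries the same text and would
    otherwise produce a duplicate alert for the same action."""
    name = basename(ev["image"]).lower()
    if name == "wmic.exe":
        return WMIC_DELETE.search(ev["cmdline"]) is not None
    if name == "vssadmin.exe":
        return VSSADMIN_DELETE.search(ev["cmdline"]) is not None
    return False


def ancestry(ev, by_pid):
    """Image names from the flagged process up to the last parent we have a
    record for; the seen-set guards against PID reuse producing a cycle."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return chain


def detect(events):
    """Return one alert per shadow-copy deletion, with the targeted IDs (empty
    when the command deletes everything) and the parent chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if is_shadow_deletion(ev):
            alerts.append({
                "pid": ev["pid"],
                "shadow_ids": [g.upper() for g in SHADOW_ID.findall(ev["cmdline"])],
                "chain": ancestry(ev, by_pid),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"PID {a['pid']}: deleting {a['shadow_ids'] or 'all'} "
              f"via {' <- '.join(a['chain'])}")
```

The chain is the part worth alerting on: wmic or vssadmin deleting shadows under an interactive admin session is rare but legitimate, while the same command whose grandparent is an executable running out of a user's Temp directory, as here, is the pattern to page on.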