conti | e422aa32b5f26a15aedba1bf597a163cd99c4c7777608bf05c8be3b404d825a1

General

Target

x64.dll
Size

230KB
MD5

81b3b6eb0ffb0d14494b17c833281676
SHA1

a6669ac884c1fb52769bd6dd5f961fec4daa2fe1
SHA256

e422aa32b5f26a15aedba1bf597a163cd99c4c7777608bf05c8be3b404d825a1
SHA512

cc20b2411eb2e44ab8e001cb49bd98d9ad0fc581ce56c9aff866ed87db2b2e4574ada835d4666991324d052e6f75affdaa8ab6e1dba646f81da8143bbc9daa15

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- ntR80BkpFFUDBmqQrukwVEZkxEQ5D34RVUAeZSRe86lRSjY6u0SNL9Dm67PK7DDy ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

regsvr32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.APOSV	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.APOSV	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.APOSV	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.APOSV	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.APOSV	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.APOSV	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.APOSV	regsvr32.exe

Drops desktop.ini file(s) 46 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZTH0NOOE\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0WAF332L\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ORVXVB76\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UUBNW27H\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst	regsvr32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18192_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS_DocLib.ico	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	regsvr32.exe
File opened for modification	C:\Program Files\RevokeDebug.rtf	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.DPV	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00902_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR98.POC	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9B.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nome	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\readme.txt	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe
1508	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\x64.dll
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-55-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads