Analysis
-
max time kernel
122s -
max time network
227s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
18-11-2021 09:45
Static task
static1
Behavioral task
behavioral1
Sample
x64.dll
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
x64.dll
Resource
win10-en-20211104
General
-
Target
x64.dll
-
Size
230KB
-
MD5
81b3b6eb0ffb0d14494b17c833281676
-
SHA1
a6669ac884c1fb52769bd6dd5f961fec4daa2fe1
-
SHA256
e422aa32b5f26a15aedba1bf597a163cd99c4c7777608bf05c8be3b404d825a1
-
SHA512
cc20b2411eb2e44ab8e001cb49bd98d9ad0fc581ce56c9aff866ed87db2b2e4574ada835d4666991324d052e6f75affdaa8ab6e1dba646f81da8143bbc9daa15
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.ws
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ImportShow.tiff regsvr32.exe File renamed C:\Users\Admin\Pictures\ImportShow.tiff => C:\Users\Admin\Pictures\ImportShow.tiff.APOSV regsvr32.exe File opened for modification C:\Users\Admin\Pictures\ProtectReset.tiff regsvr32.exe File renamed C:\Users\Admin\Pictures\ProtectReset.tiff => C:\Users\Admin\Pictures\ProtectReset.tiff.APOSV regsvr32.exe File renamed C:\Users\Admin\Pictures\ResetSend.tif => C:\Users\Admin\Pictures\ResetSend.tif.APOSV regsvr32.exe File renamed C:\Users\Admin\Pictures\SendInitialize.raw => C:\Users\Admin\Pictures\SendInitialize.raw.APOSV regsvr32.exe File renamed C:\Users\Admin\Pictures\TestConfirm.png => C:\Users\Admin\Pictures\TestConfirm.png.APOSV regsvr32.exe -
Drops startup file 1 IoCs
Processes:
regsvr32.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt regsvr32.exe -
Drops desktop.ini file(s) 32 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Pictures\desktop.ini regsvr32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Documents\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Documents\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Music\desktop.ini regsvr32.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini regsvr32.exe File opened for modification C:\Program Files\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Searches\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Links\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Videos\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Downloads\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Libraries\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Videos\desktop.ini regsvr32.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI regsvr32.exe File opened for modification C:\Users\Admin\Music\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini regsvr32.exe File opened for modification C:\Users\Public\Desktop\desktop.ini regsvr32.exe File opened for modification C:\Program Files (x86)\desktop.ini regsvr32.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini regsvr32.exe -
Drops file in Program Files directory 64 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms regsvr32.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\readme.txt regsvr32.exe File opened for modification C:\Program Files\UnregisterWrite.ppsx regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\readme.txt regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\readme.txt regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\readme.txt regsvr32.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_organize_18.svg regsvr32.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\readme.txt regsvr32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\readme.txt regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt regsvr32.exe File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\readme.txt regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\ui-strings.js regsvr32.exe File created C:\Program Files (x86)\MSBuild\readme.txt regsvr32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js regsvr32.exe File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h regsvr32.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\readme.txt regsvr32.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms regsvr32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js regsvr32.exe File created C:\Program Files\VideoLAN\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\readme.txt regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js regsvr32.exe File created C:\Program Files (x86)\Internet Explorer\fr-FR\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\ui-strings.js regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\readme.txt regsvr32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML regsvr32.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms regsvr32.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\readme.txt regsvr32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js regsvr32.exe File created C:\Program Files (x86)\readme.txt regsvr32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms regsvr32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js regsvr32.exe -
Drops file in Windows directory 3 IoCs
Processes:
ShellExperienceHost.exesvchost.exedescription ioc process File created C:\Windows\rescache\_merged\4032412167\2690874625.pri ShellExperienceHost.exe File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri ShellExperienceHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
regsvr32.exepid process 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe 3064 regsvr32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ShellExperienceHost.exepid process 1888 ShellExperienceHost.exe 1888 ShellExperienceHost.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\x64.dll1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
- Drops file in Windows directory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3516-118-0x000001B28CBB0000-0x000001B28CBC0000-memory.dmpFilesize
64KB
-
memory/3516-119-0x000001B28CF10000-0x000001B28CF20000-memory.dmpFilesize
64KB
-
memory/3516-120-0x000001B28F5B0000-0x000001B28F5B1000-memory.dmpFilesize
4KB
-
memory/3516-121-0x000001B28F710000-0x000001B28F711000-memory.dmpFilesize
4KB
-
memory/3516-122-0x000001B28F900000-0x000001B28F901000-memory.dmpFilesize
4KB
-
memory/3516-123-0x000001B28F7B0000-0x000001B28F7B1000-memory.dmpFilesize
4KB