conti | b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e

General

Target

b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
Size

195KB
MD5

3a95880983f1e70cfcdb3845fa8f9e93
SHA1

b12b67fe123ac3d60057448c1b18b665ade41242
SHA256

b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e
SHA512

ec5599551c5c598b1dc1709b2c65d69cf6e7e76ade8786071ee3831a1ae9d2390f6c320abb9dfebee9386b138b85d435096aa8d0ff6769945cd05cc50724cb45

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- YOQttZVleIkJ2AhK4o9vF0dDcITDzFCB8yPriHeIwNgcrJmbzGK2ejixLM15WiEy ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 64 IoCs

Processes:

b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\SetCompare.jpeg	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\SubmitProtect.odt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\Reference Assemblies\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\VideoLAN\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\Internet Explorer\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\StepDebug.3gp2	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\Java\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\PublishWait.ttf	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\UndoDisable.kix	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\ResetExit.mpg	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\SkipUnpublish.ocx	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\SwitchRevoke.3gpp	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\PopEnable.docm	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\RemoveFormat.midi	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\Common Files\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\NewSet.fon	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File created	C:\Program Files\readme.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\RedoUnpublish.rtf	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\ProtectStart.kix	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\UpdateSwitch.bin	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\CopyFind.bmp	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
File opened for modification	C:\Program Files\RegisterWatch.wmf	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe

pid	process
3616	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
3616	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	752	vssvc.exe
Token: SeRestorePrivilege	752	vssvc.exe
Token: SeAuditPrivilege	752	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe
Token: SeManageVolumePrivilege	4216	WMIC.exe
Token: 33	4216	WMIC.exe
Token: 34	4216	WMIC.exe
Token: 35	4216	WMIC.exe
Token: 36	4216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe
Token: SeManageVolumePrivilege	4216	WMIC.exe
Token: 33	4216	WMIC.exe
Token: 34	4216	WMIC.exe
Token: 35	4216	WMIC.exe
Token: 36	4216	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.execmd.exe

description	pid	process	target process
PID 3616 wrote to memory of 4328	3616	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe	cmd.exe
PID 3616 wrote to memory of 4328	3616	b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe	cmd.exe
PID 4328 wrote to memory of 4216	4328	cmd.exe	WMIC.exe
PID 4328 wrote to memory of 4216	4328	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b6d909bb2315ec139fa4704eead928f140919a621e22234160c7a1bfc6d2529e.bin.sample.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF6BEA9C-45E8-4C04-814F-EBA74A04A6CD}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads