Analysis
max time kernel: 150s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211014
submitted: 30-11-2021 10:14
Static task: static1
Behavioral task: behavioral1
  Sample: 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
  Resource: win10-en-20211014
General
Target: 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
Size: 195KB
MD5: 2d5445247a4502864d05b71537b7b516
SHA1: fbf278fcc0d0e88fb0ee280b5085a7fb23a84f2b
SHA256: 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69
SHA512: 2218efc1264d63583bd07c46f3d6a2a61c61d870b60a9776f374c76737bc1b5cc3d340a11a6c0fafd336939ef31f9395204238b7e98e1635b796e403c059b1fa
Malware Config
Extracted
C:\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
- Conti Ransomware: Ransomware generally thought to be a successor to Ryuk.
- Drops file in Program Files directory (64 IoCs)
Processes:
28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
description | ioc | process
File opened for modification | C:\Program Files\DebugGet.xml | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ie9props.propdesc | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\MoveUndo.bmp | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\Mozilla Firefox\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Microsoft.NET\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\7-Zip\Lang\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\EditOpen.WTV | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\UnprotectSave.001 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\VideoLAN\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\ClearRestore.docx | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\Reference Assemblies\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.chm | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\Mozilla Firefox\omni.ja | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Google\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Common Files\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\SyncTrace.eprtx | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Reference Assemblies\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\ConvertReceive.asp | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\UnprotectSplit.001 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Office\ThinAppXManifest.xml | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\LimitSelect.dotm | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\PushEnter.xht | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\InvokeEnter.gif | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\ResetRemove.mpe | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files\Internet Explorer\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\DenyCopy.pub | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\NewHide.ps1 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\ResumeUnlock.xlt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
pid | process
4212 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
4212 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
vssvc.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 3728 | vssvc.exe
Token: SeRestorePrivilege | 3728 | vssvc.exe
Token: SeAuditPrivilege | 3728 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 4364 | WMIC.exe
Token: SeSecurityPrivilege | 4364 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4364 | WMIC.exe
Token: SeLoadDriverPrivilege | 4364 | WMIC.exe
Token: SeSystemProfilePrivilege | 4364 | WMIC.exe
Token: SeSystemtimePrivilege | 4364 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4364 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4364 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4364 | WMIC.exe
Token: SeBackupPrivilege | 4364 | WMIC.exe
Token: SeRestorePrivilege | 4364 | WMIC.exe
Token: SeShutdownPrivilege | 4364 | WMIC.exe
Token: SeDebugPrivilege | 4364 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4364 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4364 | WMIC.exe
Token: SeUndockPrivilege | 4364 | WMIC.exe
Token: SeManageVolumePrivilege | 4364 | WMIC.exe
Token: 33 | 4364 | WMIC.exe
Token: 34 | 4364 | WMIC.exe
Token: 35 | 4364 | WMIC.exe
Token: 36 | 4364 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4364 | WMIC.exe
Token: SeSecurityPrivilege | 4364 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4364 | WMIC.exe
Token: SeLoadDriverPrivilege | 4364 | WMIC.exe
Token: SeSystemProfilePrivilege | 4364 | WMIC.exe
Token: SeSystemtimePrivilege | 4364 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4364 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4364 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4364 | WMIC.exe
Token: SeBackupPrivilege | 4364 | WMIC.exe
Token: SeRestorePrivilege | 4364 | WMIC.exe
Token: SeShutdownPrivilege | 4364 | WMIC.exe
Token: SeDebugPrivilege | 4364 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4364 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4364 | WMIC.exe
Token: SeUndockPrivilege | 4364 | WMIC.exe
Token: SeManageVolumePrivilege | 4364 | WMIC.exe
Token: 33 | 4364 | WMIC.exe
Token: 34 | 4364 | WMIC.exe
Token: 35 | 4364 | WMIC.exe
Token: 36 | 4364 | WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe, cmd.exe
description | pid | process | target process
PID 4212 wrote to memory of 4388 | 4212 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe | cmd.exe
PID 4212 wrote to memory of 4388 | 4212 | 28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe | cmd.exe
PID 4388 wrote to memory of 4364 | 4388 | cmd.exe | WMIC.exe
PID 4388 wrote to memory of 4364 | 4388 | cmd.exe | WMIC.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28fea198b1a127ecc10411d711c4df087fc2aa371223a02c13cad92dc465fc69.bin.sample.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19CDF45A-AB26-4CD3-A80A-DC59EDB6A247}'" delete
      - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken