conti | a47d7ff36064cab056d56dca4c466b4e98b331e4aed1d7aee2790cb9a94b1793

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-en-20211208
submitted
16/12/2021, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a47d7ff36064cab056d56dca4c466b4e98b331e4aed1d7aee2790cb9a94b1793.bin.dll
Size

190KB
MD5

b1df6d854a85cc516b17c297e52961c7
SHA1

b63cca38c6d715f7614f4bce1dcca60585e90731
SHA256

a47d7ff36064cab056d56dca4c466b4e98b331e4aed1d7aee2790cb9a94b1793
SHA512

472f4370e311b56db229f212f122dd925294462f5d265eed4f711fcc2e2058ca47caa031010732c3156326ee29b2d0e41d7154b389d8b345ce0f0b05db6fc05e

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- ooLEtq4RnoPZKxjArSg5my0k0vHQzC8h1DBCAikd1bSNyAhPoVlG2ENp7yAKbWbo ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ReceiveRequest.tiff => C:\Users\Admin\Pictures\ReceiveRequest.tiff.GPCEL	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\WaitRequest.png => C:\Users\Admin\Pictures\WaitRequest.png.GPCEL	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\CompareStop.raw => C:\Users\Admin\Pictures\CompareStop.raw.GPCEL	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ConnectShow.png => C:\Users\Admin\Pictures\ConnectShow.png.GPCEL	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\DebugUninstall.tif => C:\Users\Admin\Pictures\DebugUninstall.tif.GPCEL	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\PushPublish.raw => C:\Users\Admin\Pictures\PushPublish.raw.GPCEL	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRequest.tiff	regsvr32.exe

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150150.WMF	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107658.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01166_.WMF	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGLISH.LNG	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00006_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.CMP	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado20.tlb	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01178_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama	regsvr32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239935.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe
1636	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27
PID 1648 wrote to memory of 1636	1648	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a47d7ff36064cab056d56dca4c466b4e98b331e4aed1d7aee2790cb9a94b1793.bin.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\a47d7ff36064cab056d56dca4c466b4e98b331e4aed1d7aee2790cb9a94b1793.bin.dll
  2⤵
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-56-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1648-54-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

Filesize
8KB

Download