Overview

overview

10

Static

static

v2.exe

windows7_x64

10

v2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    69s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-01-2022 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    v2.exe

  • Size

    170KB

  • MD5

    6432b67fb54be5748571aba7b7cf3213

  • SHA1

    6a17b61b7ed2b12ca424a88b3828a0b70855626a

  • SHA256

    bc87bb72ce1ab19b2cff617a894fc1acf30bd3f9d2994235189ca8e5057fb354

  • SHA512

    59646b41a47f2086ee1f47b0e3c7fb31752447364ffd7335cff2b4d09213be02d5758c15d4d86eb5109b45b112d9b3e38a64c55440039838623d552753548753

Score
10/10
contiransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5 ---END ID---
URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3812
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3292
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3116

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads