Analysis
max time kernel: 69s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20-01-2022 10:21
Static task: static1
Behavioral task: behavioral1 (Sample: v2.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: v2.exe, Resource: win10v2004-en-20220113)
General
Target: v2.exe
Size: 170KB
MD5: 6432b67fb54be5748571aba7b7cf3213
SHA1: 6a17b61b7ed2b12ca424a88b3828a0b70855626a
SHA256: bc87bb72ce1ab19b2cff617a894fc1acf30bd3f9d2994235189ca8e5057fb354
SHA512: 59646b41a47f2086ee1f47b0e3c7fb31752447364ffd7335cff2b4d09213be02d5758c15d4d86eb5109b45b112d9b3e38a64c55440039838623d552753548753
Malware Config
Extracted from: C:\readme.txt
Family: conti
URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/jehZ00C9PrzdBeD0vmBk8EYUAmCctYHBJazVJraQGUMWmkWoaDUcndRgCHzKGsz5
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.

description | ioc | process
File renamed | C:\Users\Admin\Pictures\GrantLock.crw => C:\Users\Admin\Pictures\GrantLock.crw.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\GroupFind.crw => C:\Users\Admin\Pictures\GroupFind.crw.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\MountJoin.png => C:\Users\Admin\Pictures\MountJoin.png.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\RemoveDisable.png => C:\Users\Admin\Pictures\RemoveDisable.png.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\SelectRepair.tif => C:\Users\Admin\Pictures\SelectRepair.tif.SQYZO | v2.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterUse.tiff | v2.exe
File renamed | C:\Users\Admin\Pictures\UnregisterUse.tiff => C:\Users\Admin\Pictures\UnregisterUse.tiff.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\ConnectSet.tif => C:\Users\Admin\Pictures\ConnectSet.tif.SQYZO | v2.exe
Drops desktop.ini file(s) (24 IoCs)

description | ioc | process
File opened for modification | C:\Users\Admin\Videos\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | v2.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | v2.exe
File opened for modification | C:\Program Files\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | v2.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | v2.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | process
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\readme.txt | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Mozilla Firefox\precomplete | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | v2.exe
File created | C:\Program Files\Internet Explorer\SIGNUP\readme.txt | v2.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\readme.txt | v2.exe
File created | C:\Program Files\Microsoft Office\root\Client\readme.txt | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\sqlxmlx.rll | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF | v2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms | v2.exe
File created | C:\Program Files (x86)\Google\readme.txt | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | v2.exe
File created | C:\Program Files\Internet Explorer\es-ES\readme.txt | v2.exe
File opened for modification | C:\Program Files\Internet Explorer\images\bing.ico | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms | v2.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\readme.txt | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms | v2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | v2.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\NOTICE | v2.exe
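The three file-activity tables above carry the whole encryption story: user files are opened for modification and then renamed with an appended extension (.SQYZO in this run, see UnregisterUse.tiff, which appears first as "opened for modification" and then as a rename), the same readme.txt is created in directory after directory, and existing files under Program Files are rewritten in place. The "Drops file in Program Files directory" table therefore mixes two different events, ransom-note creation (the File created rows) and encryption of installed software's files (the File opened for modification rows). The following Python is an added example, not part of the sandbox report and not Conti's code: it parses rows in the "description | ioc | process" shape used above and reduces them to the two findings an analyst wants, the appended extension and the ransom-note name with how widely it was dropped. The input is a constructed subset of the rows copied from this report; the thresholds (min_renames, min_note_dirs) are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed input: a subset of rows copied from the IoC tables in this report,
# in "description | ioc | process" form. Not the full 64-row Program Files table.
SAMPLE_ROWS = r"""
File renamed | C:\Users\Admin\Pictures\GrantLock.crw => C:\Users\Admin\Pictures\GrantLock.crw.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\GroupFind.crw => C:\Users\Admin\Pictures\GroupFind.crw.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\MountJoin.png => C:\Users\Admin\Pictures\MountJoin.png.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\RemoveDisable.png => C:\Users\Admin\Pictures\RemoveDisable.png.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\SelectRepair.tif => C:\Users\Admin\Pictures\SelectRepair.tif.SQYZO | v2.exe
File opened for modification | C:\Users\Admin\Pictures\UnregisterUse.tiff | v2.exe
File renamed | C:\Users\Admin\Pictures\UnregisterUse.tiff => C:\Users\Admin\Pictures\UnregisterUse.tiff.SQYZO | v2.exe
File renamed | C:\Users\Admin\Pictures\ConnectSet.tif => C:\Users\Admin\Pictures\ConnectSet.tif.SQYZO | v2.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | v2.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | v2.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\readme.txt | v2.exe
File created | C:\Program Files\Internet Explorer\SIGNUP\readme.txt | v2.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\readme.txt | v2.exe
File created | C:\Program Files\Microsoft Office\root\Client\readme.txt | v2.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | v2.exe
"""


def parse_rows(text):
    """Split 'description | ioc | process' rows; renames become (old, new) path pairs."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 3:
            continue  # not a row in the expected shape
        description, ioc, process = parts
        old, new = ioc, None
        if description == "File renamed" and " => " in ioc:
            old, new = ioc.split(" => ", 1)
        rows.append({"description": description, "path": old,
                     "new_path": new, "process": process})
    return rows


def appended_extensions(rows):
    """Count the suffix each rename appends (new name == old name + suffix)."""
    counts = Counter()
    for r in rows:
        new = r["new_path"]
        if new and new.startswith(r["path"]) and len(new) > len(r["path"]):
            counts[new[len(r["path"]):]] += 1
    return counts


def ransom_note_drops(rows):
    """Map each created file name (lower-cased) to the set of directories it was created in."""
    drops = defaultdict(set)
    for r in rows:
        if r["description"] == "File created":
            p = PureWindowsPath(r["path"])
            drops[p.name.lower()].add(str(p.parent))
    return drops


def triage(text, min_renames=5, min_note_dirs=3):
    """Return findings when the rows look like a file-encrypting ransomware run.

    Thresholds are illustrative assumptions, not values from the report."""
    rows = parse_rows(text)
    findings = []
    for ext, n in appended_extensions(rows).most_common():
        if n >= min_renames:
            findings.append(f"{n} user files renamed with appended extension {ext}")
    for name, dirs in ransom_note_drops(rows).items():
        if len(dirs) >= min_note_dirs:
            findings.append(f"{name} created in {len(dirs)} directories (likely ransom note)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Run against the full tables from a report the same logic gives the extension and the note name directly, which is enough to write a file-system hunt (find files ending in the extension, find the note by name) without reading every row by hand.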
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | process
1296 | v2.exe
1296 | v2.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)

description | pid | process
Token: SeBackupPrivilege | 3292 | vssvc.exe
Token: SeRestorePrivilege | 3292 | vssvc.exe
Token: SeAuditPrivilege | 3292 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1272 | WMIC.exe
Token: SeSecurityPrivilege | 1272 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1272 | WMIC.exe
Token: SeLoadDriverPrivilege | 1272 | WMIC.exe
Token: SeSystemProfilePrivilege | 1272 | WMIC.exe
Token: SeSystemtimePrivilege | 1272 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1272 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1272 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1272 | WMIC.exe
Token: SeBackupPrivilege | 1272 | WMIC.exe
Token: SeRestorePrivilege | 1272 | WMIC.exe
Token: SeShutdownPrivilege | 1272 | WMIC.exe
Token: SeDebugPrivilege | 1272 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1272 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1272 | WMIC.exe
Token: SeUndockPrivilege | 1272 | WMIC.exe
Token: SeManageVolumePrivilege | 1272 | WMIC.exe
Token: 33 | 1272 | WMIC.exe
Token: 34 | 1272 | WMIC.exe
Token: 35 | 1272 | WMIC.exe
Token: 36 | 1272 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1272 | WMIC.exe
Token: SeSecurityPrivilege | 1272 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1272 | WMIC.exe
Token: SeLoadDriverPrivilege | 1272 | WMIC.exe
Token: SeSystemProfilePrivilege | 1272 | WMIC.exe
Token: SeSystemtimePrivilege | 1272 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1272 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1272 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1272 | WMIC.exe
Token: SeBackupPrivilege | 1272 | WMIC.exe
Token: SeRestorePrivilege | 1272 | WMIC.exe
Token: SeShutdownPrivilege | 1272 | WMIC.exe
Token: SeDebugPrivilege | 1272 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1272 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1272 | WMIC.exe
Token: SeUndockPrivilege | 1272 | WMIC.exe
Token: SeManageVolumePrivilege | 1272 | WMIC.exe
Token: 33 | 1272 | WMIC.exe
Token: 34 | 1272 | WMIC.exe
Token: 35 | 1272 | WMIC.exe
Token: 36 | 1272 | WMIC.exe
Suspicious use of WriteProcessMemory (4 IoCs)

description | pid | process | target process
PID 1296 wrote to memory of 3812 | 1296 | v2.exe | cmd.exe
PID 1296 wrote to memory of 3812 | 1296 | v2.exe | cmd.exe
PID 3812 wrote to memory of 1272 | 3812 | cmd.exe | WMIC.exe
PID 3812 wrote to memory of 1272 | 3812 | cmd.exe | WMIC.exe
Processes

C:\Users\Admin\AppData\Local\Temp\v2.exe (PID 1296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe (PID 3812, child of v2.exe)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wbem\WMIC.exe (PID 1272, child of cmd.exe)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 3292)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
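The process tree is the inhibit-recovery part of the run: v2.exe spawns cmd.exe /c, which spawns WMIC.exe to delete a single shadow copy by its ID, and vssvc.exe (the Volume Shadow Copy service) is the process that actually performs the deletion, which is why it shows up adjusting SeBackupPrivilege and SeRestorePrivilege. Because the command line is passed through cmd.exe, the same WMIC string appears on two processes (PIDs 3812 and 1272), so a command-line rule fires twice for one deletion; the parent chain is what ties both back to v2.exe. The following Python is an added example, not part of the report and not Conti's code: it runs shadow-copy-deletion detection (vssadmin, WMIC and the Win32_ShadowCopy PowerShell shapes, all MITRE ATT&CK T1490) over process-creation records of the kind Sysmon event 1 or an EDR supplies, walks the parent chain, and pulls the targeted shadow copy ID out of the command line. The events are constructed from this tree with the PIDs from the IoC tables; the parent PID of v2.exe is not in the report (0 stands in for unknown), and the benign vssadmin list shadows record with PID 4100 is hypothetical.

```python
import re
from dataclasses import dataclass

# Command-line shapes of the usual shadow-copy deletion one-liners (MITRE ATT&CK
# T1490). Matched case-insensitively anywhere in the line, so the "cmd.exe /c ..."
# wrapper used by this sample fires as well as the WMIC child itself.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I),
]

# The WMIC form in this report names one shadow copy: where "ID='{GUID}'" delete
SHADOW_ID_RE = re.compile(r"ID\s*=\s*'(\{[0-9A-Fa-f-]{36}\})'")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (what Sysmon event 1 or EDR telemetry gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; PIDs are those in the IoC tables.
SAMPLE_EVENTS = [
    # Parent PID of v2.exe is not in the report; 0 stands in for "unknown".
    ProcessEvent(1296, 0, r"C:\Users\Admin\AppData\Local\Temp\v2.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\v2.exe"'),
    ProcessEvent(3812, 1296, r"C:\Windows\SYSTEM32\cmd.exe",
                 r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete'''),
    ProcessEvent(1272, 3812, r"C:\Windows\System32\wbem\WMIC.exe",
                 r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{17C5A010-80A0-4F9A-836F-BFCB14B6316C}'" delete'''),
    # The VSS service is started by the system, not by the sample; its parent is not in the report.
    ProcessEvent(3292, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # Hypothetical benign record (PID made up): listing shadows is not deletion and must not fire.
    ProcessEvent(4100, 0, r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe list shadows"),
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line matches one of the known deletion shapes."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def shadow_copy_ids(cmdline: str) -> list:
    """Shadow copy GUIDs targeted explicitly (WMIC 'where ID=...' form); empty for bulk deletes."""
    return SHADOW_ID_RE.findall(cmdline)


def ancestry(events, pid):
    """Image base names from the root ancestor down to pid, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against PID reuse loops
        seen.add(pid)
        e = by_pid[pid]
        chain.append(e.image.rsplit("\\", 1)[-1])
        pid = e.ppid
    return list(reversed(chain))


def find_shadow_copy_deletions(events):
    """One hit per process whose command line deletes shadow copies, with its parent chain."""
    hits = []
    for e in events:
        if is_shadow_copy_deletion(e.cmdline):
            hits.append({"pid": e.pid, "chain": ancestry(events, e.pid),
                         "ids": shadow_copy_ids(e.cmdline)})
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(hit["pid"], " -> ".join(hit["chain"]), hit["ids"])
```

Two things to carry over into a production rule: match on the command line and not the image name, because the deletion here arrives wrapped in cmd.exe /c, and treat the chain rather than the individual process as the alert, or the same deletion will be counted once for cmd.exe and once for WMIC.exe.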