Overview
Analysis
- max time kernel: 156s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 04:24
Tasks
- Static task static1
- Behavioral task behavioral1: sample 8b26138a0e371f06fb51679c8d89f661c6ace3d35a90e569887a1b14ac5938e7.exe, resource win7-en-20211208
- Behavioral task behavioral2: sample 8b26138a0e371f06fb51679c8d89f661c6ace3d35a90e569887a1b14ac5938e7.exe, resource win10-en-20211208
- Behavioral task behavioral3: sample afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll, resource win7-en-20211208
- Behavioral task behavioral4: sample afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll, resource win10-en-20211208
- Behavioral task behavioral5: sample b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll, resource win7-en-20211208
- Behavioral task behavioral6: sample b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll, resource win10-en-20211208
- Behavioral task behavioral7: sample c57d20e273337da5239f1573212adc60eacf470873e67ea135508c7c749da37b.exe, resource win7-en-20211208
- Behavioral task behavioral8: sample c57d20e273337da5239f1573212adc60eacf470873e67ea135508c7c749da37b.exe, resource win10-en-20211208
General
- Target: afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll
- Size: 741KB
- MD5: ecddcd31562620ef7b2547b98e27c29e
- SHA1: e39bffe4dd0c9427c4a9e93f8040dd816aecba5c
- SHA256: afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce
- SHA512: ee3727e828982ad4c6ae33ed2fca23ebf3c9135471d1922a3c15d6bdcd489bf528af4d2911239444666d2e341a9ab6782eec6c357ac2f64f14b1d5bad741fe4f
Malware Config
Extracted from: C:\readme.txt
- Family: conti
- URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/6gWoBbavBj4ezI9TljI0sgPxGfyUWuUCPVqXxUShAFvPm8CG3fFzPBsjBr10Wliv
Signatures
- Conti Ransomware: ransomware generally thought to be a successor to Ryuk.
- Modifies extensions of user files (10 IoCs): ransomware generally changes the extension on encrypted files.
  Process: regsvr32.exe
  - File renamed: C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.TOSQG
  - File opened for modification: C:\Users\Admin\Pictures\SearchSync.tiff
  - File renamed: C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.TOSQG
  - File opened for modification: C:\Users\Admin\Pictures\InvokePush.tiff
  - File renamed: C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.TOSQG
  - File renamed: C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.TOSQG
  - File renamed: C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.TOSQG
  - File renamed: C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.TOSQG
  - File renamed: C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.TOSQG
  - File renamed: C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.TOSQG
- Drops desktop.ini file(s) (31 IoCs)
  Process: regsvr32.exe
- Drops file in Program Files directory (64 IoCs)
  Process: regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: regsvr32.exe, PID 1668 (all 64 events)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Process: PID 1724 (regsvr32.exe) wrote to memory of target PID 1668 (regsvr32.exe), recorded 7 times
Processes
- C:\Windows\system32\regsvr32.exe (PID 1724)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1668, child of PID 1724)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses