Analysis

  • max time kernel
    156s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 04:24

General

  • Target

    afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll

  • Size

    741KB

  • MD5

    ecddcd31562620ef7b2547b98e27c29e

  • SHA1

    e39bffe4dd0c9427c4a9e93f8040dd816aecba5c

  • SHA256

    afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce

  • SHA512

    ee3727e828982ad4c6ae33ed2fca23ebf3c9135471d1922a3c15d6bdcd489bf528af4d2911239444666d2e341a9ab6782eec6c357ac2f64f14b1d5bad741fe4f

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/6gWoBbavBj4ezI9TljI0sgPxGfyUWuUCPVqXxUShAFvPm8CG3fFzPBsjBr10Wliv YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 6gWoBbavBj4ezI9TljI0sgPxGfyUWuUCPVqXxUShAFvPm8CG3fFzPBsjBr10Wliv ---END ID---
URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/6gWoBbavBj4ezI9TljI0sgPxGfyUWuUCPVqXxUShAFvPm8CG3fFzPBsjBr10Wliv

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 25 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3412-118-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB