Analysis

  • max time kernel
    163s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 04:24

General

  • Target

    b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll

  • Size

    217KB

  • MD5

    ea4d8599ea2cafab27e0a55063d1fd0a

  • SHA1

    421eadd117fc3a745a1c65d96b4423375913ca47

  • SHA256

    b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9

  • SHA512

    615cd31950b24d87e284b69e323148134d788ad6f87310a685736fad43d241ad78045f56dc160edec7f2b50bf99a8674b4b29644d3d616cdc8919c67d0163ee7

Score
10/10

Malware Config

Extracted

  • Path

    C:\readme.txt

  • Family

    conti

  • Ransom Note

    All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/lKxEJX4VWke6QNC7FFBmIXBMfS2ZbsYUE6bXeAejZHzF0myfRttss1O62ON5EHZe YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- lKxEJX4VWke6QNC7FFBmIXBMfS2ZbsYUE6bXeAejZHzF0myfRttss1O62ON5EHZe ---END ID---

  • URLs

    http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/lKxEJX4VWke6QNC7FFBmIXBMfS2ZbsYUE6bXeAejZHzF0myfRttss1O62ON5EHZe

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:268

Network

MITRE ATT&CK Matrix

Downloads

  • memory/268-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

    Filesize

    8KB