Analysis

max time kernel: 152s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 04:24
Static task: static1

Behavioral tasks (task | sample | resource):
behavioral1 | 8b26138a0e371f06fb51679c8d89f661c6ace3d35a90e569887a1b14ac5938e7.exe | win7-en-20211208
behavioral2 | 8b26138a0e371f06fb51679c8d89f661c6ace3d35a90e569887a1b14ac5938e7.exe | win10-en-20211208
behavioral3 | afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll | win7-en-20211208
behavioral4 | afc65cb796c07fb38254e466b2eea7e395c44341aee475cfbce0a5e2ac45b5ce.dll | win10-en-20211208
behavioral5 | b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll | win7-en-20211208
behavioral6 | b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll | win10-en-20211208
behavioral7 | c57d20e273337da5239f1573212adc60eacf470873e67ea135508c7c749da37b.exe | win7-en-20211208
behavioral8 | c57d20e273337da5239f1573212adc60eacf470873e67ea135508c7c749da37b.exe | win10-en-20211208
General

The remainder of this report covers the b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll sample run on win10-en-20211208 (windows10_x64), i.e. behavioral6 above.

Target: b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll
Size: 217KB
MD5: ea4d8599ea2cafab27e0a55063d1fd0a
SHA1: 421eadd117fc3a745a1c65d96b4423375913ca47
SHA256: b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9
SHA512: 615cd31950b24d87e284b69e323148134d788ad6f87310a685736fad43d241ad78045f56dc160edec7f2b50bf99a8674b4b29644d3d616cdc8919c67d0163ee7
Malware Config

The configuration was extracted from the ransom note the sample drops at the root of the system drive; the only configuration item is the Tor (.onion) contact URL the note points victims to.

Extracted from: C:\readme.txt
Family: conti
URL: http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/lKxEJX4VWke6QNC7FFBmIXBMfS2ZbsYUE6bXeAejZHzF0myfRttss1O62ON5EHZe
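When triaging a note like the one extracted above, the first thing to check is that the contact address is a well-formed Tor v3 onion address (56 base32 characters encoding a 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 3) rather than a typo or a decoy, and to separate the host from the per-note path. The following is an added example written for this page, not code from the sandbox or from the sample; the note text it scans is constructed and is not the readme.txt the sandbox extracted, though the URL in it is the one shown in the Malware Config section.

```python
import base64
import hashlib
import re

# Tor v3 onion address = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 3
ONION_URL_RE = re.compile(r"(?:https?://)?\b([a-z2-7]{56})\.onion\b(/[^\s<>\"']*)?", re.IGNORECASE)


def _v3_checksum(pubkey, version=3):
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def is_valid_v3_onion(label):
    """Check length, base32 alphabet, version byte and checksum of the 56-char label."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label, casefold=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != 35:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == _v3_checksum(pubkey, version)


def make_v3_onion(pubkey):
    """Build a valid label from a 32-byte key; used only to self-test the validator."""
    assert len(pubkey) == 32
    return base64.b32encode(pubkey + _v3_checksum(pubkey) + b"\x03").decode().lower()


def extract_onion_urls(text):
    """One record per .onion URL in the text: host, path (the per-note part), checksum result."""
    found = []
    for m in ONION_URL_RE.finditer(text):
        label = m.group(1).lower()
        found.append({"host": label + ".onion", "path": m.group(2) or "", "valid": is_valid_v3_onion(label)})
    return found


# Constructed note text for this example (not the sandbox's readme.txt); the URL is from the report.
SAMPLE_NOTE = """Your files are encrypted.
Open this link in the Tor browser to contact us:
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/lKxEJX4VWke6QNC7FFBmIXBMfS2ZbsYUE6bXeAejZHzF0myfRttss1O62ON5EHZe
"""

if __name__ == "__main__":
    for rec in extract_onion_urls(SAMPLE_NOTE):
        print(rec)
```

The checksum test matters because a note can carry a look-alike address that a regex alone accepts; the version byte and SHA3 checksum are what the Tor client itself verifies before connecting. The path component is what distinguishes one note from another and should be recorded alongside the host rather than discarded.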
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files. In this run the appended extension is .YHXCK; treat it as an indicator for this sample rather than for the family, since the extension is not fixed across Conti builds.
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\EnterProtect.tiff | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\EnterProtect.tiff => C:\Users\Admin\Pictures\EnterProtect.tiff.YHXCK | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\GroupUndo.png => C:\Users\Admin\Pictures\GroupUndo.png.YHXCK | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\PublishBlock.png => C:\Users\Admin\Pictures\PublishBlock.png.YHXCK | regsvr32.exe
File renamed | C:\Users\Admin\Pictures\SendUpdate.raw => C:\Users\Admin\Pictures\SendUpdate.raw.YHXCK | regsvr32.exe
Drops desktop.ini file(s) (24 IoCs)
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | regsvr32.exe
Drops file in Program Files directory (64 IoCs)
Processes: regsvr32.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\calendars.properties | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\GroupConfirm.pcx | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\uninstall.log | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\FormatAdd.xps | regsvr32.exe
File created | C:\Program Files\Internet Explorer\en-US\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\7-Zip\readme.txt | regsvr32.exe
File created | C:\Program Files (x86)\Common Files\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\release | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\InstallRestart.vsdx | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml | regsvr32.exe
File created | C:\Program Files (x86)\Internet Explorer\en-US\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msado28.tlb | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jawt.h | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: regsvr32.exe
pid | process
3116 | regsvr32.exe (the same PID for all 64 events)
Processes

C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b909f69f36244617ab5fc0c2d80466daf4eea3c0e85aab5060ca7f1a122758a9.dll
PID: 3116
Signatures triggered:
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses

regsvr32 /s loads the DLL and calls its DllRegisterServer export with message boxes suppressed; the sample runs entirely inside that one regsvr32.exe process (PID 3116), and no child process is spawned. Detection therefore has to key on regsvr32 loading a DLL from a user-writable path (here AppData\Local\Temp) and on the file activity that follows, not on the process name alone.