Resubmissions

27-01-2022 18:30

220127-w5lsfshfb8 10

27-01-2022 18:25

220127-w2vwysghbr 10

27-01-2022 18:21

220127-wzqjfshef7 8

Analysis

  • max time kernel
    90s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 18:30

General

  • Target

    2f76c2801b2bac498e94d68e99117c5367af97e0.dll

  • Size

    678KB

  • MD5

    7ff8505ce55eaf44baf843d3683c5e39

  • SHA1

    2f76c2801b2bac498e94d68e99117c5367af97e0

  • SHA256

    5e54dfc50c22a8cd92c5d05598bbafc75b999b93224d900017b892a4d9f22077

  • SHA512

    bf51272fcf62d9ed3d33718cb1fb707794680b65ea9dcd22f5b5cb28441e7b2423d6bfe43407b2adf4556a88058b5fbc757da6e961d57d34003f15548d2628f0

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/8LijJVnUPEWEaSDvo6Ho56xzmhj8AwiSqncJYX3Hhd3hLoOajUpUdvIF4GHP69AP YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 8LijJVnUPEWEaSDvo6Ho56xzmhj8AwiSqncJYX3Hhd3hLoOajUpUdvIF4GHP69AP ---END ID---
URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/8LijJVnUPEWEaSDvo6Ho56xzmhj8AwiSqncJYX3Hhd3hLoOajUpUdvIF4GHP69AP

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 25 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f76c2801b2bac498e94d68e99117c5367af97e0.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\2f76c2801b2bac498e94d68e99117c5367af97e0.dll
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1956
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3472
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2160
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\1361672858.pri

    MD5

    050f862ebe4280881ec261b7de17a5eb

    SHA1

    f88837dcc7727abd92298f2868a4e603e36dd4ae

    SHA256

    5a9ee4039e88417093c55cfb4c7b7aea8c5f09695a111fd1c2a78b170536afb4

    SHA512

    b77852e2179808744c1d0234d93f6a11dc7c1b74f2f2951af6b21bce10a0fba95b643af159c64ab3168074855cd26aa30aa625a8363f69b1dd98ca49c90b14b3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\97717462.pri

    MD5

    b6001b9e5fc5c3d537375f572212762b

    SHA1

    f03b0351d2730994e847d9afcf118395c331e400

    SHA256

    0ee6fb6ae927f06a3f74721d0a2be1d7b2158e171e9d32b68747121054e7f910

    SHA512

    918db362fd4f49d8720c34299dcc1f119bc7a0981f48d9939fcad29e14c58262daab23a131cd386437587bf8084a1dce43a58218dec757074e0004794db1129b

  • C:\Users\Public\Desktop\readme.txt

    MD5

    88bdb9eca36eab3488a6b2d0d438649a

    SHA1

    b3d2cf9f51684391fa7e588d3c57b717fcde3b58

    SHA256

    0f0a21dc72dac030b89d30ec2f2d078efac053e5b2ecaab4be843d35a0721121

    SHA512

    8bcaab91cef1c4a1135a27a32f55b34c2d2d16dad483f1a8ca02f51ee50f739d4335bdaa5ccc64f247926f33b715092672bfa1d346192775d2c5964afa7f7e87

  • memory/1956-183-0x0000000010000000-0x00000000100D3000-memory.dmp

    Filesize

    844KB