Analysis

  • max time kernel
    159s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-02-2022 19:52

General

  • Target

    eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe

  • Size

    76KB

  • MD5

    f34052fe70c4ec35899aeaee7386f2e0

  • SHA1

    57b6cd016c158e15736969d63d8626af4b483d8d

  • SHA256

    eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371

  • SHA512

    478f0974ad408258f784fc897f9af76c3d37603b8cfd048132f13281ddf70fb60ded1b6f4b6d4a997b6ff71ed3be68f0659e35ed50ddefd0020a4634303bca13

Score
10/10

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- LBCiop0VqOZuBBpA5nE826srUH9zTB8NeLk9dWX69K4nuopOjult1Wz9EY5DwmXn ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Drops desktop.ini file(s) (3 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (45 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe
    "C:\Users\Admin\AppData\Local\Temp\eacaab8d6520c9bf9dec6cbdffa7c4ad8c15fd57dd4165cf895a0aaae3ffe371.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:508
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3716

Network

MITRE ATT&CK Enterprise v6
