General

  • Target: x64.zip
  • Size: 93KB
  • Sample: 220225-qxpaqagcd3
  • MD5: aa4b5f6ca72888c44e66765398606707
  • SHA1: 632462b5969b79d43fd362f55b8f792148a8f51b
  • SHA256: e298d3e4ea2610e43eedcdc3171998943d645c187779f431424b7c0b39650d05
  • SHA512: cd36963e9fc252972514e2bc8e2de410f12aa710abdcc6b97dfecfb2e3afa759d6c1cd8584705c985581cedaf85400121b1d8948b0ae58c43593be555b07e598

Score: 10/10

Malware Config

Extracted

Path: C:\readme.txt

Family: conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/H41hybMsOg3lWAh49kvUfF75bvw1cHvsUDtTIE4VPHSkaS50OApsHlq7b9ytRKzc YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- H41hybMsOg3lWAh49kvUfF75bvw1cHvsUDtTIE4VPHSkaS50OApsHlq7b9ytRKzc ---END ID---
URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/H41hybMsOg3lWAh49kvUfF75bvw1cHvsUDtTIE4VPHSkaS50OApsHlq7b9ytRKzc

Targets

    • Target: x64.dll
    • Size: 217KB
    • MD5: ac6748ce106d8a640fd9b0767b5b54d5
    • SHA1: a73a4cbd118e9b88a3ce69bff6a35848a0c41def
    • SHA256: ae709940f51d9479a2006a194ca3938e938ab49b79675ff2679ec18f999f7c59
    • SHA512: 209e51bbe70965e9b50d027454d478fbd36344929edf69077cffc573485764d06ead40cf46a3ad06cf5c71d2303d6c69e3c98df5850c233a42f03e7b232a6901

    Score: 10/10
    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Drops desktop.ini file(s)
