Overview

overview

10

Static

static

64f1a2e5f5...c5.exe

windows7_x64

10

64f1a2e5f5...c5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64f1a2e5f52292fba8f64a851c466d558f1607cac783f30015f6df9e0dbce1c5.exe

  • Size

    185KB

  • MD5

    3a3001ecddb08440a659d49e4e29a697

  • SHA1

    124d9ce50a4b0dfa0b150b44c77c85cd2589148c

  • SHA256

    64f1a2e5f52292fba8f64a851c466d558f1607cac783f30015f6df9e0dbce1c5

  • SHA512

    5b08e11eded00c94995c7d1d3e3ad195461dbe978618cdc638099dec8d52d39874b48cdfd4798ad82d3f3dc5cfaa4b5196c127c51a77779e20d6558a46f3275f

Score
10/10
contiransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- uG6KnsfcpKif5pdzeNG1nEacrfgfoJGhcGpa2cKwifp06Cr9jfTQdRHyOpquKrZU ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.best

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f1a2e5f52292fba8f64a851c466d558f1607cac783f30015f6df9e0dbce1c5.exe
    "C:\Users\Admin\AppData\Local\Temp\64f1a2e5f52292fba8f64a851c466d558f1607cac783f30015f6df9e0dbce1c5.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D84F5DF-167E-44BC-B65F-610B82C3B339}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads