conti | 8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990

Analysis

max time kernel
192s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
27-03-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
Size

557KB
MD5

c2fba37cf1416e0f9b29b8fbd54d5374
SHA1

3761b6fe71d30ba3a2c9dfd87de851da4158f144
SHA256

8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990
SHA512

405648da26330a273a21de4fe6427610028e47cebf03bd143f78da9c02dd07347ffae418d29e1968606c51bfac57ecb34f872187559e2804e1f00fe1f76615a8

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/dbhpSXxriapOZ0CtZJlI0jCeyittNdeDJOP0RrdpQmC5cYmmKmIP6dxY927fYDZS YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/dbhpSXxriapOZ0CtZJlI0jCeyittNdeDJOP0RrdpQmC5cYmmKmIP6dxY927fYDZS

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\CheckpointInitialize.vst	regsvr32.exe
File opened for modification	C:\Program Files\SelectNew.mpe	regsvr32.exe
File opened for modification	C:\Program Files\SplitRename.AAC	regsvr32.exe
File opened for modification	C:\Program Files\ResetJoin.mhtml	regsvr32.exe
File opened for modification	C:\Program Files\CheckpointSync.au3	regsvr32.exe
File opened for modification	C:\Program Files\EnterUnblock.avi	regsvr32.exe
File opened for modification	C:\Program Files\ExpandWatch.m3u	regsvr32.exe
File opened for modification	C:\Program Files\InitializeUndo.xls	regsvr32.exe
File opened for modification	C:\Program Files\PingSplit.jpeg	regsvr32.exe
File opened for modification	C:\Program Files\PushConnect.asp	regsvr32.exe
File opened for modification	C:\Program Files\RegisterGroup.eps	regsvr32.exe
File opened for modification	C:\Program Files\ResumeDisable.mpa	regsvr32.exe
File opened for modification	C:\Program Files\RevokeUnprotect.scf	regsvr32.exe
File opened for modification	C:\Program Files\CopyStart.odt	regsvr32.exe
File opened for modification	C:\Program Files\DenySend.emf	regsvr32.exe
File opened for modification	C:\Program Files\InstallReset.tiff	regsvr32.exe
File opened for modification	C:\Program Files\OutUninstall.vdx	regsvr32.exe
File opened for modification	C:\Program Files\RevokeWatch.docx	regsvr32.exe
File created	C:\Program Files\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\DisableEdit.pps	regsvr32.exe
File opened for modification	C:\Program Files\EditMount.png	regsvr32.exe
File opened for modification	C:\Program Files\MountStep.vdx	regsvr32.exe
File opened for modification	C:\Program Files\ResizeRestore.jtx	regsvr32.exe
File opened for modification	C:\Program Files\ShowSkip.iso	regsvr32.exe
File opened for modification	C:\Program Files\StartDeny.vbe	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4820	regsvr32.exe
4820	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4820	4544	regsvr32.exe	78
PID 4544 wrote to memory of 4820	4544	regsvr32.exe	78
PID 4544 wrote to memory of 4820	4544	regsvr32.exe	78
PID 4820 wrote to memory of 3896	4820	regsvr32.exe	81
PID 4820 wrote to memory of 3896	4820	regsvr32.exe	81
PID 4820 wrote to memory of 3896	4820	regsvr32.exe	81
PID 3896 wrote to memory of 4316	3896	cmd.exe	83
PID 3896 wrote to memory of 4316	3896	cmd.exe	83
PID 3896 wrote to memory of 4316	3896	cmd.exe	83
PID 4316 wrote to memory of 4000	4316	net.exe	84
PID 4316 wrote to memory of 4000	4316	net.exe	84
PID 4316 wrote to memory of 4000	4316	net.exe	84
PID 4820 wrote to memory of 1156	4820	regsvr32.exe	85
PID 4820 wrote to memory of 1156	4820	regsvr32.exe	85
PID 4820 wrote to memory of 1156	4820	regsvr32.exe	85
PID 1156 wrote to memory of 736	1156	cmd.exe	87
PID 1156 wrote to memory of 736	1156	cmd.exe	87
PID 1156 wrote to memory of 736	1156	cmd.exe	87
PID 736 wrote to memory of 4768	736	net.exe	88
PID 736 wrote to memory of 4768	736	net.exe	88
PID 736 wrote to memory of 4768	736	net.exe	88
PID 4820 wrote to memory of 540	4820	regsvr32.exe	89
PID 4820 wrote to memory of 540	4820	regsvr32.exe	89
PID 4820 wrote to memory of 540	4820	regsvr32.exe	89
PID 540 wrote to memory of 3712	540	cmd.exe	91
PID 540 wrote to memory of 3712	540	cmd.exe	91
PID 540 wrote to memory of 3712	540	cmd.exe	91
PID 3712 wrote to memory of 228	3712	net.exe	92
PID 3712 wrote to memory of 228	3712	net.exe	92
PID 3712 wrote to memory of 228	3712	net.exe	92
PID 4820 wrote to memory of 4024	4820	regsvr32.exe	93
PID 4820 wrote to memory of 4024	4820	regsvr32.exe	93
PID 4820 wrote to memory of 4024	4820	regsvr32.exe	93
PID 4024 wrote to memory of 3776	4024	cmd.exe	95
PID 4024 wrote to memory of 3776	4024	cmd.exe	95
PID 4024 wrote to memory of 3776	4024	cmd.exe	95
PID 3776 wrote to memory of 1844	3776	net.exe	96
PID 3776 wrote to memory of 1844	3776	net.exe	96
PID 3776 wrote to memory of 1844	3776	net.exe	96
PID 4820 wrote to memory of 2336	4820	regsvr32.exe	97
PID 4820 wrote to memory of 2336	4820	regsvr32.exe	97
PID 4820 wrote to memory of 2336	4820	regsvr32.exe	97
PID 2336 wrote to memory of 2656	2336	cmd.exe	99
PID 2336 wrote to memory of 2656	2336	cmd.exe	99
PID 2336 wrote to memory of 2656	2336	cmd.exe	99
PID 2656 wrote to memory of 2344	2656	net.exe	100
PID 2656 wrote to memory of 2344	2656	net.exe	100
PID 2656 wrote to memory of 2344	2656	net.exe	100
PID 4820 wrote to memory of 3868	4820	regsvr32.exe	101
PID 4820 wrote to memory of 3868	4820	regsvr32.exe	101
PID 4820 wrote to memory of 3868	4820	regsvr32.exe	101
PID 3868 wrote to memory of 4540	3868	cmd.exe	103
PID 3868 wrote to memory of 4540	3868	cmd.exe	103
PID 3868 wrote to memory of 4540	3868	cmd.exe	103
PID 4540 wrote to memory of 4960	4540	net.exe	104
PID 4540 wrote to memory of 4960	4540	net.exe	104
PID 4540 wrote to memory of 4960	4540	net.exe	104
PID 4820 wrote to memory of 3756	4820	regsvr32.exe	105
PID 4820 wrote to memory of 3756	4820	regsvr32.exe	105
PID 4820 wrote to memory of 3756	4820	regsvr32.exe	105
PID 3756 wrote to memory of 2908	3756	cmd.exe	107
PID 3756 wrote to memory of 2908	3756	cmd.exe	107
PID 3756 wrote to memory of 2908	3756	cmd.exe	107
PID 2908 wrote to memory of 3596	2908	net.exe	108

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8fd7c81d43f8469246321a90b8d4f7f7fd72beb01105241536f9a058f4a7f990.dll
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Backup Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Backup Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
        5⤵
        
        PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop "SQLsafe Filter Service" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\net.exe
      net stop "SQLsafe Filter Service" /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
        5⤵
        
        PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSOLAP$SQL_2008 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\net.exe
      net stop MSOLAP$SQL_2008 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
        5⤵
        
        PID:228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$BKUPEXEC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$BKUPEXEC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
        5⤵
        
        PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$ECWDB2 /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$ECWDB2 /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
        5⤵
        
        PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTICEMGT /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTICEMGT /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
        5⤵
        
        PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PRACTTICEBGC /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PRACTTICEBGC /y
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
        5⤵
        
        PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$PROFXENGAGEMENT /y
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$PROFXENGAGEMENT /y
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
        5⤵
        
        PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SBSMONITORING /y
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SBSMONITORING /y
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
        5⤵
        
        PID:600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SHAREPOINT /y
    3⤵
    PID:3260
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SHAREPOINT /y
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
        5⤵
        
        PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SQL_2008 /y
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SQL_2008 /y
      4⤵
      PID:3396
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
        5⤵
        
        PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$SYSTEM_BGC /y
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$SYSTEM_BGC /y
      4⤵
      PID:3252
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
        5⤵
        
        PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPS /y
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPS /y
      4⤵
      PID:4780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPS /y
        5⤵
        
        PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$TPSAMA /y
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$TPSAMA /y
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
        5⤵
        
        PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2008R2 /y
    3⤵
    PID:3104
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2008R2 /y
      4⤵
      PID:656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
        5⤵
        
        PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQL$VEEAMSQL2012 /y
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQL$VEEAMSQL2012 /y
      4⤵
      PID:1332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
        5⤵
        
        PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop MSSQLSERVER /y
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\net.exe
      net stop MSSQLSERVER /y
      4⤵
      PID:4692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLSERVER /y
        5⤵
        
        PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLBrowser /y
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLBrowser /y
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser /y
        5⤵
        
        PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net stop SQLWriter /y
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\net.exe
      net stop SQLWriter /y
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter /y
        5⤵
        
        PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4820-125-0x0000000000650000-0x000000000067D000-memory.dmp

Filesize
180KB

Download