conti | 4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce

Analysis

max time kernel
125s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce.dll
Size

212KB
MD5

6e169583dad1106fb369fd9b6ebc0beb
SHA1

c4bc5650e26855bc7b54da693ffbbb90c088268e
SHA256

4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce
SHA512

11c62dec0223d7249fe8f5b2716582703fe9c052d80772358c8b0f3aa27607940f446fc7146731a9f7a8e14541ee3b99848db7679199ab96d948c0c0a079aa3d
SSDEEP

3072:9qKXlgNpgKCfzCLfDLG9dRdHkWqmXKipBAI/xRfvDMTo2tc:zKgVfGLfPG9dE4pBAoxuc

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- g1lTzZjVPrqCZPVYj1UwpeupnaGidaVdVAVF8QyXhd5MeNX2bcl2zZYyzkMNUVUh ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DismountOpen.raw => C:\Users\Admin\Pictures\DismountOpen.raw.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tif => C:\Users\Admin\Pictures\EnableAssert.tif.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\GrantLimit.raw => C:\Users\Admin\Pictures\GrantLimit.raw.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UnregisterAssert.tif => C:\Users\Admin\Pictures\UnregisterAssert.tif.YXFDC	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.YXFDC	regsvr32.exe

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\16ZRL8F2\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YZA8LC25\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NFAXYLRV\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G2GR9E4N\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01044_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00253_.WMF	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml	regsvr32.exe
File created	C:\Program Files\Java\jre7\lib\security\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	regsvr32.exe
File opened for modification	C:\Program Files\UndoMove.xltx	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02950_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00017_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.DPV	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\readme.txt	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01252_.WMF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG	regsvr32.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\readme.txt	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe
1288	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce.dll
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-54-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download