conti | 41324493142b10db127217274e21df37f6ccd13f01a8d29d2b23b7b1463423a7

Resubmissions

08/02/2023, 16:39

230208-t5xtlscc4z 10

02/03/2022, 15:02

220302-sefxqsghhm 10

Analysis

max time kernel
89s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64.dll
Size

929KB
MD5

d69589f5bd6c3c799be2d2fd2b718af1
SHA1

1c68264c9b7b4fef73cc231b944388b4abaa1962
SHA256

41324493142b10db127217274e21df37f6ccd13f01a8d29d2b23b7b1463423a7
SHA512

b7fd1f2d6aa4d541d023035913a649ca6f1c6beb3f4c6fce890cc511a08c901479f767164c20dc9cd5826dc7a8dcf47db0c813485aeffced17f55a2a06f4d392
SSDEEP

24576:GIZUIILUDJre+i4V7VywmxqKaH1S2Jl7SPFL3EOGTWqG5QVEzAJ24GOy2ipM8+ku:Z4oNe+i4V7VrmxqKaH1S237SPFL3EOGz

Score

10^/10

conti ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/vVkTIwyrJF8FbLfvH4LNgCBIITvprltAkaGVrmoGkJq5ExpGS7eYQ3Mi1AOkkve6 YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- vVkTIwyrJF8FbLfvH4LNgCBIITvprltAkaGVrmoGkJq5ExpGS7eYQ3Mi1AOkkve6 ---END ID---

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/vVkTIwyrJF8FbLfvH4LNgCBIITvprltAkaGVrmoGkJq5ExpGS7eYQ3Mi1AOkkve6

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StepWait.crw => C:\Users\Admin\Pictures\StepWait.crw.FHTCY	regsvr32.exe
File renamed	C:\Users\Admin\Pictures\SyncEnable.tif => C:\Users\Admin\Pictures\SyncEnable.tif.FHTCY	regsvr32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	regsvr32.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\ui-strings.js	regsvr32.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons_retina.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-sl\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons2x.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft\Edge\readme.txt	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe
4372	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\64.dll
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4372-132-0x0000000180000000-0x000000018003B000-memory.dmp

Filesize
236KB

Download
memory/4372-133-0x0000000180000000-0x000000018003B000-memory.dmp

Filesize
236KB

Download
memory/4372-134-0x0000000180000000-0x000000018003B000-memory.dmp

Filesize
236KB

Download
memory/4372-135-0x0000000180000000-0x000000018003B000-memory.dmp

Filesize
236KB

Download