Resubmissions
02-04-2023 18:02
230402-wmrkzsba5t 10Analysis
-
max time kernel
77s -
max time network
72s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
02-04-2023 18:02
Static task
static1
Behavioral task
behavioral1
Sample
Conti.exe
Resource
win10-20230220-en
windows10-1703-x64
12 signatures
150 seconds
General
-
Target
Conti.exe
-
Size
185KB
-
MD5
7076f9674bc42536d1e0e2ca80d1e4f6
-
SHA1
854485ee63e5a399fffe150f04cd038d6a5490ef
-
SHA256
ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124
-
SHA512
71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a
-
SSDEEP
3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\R3ADM3.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI ransomware.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
HTTPS VERSION :
https://contirecovery.info
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP.
---BEGIN ID---
V8gTskvaU8gGgzzk0qC2sM90noCXm1AgvCkADBk9JhxwjahEd2MSBLQ5sgBZOEkq
---END ID---
URLs
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.info
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\RevokePublish.crw => C:\Users\Admin\Pictures\RevokePublish.crw.UWTJF Conti.exe File renamed C:\Users\Admin\Pictures\SwitchSend.raw => C:\Users\Admin\Pictures\SwitchSend.raw.UWTJF Conti.exe File renamed C:\Users\Admin\Pictures\UnprotectSet.raw => C:\Users\Admin\Pictures\UnprotectSet.raw.UWTJF Conti.exe File renamed C:\Users\Admin\Pictures\UpdateOut.png => C:\Users\Admin\Pictures\UpdateOut.png.UWTJF Conti.exe File renamed C:\Users\Admin\Pictures\MoveCompress.png => C:\Users\Admin\Pictures\MoveCompress.png.UWTJF Conti.exe File renamed C:\Users\Admin\Pictures\ConvertLock.crw => C:\Users\Admin\Pictures\ConvertLock.crw.UWTJF Conti.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt Conti.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 32 IoCs
description ioc Process File opened for modification C:\Users\Public\Desktop\desktop.ini Conti.exe File opened for modification C:\Users\Public\Documents\desktop.ini Conti.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Conti.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini Conti.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Links\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Music\desktop.ini Conti.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini Conti.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Conti.exe File opened for modification C:\Users\Public\Music\desktop.ini Conti.exe File opened for modification C:\Users\Public\Videos\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Conti.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini Conti.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Conti.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Conti.exe File opened for modification C:\Users\Public\Libraries\desktop.ini Conti.exe File opened for modification C:\Program Files\desktop.ini Conti.exe File opened for modification C:\Program Files (x86)\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI Conti.exe File opened for modification C:\Users\Public\desktop.ini Conti.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini Conti.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Conti.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\is.txt Conti.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png Conti.exe File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms Conti.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.ELM Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\ui-strings.js Conti.exe File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png Conti.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar Conti.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms Conti.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\core_visualvm.jar Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT632.CNV Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation2x.png Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl Conti.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms Conti.exe File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\R3ADM3.txt Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png Conti.exe File created C:\Program Files (x86)\Internet Explorer\fr-FR\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_forward_18.svg Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInTray.gif Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar Conti.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle Conti.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\R3ADM3.txt Conti.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\R3ADM3.txt Conti.exe File created C:\Program Files\Common Files\microsoft shared\VGX\R3ADM3.txt Conti.exe File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\91741568-34F6-43DA-AC98-A4A5511FB516\root\vfs\Windows Conti.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png Conti.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js Conti.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1588 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe 4140 Conti.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 2052 vssvc.exe Token: SeRestorePrivilege 2052 vssvc.exe Token: SeAuditPrivilege 2052 vssvc.exe Token: SeIncreaseQuotaPrivilege 4716 WMIC.exe Token: SeSecurityPrivilege 4716 WMIC.exe Token: SeTakeOwnershipPrivilege 4716 WMIC.exe Token: SeLoadDriverPrivilege 4716 WMIC.exe Token: SeSystemProfilePrivilege 4716 WMIC.exe Token: SeSystemtimePrivilege 4716 WMIC.exe Token: SeProfSingleProcessPrivilege 4716 WMIC.exe Token: SeIncBasePriorityPrivilege 4716 WMIC.exe Token: SeCreatePagefilePrivilege 4716 WMIC.exe Token: SeBackupPrivilege 4716 WMIC.exe Token: SeRestorePrivilege 4716 WMIC.exe Token: SeShutdownPrivilege 4716 WMIC.exe Token: SeDebugPrivilege 4716 WMIC.exe Token: SeSystemEnvironmentPrivilege 4716 WMIC.exe Token: SeRemoteShutdownPrivilege 4716 WMIC.exe Token: SeUndockPrivilege 4716 WMIC.exe Token: SeManageVolumePrivilege 4716 WMIC.exe Token: 33 4716 WMIC.exe Token: 34 4716 WMIC.exe Token: 35 4716 WMIC.exe Token: 36 4716 WMIC.exe Token: SeIncreaseQuotaPrivilege 4716 WMIC.exe Token: SeSecurityPrivilege 4716 WMIC.exe Token: SeTakeOwnershipPrivilege 4716 WMIC.exe Token: SeLoadDriverPrivilege 4716 WMIC.exe Token: SeSystemProfilePrivilege 4716 WMIC.exe Token: SeSystemtimePrivilege 4716 WMIC.exe Token: SeProfSingleProcessPrivilege 4716 WMIC.exe Token: SeIncBasePriorityPrivilege 4716 WMIC.exe Token: SeCreatePagefilePrivilege 4716 WMIC.exe Token: SeBackupPrivilege 4716 WMIC.exe Token: SeRestorePrivilege 4716 WMIC.exe Token: SeShutdownPrivilege 4716 WMIC.exe Token: SeDebugPrivilege 4716 WMIC.exe Token: SeSystemEnvironmentPrivilege 4716 WMIC.exe Token: SeRemoteShutdownPrivilege 4716 WMIC.exe Token: SeUndockPrivilege 4716 WMIC.exe Token: SeManageVolumePrivilege 4716 WMIC.exe Token: 33 4716 WMIC.exe Token: 34 4716 WMIC.exe Token: 35 4716 WMIC.exe Token: 36 4716 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4140 wrote to memory of 3888 4140 Conti.exe 69 PID 4140 wrote to memory of 3888 4140 Conti.exe 69 PID 3888 wrote to memory of 4716 3888 cmd.exe 71 PID 3888 wrote to memory of 4716 3888 cmd.exe 71 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Conti.exe"C:\Users\Admin\AppData\Local\Temp\Conti.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F5BFCE5-AF79-4C34-B943-BACF30ACBFEE}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F5BFCE5-AF79-4C34-B943-BACF30ACBFEE}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\R3ADM3.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1588
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
- Drops file in Windows directory
PID:3868
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
846B
MD5e6f001fc98cb51a0429ca5dc95f6a950
SHA116a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA51211e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c
-
Filesize
846B
MD5e6f001fc98cb51a0429ca5dc95f6a950
SHA116a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA51211e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c