Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 16:27
Static task: static1
Behavioral task: behavioral1
  Sample: efc8f8172303ff78d207b2eb8c78511e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: efc8f8172303ff78d207b2eb8c78511e.exe
  Resource: win10v2004-20231215-en
General
Target: efc8f8172303ff78d207b2eb8c78511e.exe
Size: 195KB
MD5: efc8f8172303ff78d207b2eb8c78511e
SHA1: bdf1d7e889905e4df8485fc7dfbb9bdfb91e676e
SHA256: 7fbeac1dca907f4c04fec45a1228c9277f03930355eeac30d101bbce7e2733de
SHA512: 056d2289776db4f7ede6076d5e932e9641f3885f6096c022a7d1d06662881d7bb464d3a0605c5b40e50175541d5b370f814a4c2900b9172156161b43a8bb7d67
SSDEEP: 3072:6a/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKOjWk:7EBc2jMQsdJdBgHJ+/dB9rP2sR
Malware Config
Extracted
C:\Program Files (x86)\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Renames multiple (142) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\FileSystemMetadata.xml | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\ConvertSend.vb | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\PingUnlock.avi | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\ResetSet.vstm | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\UndoReceive.dib | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\precomplete | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\InstallConvertFrom.dib | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\Reference Assemblies\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\7-Zip\Lang\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\ResizeFormat.xlt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\SubmitUnregister.jpeg | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\Internet Explorer\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\descript.ion | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\ClearDisconnect.xhtml | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\MountRename.dxf | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\UnblockComplete.3gp | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\7z.sfx | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\RepairSuspend.xlsb | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\Microsoft Office\ThinAppXManifest.xml | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\Microsoft Office 15\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\MoveInitialize.wma | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\SearchApprove.xla | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\Google\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\MSBuild\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files (x86)\Internet Explorer\ie9props.propdesc | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\CopySuspend.shtml | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files (x86)\Microsoft\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\BlockWrite.wmv | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\SyncUpdate.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\UnpublishSwitch.dib | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\dotnet\LICENSE.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files\Java\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\OpenReset.tif | efc8f8172303ff78d207b2eb8c78511e.exe
  File created | C:\Program Files (x86)\Microsoft.NET\readme.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | efc8f8172303ff78d207b2eb8c78511e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | efc8f8172303ff78d207b2eb8c78511e.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4792 | efc8f8172303ff78d207b2eb8c78511e.exe
  4792 | efc8f8172303ff78d207b2eb8c78511e.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 228 | vssvc.exe
  Token: SeRestorePrivilege | 228 | vssvc.exe
  Token: SeAuditPrivilege | 228 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 2828 | WMIC.exe
  Token: SeSecurityPrivilege | 2828 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2828 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2828 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2828 | WMIC.exe
  Token: SeSystemtimePrivilege | 2828 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2828 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2828 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2828 | WMIC.exe
  Token: SeBackupPrivilege | 2828 | WMIC.exe
  Token: SeRestorePrivilege | 2828 | WMIC.exe
  Token: SeShutdownPrivilege | 2828 | WMIC.exe
  Token: SeDebugPrivilege | 2828 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2828 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2828 | WMIC.exe
  Token: SeUndockPrivilege | 2828 | WMIC.exe
  Token: SeManageVolumePrivilege | 2828 | WMIC.exe
  Token: 33 | 2828 | WMIC.exe
  Token: 34 | 2828 | WMIC.exe
  Token: 35 | 2828 | WMIC.exe
  Token: 36 | 2828 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2828 | WMIC.exe
  Token: SeSecurityPrivilege | 2828 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2828 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2828 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2828 | WMIC.exe
  Token: SeSystemtimePrivilege | 2828 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2828 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2828 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2828 | WMIC.exe
  Token: SeBackupPrivilege | 2828 | WMIC.exe
  Token: SeRestorePrivilege | 2828 | WMIC.exe
  Token: SeShutdownPrivilege | 2828 | WMIC.exe
  Token: SeDebugPrivilege | 2828 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2828 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2828 | WMIC.exe
  Token: SeUndockPrivilege | 2828 | WMIC.exe
  Token: SeManageVolumePrivilege | 2828 | WMIC.exe
  Token: 33 | 2828 | WMIC.exe
  Token: 34 | 2828 | WMIC.exe
  Token: 35 | 2828 | WMIC.exe
  Token: 36 | 2828 | WMIC.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4792 wrote to memory of 2780 | 4792 | efc8f8172303ff78d207b2eb8c78511e.exe | 50
  PID 4792 wrote to memory of 2780 | 4792 | efc8f8172303ff78d207b2eb8c78511e.exe | 50
  PID 2780 wrote to memory of 2828 | 2780 | cmd.exe | 48
  PID 2780 wrote to memory of 2828 | 2780 | cmd.exe | 48
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\efc8f8172303ff78d207b2eb8c78511e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\efc8f8172303ff78d207b2eb8c78511e.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4792
  - C:\Windows\SYSTEM32\cmd.exe (child of PID 4792)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B6DBF9C-8786-4D9D-B5D9-27A2D4F39AE3}'" delete
    - Suspicious use of WriteProcessMemory
    PID: 2780
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 228
- C:\Windows\System32\wbem\WMIC.exe
  Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B6DBF9C-8786-4D9D-B5D9-27A2D4F39AE3}'" delete
  - Suspicious use of AdjustPrivilegeToken
  PID: 2828
Downloads
- Filesize: 1KB
  MD5: 0fcf534007952d7d5b15dcb256af5f26
  SHA1: ef9032bfdc14226fae860602fb45d3b9d70086a6
  SHA256: f872f34286d027bc229b27bceb753a8b7f6920a5891e3f5f9e1b50a4d0d279d1
  SHA512: 17c74fa73663e9d236b3c77da668cd11202dca10ca059c22f6e6594b1111cb7116d4ae2ad0b0556dd9056a0b29866060bb84299660f253e816266692e60e013f