Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 15:37

Errors

Reason
Machine shutdown

General

  • Target

    0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe

  • Size

    434KB

  • MD5

    9eb1d5dbe3722be30545c9b63565d2eb

  • SHA1

    78adabc1ac2c1cf58a30ac7bea53062a1e11c9b4

  • SHA256

    0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862

  • SHA512

    2360ab53c10995daafdd118755b98439baba79232865d8daf10a97bfb9e136f16e49ab315ae804a768593d27f7dc86e8e1708385a13653fad4a850de7c56400b

  • SSDEEP

    6144:ud8FpUeW9Xb7cE4luAoF6hS1g0cmpSZ/gdRKOMsaVGKMBaoU2x0jPX3lAa/ac:u39XbgE/AMLLSZId/adpr7/ac

Malware Config

Extracted

Path

C:\Program Files (x86)\R3ADM3.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- zJDnMLlK6tLZXk1WL8IzzvpbV1mgmIHZOkF25hbQIFEDjCA0navQ0z9H4n3QtAmB ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Renames multiple (7984) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 46 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe
    "C:\Users\Admin\AppData\Local\Temp\0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
        3⤵
          PID:1208
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
          3⤵
            PID:1128
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
            3⤵
              PID:2892
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
              3⤵
                PID:2936
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:948
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
                3⤵
                  PID:1952
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2208
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
                  3⤵
                    PID:1592
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1984
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
                    3⤵
                      PID:1588
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
                    2⤵
                      PID:1084
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
                        3⤵
                          PID:1688
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
                        2⤵
                          PID:1596
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
                            3⤵
                              PID:1528
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
                            2⤵
                              PID:324
                              • C:\Windows\System32\wbem\WMIC.exe
                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
                                3⤵
                                  PID:2480
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
                                2⤵
                                  PID:3012
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
                                    3⤵
                                      PID:3008
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
                                    2⤵
                                      PID:2060
                                      • C:\Windows\System32\wbem\WMIC.exe
                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
                                        3⤵
                                          PID:528
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
                                        2⤵
                                          PID:1620
                                          • C:\Windows\System32\wbem\WMIC.exe
                                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
                                            3⤵
                                              PID:2348
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
                                            2⤵
                                              PID:2008
                                              • C:\Windows\System32\wbem\WMIC.exe
                                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
                                                3⤵
                                                  PID:1420
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
                                                2⤵
                                                  PID:2880
                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
                                                    3⤵
                                                      PID:1552
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
                                                    2⤵
                                                      PID:1800
                                                      • C:\Windows\System32\wbem\WMIC.exe
                                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
                                                        3⤵
                                                          PID:1916
                                                    • C:\Windows\system32\vssvc.exe
                                                      C:\Windows\system32\vssvc.exe
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1744
                                                    • C:\Windows\system32\rundll32.exe
                                                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN
                                                      1⤵
                                                      • Modifies registry class
                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                      PID:804
                                                      • C:\Windows\system32\NOTEPAD.EXE
                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN
                                                        2⤵
                                                        • Opens file in notepad (likely ransom note)
                                                        PID:3812
                                                    • C:\Windows\system32\LogonUI.exe
                                                      "LogonUI.exe" /flags:0x0
                                                      1⤵
                                                        PID:3532
                                                      • C:\Windows\system32\LogonUI.exe
                                                        "LogonUI.exe" /flags:0x1
                                                        1⤵
                                                          PID:3784

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Program Files (x86)\R3ADM3.txt

                                                          Filesize

                                                          846B

                                                          MD5

                                                          1faf49045a09c14d8540fb0d9d595de4

                                                          SHA1

                                                          bbf25516d2d69d397f1eabcc0c128b29f0627cc6

                                                          SHA256

                                                          90a3c5e5ecd61cfc66f58049ddeb5b6c13c4b9eee78443778c5e57ee59fb2252

                                                          SHA512

                                                          e38301a45bbf5c04542a52c677d7be4c66d2d44a284788a102139e05920ba4cb164e13dc77ada3fb326032223b554da3421334ba53abb87b85e2869e71dcef1e

                                                        • C:\Users\Admin\Desktop\UndoOut.shtml.ITTZN

                                                          Filesize

                                                          448KB

                                                          MD5

                                                          c2a611ab27848429a366d59a3197653e

                                                          SHA1

                                                          19f46276e993ce72f6f4696de453485906e199ab

                                                          SHA256

                                                          8d2882a36d5b3d3c6486afb395e78600ef9a4f13172305b35ddefd91b2753a05

                                                          SHA512

                                                          14c6c344372e02444d88277e7e5e2ea81f2945d567ced8b57155fe9432ed90e683f8242c33c93ce7dbf83e4d44c8fb83c2f4d3fba3b01c8a9c7f8aabcd943705

                                                        • memory/1976-0-0x00000000003C0000-0x00000000003F4000-memory.dmp

                                                          Filesize

                                                          208KB

                                                        • memory/1976-3-0x0000000000240000-0x0000000000271000-memory.dmp

                                                          Filesize

                                                          196KB

                                                        • memory/1976-5-0x0000000000480000-0x00000000004B3000-memory.dmp

                                                          Filesize

                                                          204KB

                                                        • memory/3532-17701-0x00000000029C0000-0x00000000029C1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3784-17702-0x00000000026E0000-0x00000000026E1000-memory.dmp

                                                          Filesize

                                                          4KB