Analysis
max time kernel: 146s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: ContiLocker.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ContiLocker.exe
  Resource: win10v2004-20240226-en
General
Target: ContiLocker.exe
Size: 191KB
MD5: 732a229132d455b98038e5a23432385d
SHA1: d0fb9051f8f4a9063b9f19841182b1707527f89f
SHA256: 2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35
SHA512: 3b10b9530094986882d90bf048d0cf80330d85fc6e680cc3a918d336405e235cb03b159b69d5bbba1e846e674d1db2ce5f71e85ea269aff6db963a0ebf1771f1
SSDEEP: 3072:QmFTIW6NmG0jQm78u+aXJzuDyyUmaP/E61VoMU9FLBD9PKigvPXNYzA9:QoTIt0GkQ2JziBUma0oVmJDhKku
Malware Config
Extracted from: C:\Program Files (x86)\readme.txt
Family: conti
URLs:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.

Renames multiple (7322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (ContiLocker.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. For an encryptor such as this sample, the signature is typically tripped by the same indiscriminate file access listed below rather than by credential theft; treat it as supporting evidence only, not as proof of infostealing.
Drops desktop.ini file(s) (31 IoCs)
All 31 rows are "File opened for modification" by ContiLocker.exe:
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
Drops file in Program Files directory (64 IoCs)
All rows are by ContiLocker.exe. The sandbox lists 64 rows here while the rename signature above counts 7322 affected files, so this is a sample of what was touched, not the full set. "File created" rows are ransom-note drops; "File opened for modification" rows are existing files being overwritten.
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover_2x.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Social
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\readme.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\ui-strings.js
File opened for modification: C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-down_32.svg
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM
File created: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\readme.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\readme.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\readme.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\readme.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\readme.txt
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cs.pak.DATA
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\readme.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\readme.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR
File opened for modification: C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\readme.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\readme.txt
File opened for modification: C:\Program Files\7-Zip\Lang\mn.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforsignature.svg
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\readme.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\readme.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\readme.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\ui-strings.js
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 3972 ContiLocker.exe, 64 identical rows (the sandbox records one row per enumeration call).
Suspicious use of AdjustPrivilegeToken (45 IoCs)
vssvc.exe (PID 4176): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 3976), the following sequence enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. WMIC.exe enabling every privilege its token holds is normal start-up behaviour for that binary and appears on benign invocations as well; the signal in this run is the command line WMIC was given, not the token adjustment itself.
Suspicious use of WriteProcessMemory (4 IoCs)
PID 3972 (ContiLocker.exe) wrote to memory of PID 3708 (cmd.exe), two rows (sandbox target id 93)
PID 3708 (cmd.exe) wrote to memory of PID 3976 (WMIC.exe), two rows (sandbox target id 95)
Each target is the writer's own child in the process tree below, which is consistent with the writes a parent performs while creating a child rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
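As an added example, not part of the sandbox report or of the Conti sample itself, the following Python parses file-event rows in the "description ioc Process" layout used above and scores each process on two of the behaviours the report flags together: a ransom note (readme.txt, the name from the Extracted config) created across many directories, and files opened for modification across many directories. The sample rows are a constructed subset of paths that appear in this report, plus one invented benign notepad.exe row as a control; the thresholds are assumptions chosen for that small sample, not tuned values.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the report's "description ioc Process" row layout. The
# ContiLocker.exe paths are taken from the report above; the notepad.exe row is invented.
SAMPLE_EVENTS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt ContiLocker.exe
File created C:\Program Files (x86)\readme.txt ContiLocker.exe
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\readme.txt ContiLocker.exe
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\readme.txt ContiLocker.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini ContiLocker.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini ContiLocker.exe
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt ContiLocker.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac ContiLocker.exe
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties ContiLocker.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI ContiLocker.exe
File opened for modification C:\Users\Admin\Documents\notes.txt notepad.exe
"""

# Action first, then the path (which may contain spaces), then the process image as the
# final whitespace-free token. The lazy path group stops at the last "<name>.exe" token.
EVENT_RE = re.compile(r"^(File created|File opened for modification)\s+(.+?)\s+(\S+\.exe)$")

# Ransom-note file name taken from the report's Extracted config (C:\Program Files (x86)\readme.txt)
RANSOM_NOTE_NAMES = {"readme.txt"}


def parse_events(text):
    """Return (action, path, process) tuples; rows that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def score_processes(events, note_dir_threshold=3, mod_dir_threshold=5):
    """Per process, count distinct directories that received a ransom note and distinct
    directories with files opened for modification. Thresholds are assumptions for the sample."""
    stats = defaultdict(lambda: {"note_dirs": set(), "mod_dirs": set(), "mod_files": 0})
    for action, path, proc in events:
        p = PureWindowsPath(path)          # pure path: works on any host OS, no filesystem access
        parent = str(p.parent).lower()
        s = stats[proc]
        if action == "File created" and p.name.lower() in RANSOM_NOTE_NAMES:
            s["note_dirs"].add(parent)
        elif action == "File opened for modification":
            s["mod_files"] += 1
            s["mod_dirs"].add(parent)
    verdicts = {}
    for proc, s in stats.items():
        verdicts[proc] = {
            "note_dirs": len(s["note_dirs"]),
            "mod_dirs": len(s["mod_dirs"]),
            "mod_files": s["mod_files"],
            # Require both: a note dropped in several places AND writes spread widely.
            # Either alone (an installer writing many files, a user saving one readme) is noise.
            "ransomware_like": (len(s["note_dirs"]) >= note_dir_threshold
                                and len(s["mod_dirs"]) >= mod_dir_threshold),
        }
    return verdicts


if __name__ == "__main__":
    for proc, verdict in score_processes(parse_events(SAMPLE_EVENTS)).items():
        print(proc, verdict)
```

On the full report the thresholds would be far exceeded (readme.txt is created in dozens of directories and 7322 files are renamed); on a real endpoint the same two counters, keyed by process and bounded by a short time window, are the usual basis for a mass-encryption detection, with the note name list extended per family.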
Processes

C:\Users\Admin\AppData\Local\Temp\ContiLocker.exe (PID 3972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ContiLocker.exe"
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (PID 3708, child of 3972)
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E1E556A4-64A2-49F2-9F43-131343388228}'" delete
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wbem\WMIC.exe (PID 3976, child of 3708)
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E1E556A4-64A2-49F2-9F43-131343388228}'" delete
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 4176)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

The shadow copy is deleted by its ID through a cmd.exe /c wrapper around WMIC rather than with a blanket delete, so on a host with several snapshots one would expect one such WMIC invocation per snapshot. vssvc.exe is the Volume Shadow Copy service itself, started by the system to service that request; it is a separate root in the tree, not a child of the sample.
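As a second added example, again not from the report or the sample, this Python rebuilds the process tree above from process-creation events and alerts on shadow-copy deletion executed through WMIC, walking the ancestry so the alert names who launched it. The PIDs and command lines mirror the tree; the parent of ContiLocker.exe (an explorer.exe given PID 1234) and the parent PID of vssvc.exe (700) are invented because the report does not record parents of its root processes. The vssadmin pattern is included from general knowledge of ransomware tooling and was not observed in this run.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed from the report's process tree: PIDs 3972/3708/3976/4176 and the command lines
# are as listed there. explorer.exe (PID 1234) and the vssvc.exe parent PID 700 are invented.
SAMPLE_PROCS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(3972, 1234, r"C:\Users\Admin\AppData\Local\Temp\ContiLocker.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ContiLocker.exe"'),
    ProcEvent(3708, 3972, r"C:\Windows\SYSTEM32\cmd.exe",
              r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E1E556A4-64A2-49F2-9F43-131343388228}'" delete'''),
    ProcEvent(3976, 3708, r"C:\Windows\System32\wbem\WMIC.exe",
              r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E1E556A4-64A2-49F2-9F43-131343388228}'" delete'''),
    ProcEvent(4176, 700, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# First form is what this run shows; the vssadmin form is the other common one (general
# knowledge, not observed here).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
]
# Pulls the snapshot GUID out of a WMIC "where ID='{...}'" clause.
SHADOW_ID_RE = re.compile(r"ID='\{([0-9A-Fa-f-]+)\}'")
# Alert on the process that performs the deletion, not on the cmd.exe wrapper that only
# carries the same text on its command line; the wrapper still shows up in the ancestry.
EXECUTING_IMAGES = {"wmic.exe", "vssadmin.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(index, pid, limit=16):
    """Walk pid -> ppid until the chain leaves the index, loops, or hits the limit."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def find_shadow_copy_deletion(events):
    """Return one alert per executing process whose command line deletes shadow copies."""
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if image_name(e.image).lower() not in EXECUTING_IMAGES:
            continue
        if not any(p.search(e.cmdline) for p in SHADOW_DELETE_PATTERNS):
            continue
        m = SHADOW_ID_RE.search(e.cmdline)
        alerts.append({
            "pid": e.pid,
            "chain": [image_name(c.image) for c in ancestry(index, e.pid)],  # self first
            "shadow_id": m.group(1) if m else None,   # None: a blanket delete, no single target
            "cmdline": e.cmdline,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_deletion(SAMPLE_PROCS):
        print(alert)
```

The ancestry is what turns a noisy rule into a useful one: the same WMIC command run from a backup agent or an administrator's console has a different root than a binary in a user's Temp directory, and that root is what an analyst checks first. vssvc.exe is deliberately never matched, since its command line carries no deletion and it runs for benign snapshot operations as well.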
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 8f6296784a2d2a437c579768503f8737
SHA1: 937b7bab4c20d01d8c9d324c830a14f73cb534a8
SHA256: 946ca299d775712a93ca6d5daf44b96c986385a584001bf40730eebe86df9071
SHA512: f798844b0b44ee8baeba06caf9ac994bc8ad454a9923894567f04154eeeaccd5a171262bf8d0f69356cbed40356f194bf0d7d069ab3c7ba6741642d1e0b0673d