Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 14:53
Static task: static1
Behavioral task: behavioral1 (Sample: Conti.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: Conti.exe, Resource: win10v2004-20240226-en)
General
Target: Conti.exe
Size: 56KB
MD5: 1dee922fe62638c78c9cedb46dbeba2d
SHA1: c85f75cc9a37f190fe242e5c6f518be46ee66361
SHA256: fe08a3036d6573fb430a69485ebfe405aad2cffef415c6f0a82e1704abb1f801
SHA512: bc3e29e92a4e52d452b6d5bcca7c15f9e27157cd00c2ed2fcdc91f4b15dbb5748016e0e742ce71b825872e0b0fb41595ce41288542589340a86bc61c9a36b7ef
SSDEEP: 768:+iJHRkQmAP4Fr8fj8fGETs1Nts5C2wZrzCYQtNQZZ9UI0Lb/3IY4WdO+5:tVaAPpLMGksRsE/CYCFv4b+
Malware Config
Signatures
Renames multiple (7012) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt (Process: Conti.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)