conti | 58ca4e482db7cf5c924256e53d8516d422e76cf4b85b43dc2b9ba0c7cb471ff7

Resubmissions

16-03-2024 19:39

240316-yc7kkaae5w 10

10-03-2024 13:40

240310-qykzpadh8w 10

10-03-2024 12:36

240310-psyg6acg33 10

Analysis

max time kernel
358s
max time network
363s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CONTI.exe
Size

196KB
MD5

58b16b1ea734d18960927cd68040c72d
SHA1

ab31613ceb08db6aea6b90370e259be1e9243070
SHA256

58ca4e482db7cf5c924256e53d8516d422e76cf4b85b43dc2b9ba0c7cb471ff7
SHA512

7b2b180005974afef8be76431c06eb22910d67863d80f738999030aa0a9707421ecb847a864b9a1c2a4fd03909fd35377d44276e69586a33c2fcb8ce4c8371f1
SSDEEP

3072:CLJGBP1t82ETTwPAobQ3tOqmb14Gul22QZkN7S44EXZ50Rx6:gJEPCTwPp03YqyNulakHu6

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.top/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3oGjGn43irQZrKl1Tykk77x4alv7UkOkD9ru3aywuSN0ufrLAF1rZS40oEtMRe2j ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.top/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7915) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2Y0HPGOE\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AS4I30IR\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	CONTI.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	CONTI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CONTI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2XML.XSL	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu	CONTI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00242_.WMF	CONTI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log	CONTI.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	CONTI.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.GIF	CONTI.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	CONTI.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM	CONTI.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF	CONTI.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	CONTI.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cancun	CONTI.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau	CONTI.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\readme.txt	CONTI.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\readme.txt	CONTI.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\readme.txt	CONTI.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV.HXS	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\CHICAGO.XSL	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107148.WMF	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG	CONTI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG	CONTI.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	CONTI.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties	CONTI.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT	CONTI.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\readme.txt	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FRENCH.LNG	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL	CONTI.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.DPV	CONTI.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\readme.txt	CONTI.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	CONTI.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	CONTI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe
2248	CONTI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2692	WMIC.exe
Token: SeSecurityPrivilege	2692	WMIC.exe
Token: SeTakeOwnershipPrivilege	2692	WMIC.exe
Token: SeLoadDriverPrivilege	2692	WMIC.exe
Token: SeSystemProfilePrivilege	2692	WMIC.exe
Token: SeSystemtimePrivilege	2692	WMIC.exe
Token: SeProfSingleProcessPrivilege	2692	WMIC.exe
Token: SeIncBasePriorityPrivilege	2692	WMIC.exe
Token: SeCreatePagefilePrivilege	2692	WMIC.exe
Token: SeBackupPrivilege	2692	WMIC.exe
Token: SeRestorePrivilege	2692	WMIC.exe
Token: SeShutdownPrivilege	2692	WMIC.exe
Token: SeDebugPrivilege	2692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2692	WMIC.exe
Token: SeRemoteShutdownPrivilege	2692	WMIC.exe
Token: SeUndockPrivilege	2692	WMIC.exe
Token: SeManageVolumePrivilege	2692	WMIC.exe
Token: 33	2692	WMIC.exe
Token: 34	2692	WMIC.exe
Token: 35	2692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2692	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2592	2248	CONTI.exe	31
PID 2248 wrote to memory of 2592	2248	CONTI.exe	31
PID 2248 wrote to memory of 2592	2248	CONTI.exe	31
PID 2248 wrote to memory of 2592	2248	CONTI.exe	31
PID 2592 wrote to memory of 2572	2592	cmd.exe	33
PID 2592 wrote to memory of 2572	2592	cmd.exe	33
PID 2592 wrote to memory of 2572	2592	cmd.exe	33
PID 2248 wrote to memory of 2552	2248	CONTI.exe	34
PID 2248 wrote to memory of 2552	2248	CONTI.exe	34
PID 2248 wrote to memory of 2552	2248	CONTI.exe	34
PID 2248 wrote to memory of 2552	2248	CONTI.exe	34
PID 2552 wrote to memory of 2692	2552	cmd.exe	36
PID 2552 wrote to memory of 2692	2552	cmd.exe	36
PID 2552 wrote to memory of 2692	2552	cmd.exe	36
PID 2248 wrote to memory of 2624	2248	CONTI.exe	37
PID 2248 wrote to memory of 2624	2248	CONTI.exe	37
PID 2248 wrote to memory of 2624	2248	CONTI.exe	37
PID 2248 wrote to memory of 2624	2248	CONTI.exe	37
PID 2624 wrote to memory of 1936	2624	cmd.exe	39
PID 2624 wrote to memory of 1936	2624	cmd.exe	39
PID 2624 wrote to memory of 1936	2624	cmd.exe	39
PID 2248 wrote to memory of 2348	2248	CONTI.exe	40
PID 2248 wrote to memory of 2348	2248	CONTI.exe	40
PID 2248 wrote to memory of 2348	2248	CONTI.exe	40
PID 2248 wrote to memory of 2348	2248	CONTI.exe	40
PID 2348 wrote to memory of 2368	2348	cmd.exe	42
PID 2348 wrote to memory of 2368	2348	cmd.exe	42
PID 2348 wrote to memory of 2368	2348	cmd.exe	42
PID 2248 wrote to memory of 2764	2248	CONTI.exe	43
PID 2248 wrote to memory of 2764	2248	CONTI.exe	43
PID 2248 wrote to memory of 2764	2248	CONTI.exe	43
PID 2248 wrote to memory of 2764	2248	CONTI.exe	43
PID 2764 wrote to memory of 2776	2764	cmd.exe	45
PID 2764 wrote to memory of 2776	2764	cmd.exe	45
PID 2764 wrote to memory of 2776	2764	cmd.exe	45
PID 2248 wrote to memory of 1212	2248	CONTI.exe	46
PID 2248 wrote to memory of 1212	2248	CONTI.exe	46
PID 2248 wrote to memory of 1212	2248	CONTI.exe	46
PID 2248 wrote to memory of 1212	2248	CONTI.exe	46
PID 1212 wrote to memory of 1448	1212	cmd.exe	48
PID 1212 wrote to memory of 1448	1212	cmd.exe	48
PID 1212 wrote to memory of 1448	1212	cmd.exe	48
PID 2248 wrote to memory of 1672	2248	CONTI.exe	49
PID 2248 wrote to memory of 1672	2248	CONTI.exe	49
PID 2248 wrote to memory of 1672	2248	CONTI.exe	49
PID 2248 wrote to memory of 1672	2248	CONTI.exe	49
PID 1672 wrote to memory of 1884	1672	cmd.exe	51
PID 1672 wrote to memory of 1884	1672	cmd.exe	51
PID 1672 wrote to memory of 1884	1672	cmd.exe	51
PID 2248 wrote to memory of 836	2248	CONTI.exe	52
PID 2248 wrote to memory of 836	2248	CONTI.exe	52
PID 2248 wrote to memory of 836	2248	CONTI.exe	52
PID 2248 wrote to memory of 836	2248	CONTI.exe	52
PID 836 wrote to memory of 1968	836	cmd.exe	54
PID 836 wrote to memory of 1968	836	cmd.exe	54
PID 836 wrote to memory of 1968	836	cmd.exe	54
PID 2248 wrote to memory of 2204	2248	CONTI.exe	55
PID 2248 wrote to memory of 2204	2248	CONTI.exe	55
PID 2248 wrote to memory of 2204	2248	CONTI.exe	55
PID 2248 wrote to memory of 2204	2248	CONTI.exe	55
PID 2204 wrote to memory of 2208	2204	cmd.exe	57
PID 2204 wrote to memory of 2208	2204	cmd.exe	57
PID 2204 wrote to memory of 2208	2204	cmd.exe	57
PID 2248 wrote to memory of 800	2248	CONTI.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CONTI.exe
"C:\Users\Admin\AppData\Local\Temp\CONTI.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E81ECA34-0487-4F22-84AF-24B24EFC10F5}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E81ECA34-0487-4F22-84AF-24B24EFC10F5}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3CA3636-424E-4EE7-AA3B-DD9FE71DB7EF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3CA3636-424E-4EE7-AA3B-DD9FE71DB7EF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55EEE98E-8407-462D-BD0F-BB7B75CE31BD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55EEE98E-8407-462D-BD0F-BB7B75CE31BD}'" delete
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93CC03E3-6DF1-4637-BD22-4710443E5940}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93CC03E3-6DF1-4637-BD22-4710443E5940}'" delete
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF040487-4543-4ED1-ADEF-D3FDA4645F47}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF040487-4543-4ED1-ADEF-D3FDA4645F47}'" delete
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF0E04A7-8711-402B-8C20-EEB832489320}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF0E04A7-8711-402B-8C20-EEB832489320}'" delete
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5EC4895-427C-4C2A-91E7-880BF2BDE1CC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F5EC4895-427C-4C2A-91E7-880BF2BDE1CC}'" delete
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68712A02-8F02-4CD5-BDC3-49A46F7FCFAF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68712A02-8F02-4CD5-BDC3-49A46F7FCFAF}'" delete
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D214B12C-18E5-4F9B-8285-2E67C974D5C6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D214B12C-18E5-4F9B-8285-2E67C974D5C6}'" delete
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3B6FDDF-F69E-42D8-9784-6491C8FAF565}'" delete
  2⤵
  PID:800
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3B6FDDF-F69E-42D8-9784-6491C8FAF565}'" delete
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D9F7447-5EF0-4664-B284-7F089E1F3046}'" delete
  2⤵
  PID:952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D9F7447-5EF0-4664-B284-7F089E1F3046}'" delete
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19173608-B2D7-4496-AF78-575677249E0D}'" delete
  2⤵
  PID:2056
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{19173608-B2D7-4496-AF78-575677249E0D}'" delete
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA53263B-500C-44CA-9451-E02FC42C641C}'" delete
  2⤵
  PID:1624
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA53263B-500C-44CA-9451-E02FC42C641C}'" delete
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{442F1A31-BF66-4847-8677-49387E6CF18D}'" delete
  2⤵
  PID:3032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{442F1A31-BF66-4847-8677-49387E6CF18D}'" delete
    3⤵
    PID:2388
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9AD2CD3-B216-4DA9-8395-7248C5BCB39F}'" delete
  2⤵
  PID:2132
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9AD2CD3-B216-4DA9-8395-7248C5BCB39F}'" delete
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED2ABB9C-6F00-40D8-B24C-9C055703EE86}'" delete
  2⤵
  PID:2408
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED2ABB9C-6F00-40D8-B24C-9C055703EE86}'" delete
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B59BF6AD-AD3F-48D7-8AC5-C00E28BB661F}'" delete
  2⤵
  PID:324
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B59BF6AD-AD3F-48D7-8AC5-C00E28BB661F}'" delete
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D7FFFCBE-24E2-4A8B-A802-375E6EC5AB99}'" delete
  2⤵
  PID:1904
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D7FFFCBE-24E2-4A8B-A802-375E6EC5AB99}'" delete
    3⤵
    PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
b87b63355379f17bb06a2570c8d88b04

SHA1
84d6a08e78da221fea6ec46fe7b7ac87412e23c2

SHA256
284959ed3f68fb912cb141ef31b4ad4b53147bd1082ec1ed83bd08af729d09d1

SHA512
bad79ae1efc718a90e089b9cdea8bfb149adbcddfc79cef529ab11055ce723a23608402b78e2655e5d5f9c72e26726390a1dbb24a2abfaca6e964e26e36c275e

Download Submit