Overview

overview

10

Static

static

3

Conti.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Conti

  • Size

    185KB

  • Sample

    240325-wlgpdshe7w

  • MD5

    7076f9674bc42536d1e0e2ca80d1e4f6

  • SHA1

    854485ee63e5a399fffe150f04cd038d6a5490ef

  • SHA256

    ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124

  • SHA512

    71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a

  • SSDEEP

    3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr

Score
10/10
contiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\R3ADM3.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- V8gTskvaU8gGgzzk0qC2sM90noCXm1AgvCkADBk9JhxwjahEd2MSBLQ5sgBZOEkq ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Targets

    • Target

      Conti

    • Size

      185KB

    • MD5

      7076f9674bc42536d1e0e2ca80d1e4f6

    • SHA1

      854485ee63e5a399fffe150f04cd038d6a5490ef

    • SHA256

      ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124

    • SHA512

      71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a

    • SSDEEP

      3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr

    Score
    10/10
    contiransomwarespywarestealer

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

      ransomwareconti

    • Renames multiple (7313) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks