Overview

overview

10

Static

static

3

63061a372c...d6.exe

windows7-x64

10

63061a372c...d6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

  • Size

    1.0MB

  • Sample

    240410-nklmysdh65

  • MD5

    d3d9ad65fb3fb6f1eae29527b61ae7c0

  • SHA1

    cdaaa01b42d3b4a325c11fdd7779ade9044e9946

  • SHA256

    63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

  • SHA512

    171b12d4e345e67a4bfa43e2be66b5e18ccd61d2dee0f7b520c995595d62c258f1a4a865c8b8cdf6a9aa0c7b467eb10989b3ddc5291f4196e95276b94ba1cb7c

  • SSDEEP

    24576:nZeCB1cqVAtVi+0ZMdbIudTkvk7WCuwJLMBhRCLlX:n8UTMdkGBuHKX

Score
10/10
contiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 8MGCXlEjLLwou0tFoQYUZj9ZTcMQsceR7KKS8uxqdm5vRusaXoRbuMayM1sxKpc8 ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Targets

    • Target

      63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

    • Size

      1.0MB

    • MD5

      d3d9ad65fb3fb6f1eae29527b61ae7c0

    • SHA1

      cdaaa01b42d3b4a325c11fdd7779ade9044e9946

    • SHA256

      63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

    • SHA512

      171b12d4e345e67a4bfa43e2be66b5e18ccd61d2dee0f7b520c995595d62c258f1a4a865c8b8cdf6a9aa0c7b467eb10989b3ddc5291f4196e95276b94ba1cb7c

    • SSDEEP

      24576:nZeCB1cqVAtVi+0ZMdbIudTkvk7WCuwJLMBhRCLlX:n8UTMdkGBuHKX

    Score
    10/10
    contiransomwarespywarestealer

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

      ransomwareconti

    • Renames multiple (7914) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks