Overview

overview

10

Static

static

3

63061a372c...d6.exe

windows7-x64

10

63061a372c...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe

  • Size

    1.0MB

  • MD5

    d3d9ad65fb3fb6f1eae29527b61ae7c0

  • SHA1

    cdaaa01b42d3b4a325c11fdd7779ade9044e9946

  • SHA256

    63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6

  • SHA512

    171b12d4e345e67a4bfa43e2be66b5e18ccd61d2dee0f7b520c995595d62c258f1a4a865c8b8cdf6a9aa0c7b467eb10989b3ddc5291f4196e95276b94ba1cb7c

  • SSDEEP

    24576:nZeCB1cqVAtVi+0ZMdbIudTkvk7WCuwJLMBhRCLlX:n8UTMdkGBuHKX

Score
10/10
contiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- 8MGCXlEjLLwou0tFoQYUZj9ZTcMQsceR7KKS8uxqdm5vRusaXoRbuMayM1sxKpc8 ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Renames multiple (7272) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\63061a372c41f5797f18dfeed166ec350e4029c46ad3c42ff79b8e284eb65ad6.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C0CF18-2D40-4C7A-9249-7D5BB9CE2371}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C0CF18-2D40-4C7A-9249-7D5BB9CE2371}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:400
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\readme.txt
    Filesize

    867B

    MD5

    3e9c3d04dab03530e2fc91b2370118b7

    SHA1

    e14b473b8415a54cdd0df5fce4fc2eb329145e86

    SHA256

    f4f6cc9d015f28fd0ee1ba639bd2770ef6cc6fa07d270e4df29f0d150d2e5605

    SHA512

    78d4db2f29afce504808f0621257d01240df5fb873775c6f44389a788ac39fd72a8fee3e76ea8d7fa5e5dc8a5eedcf95d170323a97a907dbd9d6c69ab6a9389b

    Download Submit

  • memory/4460-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-1-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-2-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-10-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-18-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-3762-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-6080-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-6082-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-6083-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-18291-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4460-18300-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download