Analysis
-
max time kernel
191s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-04-2024 11:09
General
-
Target
96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe
-
Size
185KB
-
MD5
fe788ba47f0a49329fd241a942bab938
-
SHA1
186e444c12d81a6c18e2f8eb66459a354c2ed25b
-
SHA256
96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2
-
SHA512
673f9770ff7e7e1ac39b33513959f78298df4102e4322dddd2e745a313c0ecbab2ca732d14e6a916ba2165c40a5e6e48d1377618ff3a7d73085ac860be4340de
-
SSDEEP
3072:XqS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4/:aS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\R3ADM3.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI ransomware.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
HTTPS VERSION :
https://contirecovery.info
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP.
---BEGIN ID---
zJDnMLlK6tLZXk1WL8IzzvpbV1mgmIHZOkF25hbQIFEDjCA0navQ0z9H4n3QtAmB
---END ID---
URLs
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.info
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Renames multiple (7955) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 46 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe"C:\Users\Admin\AppData\Local\Temp\96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EFEC896E-B8B0-438A-9EE8-D170D121BF16}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EFEC896E-B8B0-438A-9EE8-D170D121BF16}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E590083-238F-4C62-B7AA-879901885D03}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5E590083-238F-4C62-B7AA-879901885D03}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1560DEBB-796E-45DD-8E59-41AEBCFF317D}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1560DEBB-796E-45DD-8E59-41AEBCFF317D}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{577F18B6-B703-4463-B987-7DB378C2C720}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{577F18B6-B703-4463-B987-7DB378C2C720}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B6887A2-62D1-442B-BFC3-8F1509D58113}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B6887A2-62D1-442B-BFC3-8F1509D58113}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A9C8F0A-5C21-46DA-A280-F9C8563A1D33}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A9C8F0A-5C21-46DA-A280-F9C8563A1D33}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EAC5C4B9-A630-49FF-A6FD-338AA76B6389}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EAC5C4B9-A630-49FF-A6FD-338AA76B6389}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{16944CD2-5BF0-4C73-9E88-DEC08BCBF6A4}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{16944CD2-5BF0-4C73-9E88-DEC08BCBF6A4}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{947F8720-5BD7-4FDA-9EC6-5D4FA1862651}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{947F8720-5BD7-4FDA-9EC6-5D4FA1862651}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FE26E64-95BA-45D4-ACBA-E83EFACF64A1}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3FE26E64-95BA-45D4-ACBA-E83EFACF64A1}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44D6103-1AEE-4D36-9CAC-3C47783BA1C6}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44D6103-1AEE-4D36-9CAC-3C47783BA1C6}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8AF5878-BBB7-4B81-ACAB-C1E45C500F21}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8AF5878-BBB7-4B81-ACAB-C1E45C500F21}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00E5B278-6BF0-4721-87F3-4A9DD11F0405}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{00E5B278-6BF0-4721-87F3-4A9DD11F0405}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3737B366-2C07-4157-880F-0BD00F79B589}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3737B366-2C07-4157-880F-0BD00F79B589}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D338F28F-1914-4D9A-9B20-25504581CE12}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D338F28F-1914-4D9A-9B20-25504581CE12}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA6642C6-2ADB-4CB1-A6F1-C58D87E54DAE}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA6642C6-2ADB-4CB1-A6F1-C58D87E54DAE}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02A23EE7-80B9-4021-BE3C-926444EA4DB0}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{02A23EE7-80B9-4021-BE3C-926444EA4DB0}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{72E69C31-FBAB-41AE-BA18-44633531E684}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{72E69C31-FBAB-41AE-BA18-44633531E684}'" delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
846B
MD51faf49045a09c14d8540fb0d9d595de4
SHA1bbf25516d2d69d397f1eabcc0c128b29f0627cc6
SHA25690a3c5e5ecd61cfc66f58049ddeb5b6c13c4b9eee78443778c5e57ee59fb2252
SHA512e38301a45bbf5c04542a52c677d7be4c66d2d44a284788a102139e05920ba4cb164e13dc77ada3fb326032223b554da3421334ba53abb87b85e2869e71dcef1e