Overview

overview

10

Static

static

3

96812dc56f...c2.exe

windows7-x64

10

96812dc56f...c2.exe

windows7-x64

10

96812dc56f...c2.exe

windows10-1703-x64

10

96812dc56f...c2.exe

windows10-2004-x64

10

96812dc56f...c2.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16-04-2024 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe

  • Size

    185KB

  • MD5

    fe788ba47f0a49329fd241a942bab938

  • SHA1

    186e444c12d81a6c18e2f8eb66459a354c2ed25b

  • SHA256

    96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2

  • SHA512

    673f9770ff7e7e1ac39b33513959f78298df4102e4322dddd2e745a313c0ecbab2ca732d14e6a916ba2165c40a5e6e48d1377618ff3a7d73085ac860be4340de

  • SSDEEP

    3072:XqS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4/:aS7gtyuzFxm16axugfqlMw5g5BkOdSlr

Score
10/10
contiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\R3ADM3.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- zJDnMLlK6tLZXk1WL8IzzvpbV1mgmIHZOkF25hbQIFEDjCA0navQ0z9H4n3QtAmB ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Renames multiple (7956) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 46 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe
    "C:\Users\Admin\AppData\Local\Temp\96812dc56ffc07d9260b60dadd9729b1aaf29d426970f9385fad87d99d4578c2.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2DF73169-0006-4B2B-804B-E7F9259F305A}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2DF73169-0006-4B2B-804B-E7F9259F305A}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D118557-05F4-49D2-92FD-D77C41B32532}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D118557-05F4-49D2-92FD-D77C41B32532}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3467631B-5862-4A7E-8AAC-24ABEF4F5D6D}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3467631B-5862-4A7E-8AAC-24ABEF4F5D6D}'" delete
        3⤵
          PID:2932
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8608DE0E-5675-4B3F-94F0-C764B306DAE5}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8608DE0E-5675-4B3F-94F0-C764B306DAE5}'" delete
          3⤵
            PID:2440
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2CB1E0D-169E-498E-9157-512BECF0FF2F}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2CB1E0D-169E-498E-9157-512BECF0FF2F}'" delete
            3⤵
              PID:2824
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7768B8FC-6054-41AA-840C-9ADB88BF3499}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7768B8FC-6054-41AA-840C-9ADB88BF3499}'" delete
              3⤵
                PID:1224
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{286949DC-EE30-4DC2-B6A7-FAADE546F8DC}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2020
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{286949DC-EE30-4DC2-B6A7-FAADE546F8DC}'" delete
                3⤵
                  PID:2704
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C66759AF-7139-4DDE-82CF-D8D11D725CCE}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1040
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C66759AF-7139-4DDE-82CF-D8D11D725CCE}'" delete
                  3⤵
                    PID:1968
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A76AABD-ED40-4C9F-BBB9-88C6F6146F31}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2508
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A76AABD-ED40-4C9F-BBB9-88C6F6146F31}'" delete
                    3⤵
                      PID:2024
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACDEAC0C-97C8-4D5F-AA2E-0E231060C58B}'" delete
                    2⤵
                      PID:2756
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ACDEAC0C-97C8-4D5F-AA2E-0E231060C58B}'" delete
                        3⤵
                          PID:2692
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E55A2AC-5B7E-4895-A99B-F6D62019BC9D}'" delete
                        2⤵
                          PID:1800
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4E55A2AC-5B7E-4895-A99B-F6D62019BC9D}'" delete
                            3⤵
                              PID:1900
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07BBA1F1-147D-428F-A19A-73C7A4A54BD0}'" delete
                            2⤵
                              PID:1740
                              • C:\Windows\System32\wbem\WMIC.exe
                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07BBA1F1-147D-428F-A19A-73C7A4A54BD0}'" delete
                                3⤵
                                  PID:2100
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5643F0-3CFF-4025-B03A-AEEF5E772C2F}'" delete
                                2⤵
                                  PID:2260
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F5643F0-3CFF-4025-B03A-AEEF5E772C2F}'" delete
                                    3⤵
                                      PID:1752
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07583FE6-8F70-40F5-ABF4-AF27DF159CB2}'" delete
                                    2⤵
                                      PID:2304
                                      • C:\Windows\System32\wbem\WMIC.exe
                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07583FE6-8F70-40F5-ABF4-AF27DF159CB2}'" delete
                                        3⤵
                                          PID:1076
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF669869-899E-4911-9280-F4C0A343936C}'" delete
                                        2⤵
                                          PID:776
                                          • C:\Windows\System32\wbem\WMIC.exe
                                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EF669869-899E-4911-9280-F4C0A343936C}'" delete
                                            3⤵
                                              PID:696
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89DAC8CF-A341-44D8-A4F8-6376837FCD85}'" delete
                                            2⤵
                                              PID:956
                                              • C:\Windows\System32\wbem\WMIC.exe
                                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{89DAC8CF-A341-44D8-A4F8-6376837FCD85}'" delete
                                                3⤵
                                                  PID:2312
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB9FF3A2-DD33-46E9-ABCA-D8D1DFF8A144}'" delete
                                                2⤵
                                                  PID:1036
                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AB9FF3A2-DD33-46E9-ABCA-D8D1DFF8A144}'" delete
                                                    3⤵
                                                      PID:1496
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FD53B4B8-F3C1-4179-860C-B8672CFF650D}'" delete
                                                    2⤵
                                                      PID:836
                                                      • C:\Windows\System32\wbem\WMIC.exe
                                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FD53B4B8-F3C1-4179-860C-B8672CFF650D}'" delete
                                                        3⤵
                                                          PID:2880
                                                    • C:\Windows\system32\vssvc.exe
                                                      C:\Windows\system32\vssvc.exe
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3052

                                                    Network

                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                    Initial Access

                                                    Execution

                                                    Persistence

                                                    Privilege Escalation

                                                    Defense Evasion

                                                    Credential Access

                                                    Unsecured Credentials

                                                    1
                                                    T1552

                                                    Credentials In Files

                                                    1
                                                    T1552.001

                                                    Discovery

                                                    Lateral Movement

                                                    Collection

                                                    Data from Local System

                                                    1
                                                    T1005

                                                    Exfiltration

                                                    Command and Control

                                                    Impact

                                                    Resource Development

                                                    Reconnaissance

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Program Files (x86)\R3ADM3.txt
                                                      Filesize

                                                      846B

                                                      MD5

                                                      1faf49045a09c14d8540fb0d9d595de4

                                                      SHA1

                                                      bbf25516d2d69d397f1eabcc0c128b29f0627cc6

                                                      SHA256

                                                      90a3c5e5ecd61cfc66f58049ddeb5b6c13c4b9eee78443778c5e57ee59fb2252

                                                      SHA512

                                                      e38301a45bbf5c04542a52c677d7be4c66d2d44a284788a102139e05920ba4cb164e13dc77ada3fb326032223b554da3421334ba53abb87b85e2869e71dcef1e

                                                      Download Submit