Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 09:32

Static task: static1

Behavioral task: behavioral1
Sample: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
Resource: win10v2004-20240508-en
General
Target: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
Size: 398KB
MD5: b092f52111eafdb88d8cc5a8a824323c
SHA1: f99d0640653cf3a64deb8641c5aa46828c9cd031
SHA256: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b
SHA512: b9e5d5cff8910773ce8a880858935bc1b8c635a8a00cc5c6804d527eead04505804c9fae62200abb997b99f744c0181479e973b6466d728a4abf1dea390f0906
SSDEEP: 12288:9bPHdKYAO63nKT58kJl9Pzqf5u1G1IA6/PTN:979I3ng+00v1wrN
Malware Config
Extracted from: C:\ProgramData\readme.txt
Family: conti
URLs:
- http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
- https://contirecovery.click

Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Renames multiple (143) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 732: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
  PID 732: 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 732 wrote to memory of 3208 | pid 732 | 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe | procid_target 88
  PID 732 wrote to memory of 3208 | pid 732 | 2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe | procid_target 88
  PID 3208 wrote to memory of 4468 | pid 3208 | cmd.exe | procid_target 90
  PID 3208 wrote to memory of 4468 | pid 3208 | cmd.exe | procid_target 90
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(1) C:\Users\Admin\AppData\Local\Temp\2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2aff9f4b9a64168ce2b5a031f81ce35c759635091d15d54a03a3318babc6ec7b.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 732
    (2) C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5965F87-1B36-4D4D-8781-2CEF8B2CD033}'" delete
        - Suspicious use of WriteProcessMemory
        PID: 3208
        (3) C:\Windows\System32\wbem\WMIC.exe
            Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B5965F87-1B36-4D4D-8781-2CEF8B2CD033}'" delete
            - Suspicious use of AdjustPrivilegeToken
            PID: 4468

(1) C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 3612
Downloads
- Filesize: 1KB
  MD5: c946a2fc2781077eef105ad2b9c5febd
  SHA1: a8dfae2d48733af6e2dd628ce3a93760fa37dc5a
  SHA256: 2be6b3226513fe74e93e26e2051179e78ee722984713067c9835873904623803
  SHA512: 56d64d43a705d63fbfea2426d8d88bcbf71c3f1d4bc968d3d6f6e9d2ab414326a59a6ab676260c701ced0c28a7c3bc55ee639218a3699ebb693a4f575404f7c8