conti | 4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce

General

Target

6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118
Size

212KB
Sample

240725-evn2dsyaln
MD5

6e169583dad1106fb369fd9b6ebc0beb
SHA1

c4bc5650e26855bc7b54da693ffbbb90c088268e
SHA256

4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce
SHA512

11c62dec0223d7249fe8f5b2716582703fe9c052d80772358c8b0f3aa27607940f446fc7146731a9f7a8e14541ee3b99848db7679199ab96d948c0c0a079aa3d
SSDEEP

3072:9qKXlgNpgKCfzCLfDLG9dRdHkWqmXKipBAI/xRfvDMTo2tc:zKgVfGLfPG9dE4pBAoxuc

Score

10^/10

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- g1lTzZjVPrqCZPVYj1UwpeupnaGidaVdVAVF8QyXhd5MeNX2bcl2zZYyzkMNUVUh ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Targets

- Target
  
  6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118
- Size
  
  212KB
- MD5
  
  6e169583dad1106fb369fd9b6ebc0beb
- SHA1
  
  c4bc5650e26855bc7b54da693ffbbb90c088268e
- SHA256
  
  4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce
- SHA512
  
  11c62dec0223d7249fe8f5b2716582703fe9c052d80772358c8b0f3aa27607940f446fc7146731a9f7a8e14541ee3b99848db7679199ab96d948c0c0a079aa3d
- SSDEEP
  
  3072:9qKXlgNpgKCfzCLfDLG9dRdHkWqmXKipBAI/xRfvDMTo2tc:zKgVfGLfPG9dE4pBAoxuc
Score

10^/10

conti credential_access discovery ransomware stealer
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (7977) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Discovery

Browser Information Discovery

1

T1217

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Conti Ransomware

Credentials from Password Stores: Credentials from Web Browsers

Renames multiple (7977) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2