Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/Conti_22_12_2020_186KB.exe
-
Size
185KB
-
MD5
7076f9674bc42536d1e0e2ca80d1e4f6
-
SHA1
854485ee63e5a399fffe150f04cd038d6a5490ef
-
SHA256
ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124
-
SHA512
71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a
-
SSDEEP
3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Malware Config
Extracted
C:\Program Files\R3ADM3.txt
conti
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.info
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (8072) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt Conti_22_12_2020_186KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 46 IoCs
description ioc Process File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZO1X14N3\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Documents\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Libraries\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MN6S8FGK\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Links\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N7ZQRMOO\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Music\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C906A748\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Music\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Videos\desktop.ini Conti_22_12_2020_186KB.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Common Files\System\ado\ja-JP\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8 Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo Conti_22_12_2020_186KB.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif Conti_22_12_2020_186KB.exe File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt Conti_22_12_2020_186KB.exe File created C:\Program Files\VideoLAN\VLC\lua\extensions\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\lib\net.properties Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\COPYRIGHT Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Nassau Conti_22_12_2020_186KB.exe File created C:\Program Files\Mozilla Firefox\browser\VisualElements\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.JS Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt Conti_22_12_2020_186KB.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conti_22_12_2020_186KB.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe 536 Conti_22_12_2020_186KB.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 2752 vssvc.exe Token: SeRestorePrivilege 2752 vssvc.exe Token: SeAuditPrivilege 2752 vssvc.exe Token: SeIncreaseQuotaPrivilege 2824 WMIC.exe Token: SeSecurityPrivilege 2824 WMIC.exe Token: SeTakeOwnershipPrivilege 2824 WMIC.exe Token: SeLoadDriverPrivilege 2824 WMIC.exe Token: SeSystemProfilePrivilege 2824 WMIC.exe Token: SeSystemtimePrivilege 2824 WMIC.exe Token: SeProfSingleProcessPrivilege 2824 WMIC.exe Token: SeIncBasePriorityPrivilege 2824 WMIC.exe Token: SeCreatePagefilePrivilege 2824 WMIC.exe Token: SeBackupPrivilege 2824 WMIC.exe Token: SeRestorePrivilege 2824 WMIC.exe Token: SeShutdownPrivilege 2824 WMIC.exe Token: SeDebugPrivilege 2824 WMIC.exe Token: SeSystemEnvironmentPrivilege 2824 WMIC.exe Token: SeRemoteShutdownPrivilege 2824 WMIC.exe Token: SeUndockPrivilege 2824 WMIC.exe Token: SeManageVolumePrivilege 2824 WMIC.exe Token: 33 2824 WMIC.exe Token: 34 2824 WMIC.exe Token: 35 2824 WMIC.exe Token: SeIncreaseQuotaPrivilege 2824 WMIC.exe Token: SeSecurityPrivilege 2824 WMIC.exe Token: SeTakeOwnershipPrivilege 2824 WMIC.exe Token: SeLoadDriverPrivilege 2824 WMIC.exe Token: SeSystemProfilePrivilege 2824 WMIC.exe Token: SeSystemtimePrivilege 2824 WMIC.exe Token: SeProfSingleProcessPrivilege 2824 WMIC.exe Token: SeIncBasePriorityPrivilege 2824 WMIC.exe Token: SeCreatePagefilePrivilege 2824 WMIC.exe Token: SeBackupPrivilege 2824 WMIC.exe Token: SeRestorePrivilege 2824 WMIC.exe Token: SeShutdownPrivilege 2824 WMIC.exe Token: SeDebugPrivilege 2824 WMIC.exe Token: SeSystemEnvironmentPrivilege 2824 WMIC.exe Token: SeRemoteShutdownPrivilege 2824 WMIC.exe Token: SeUndockPrivilege 2824 WMIC.exe Token: SeManageVolumePrivilege 2824 WMIC.exe Token: 33 2824 WMIC.exe Token: 34 2824 WMIC.exe Token: 35 2824 WMIC.exe Token: SeIncreaseQuotaPrivilege 2708 WMIC.exe Token: SeSecurityPrivilege 2708 WMIC.exe Token: SeTakeOwnershipPrivilege 2708 WMIC.exe Token: SeLoadDriverPrivilege 2708 WMIC.exe Token: SeSystemProfilePrivilege 2708 WMIC.exe Token: SeSystemtimePrivilege 2708 WMIC.exe Token: SeProfSingleProcessPrivilege 2708 WMIC.exe Token: SeIncBasePriorityPrivilege 2708 WMIC.exe Token: SeCreatePagefilePrivilege 2708 WMIC.exe Token: SeBackupPrivilege 2708 WMIC.exe Token: SeRestorePrivilege 2708 WMIC.exe Token: SeShutdownPrivilege 2708 WMIC.exe Token: SeDebugPrivilege 2708 WMIC.exe Token: SeSystemEnvironmentPrivilege 2708 WMIC.exe Token: SeRemoteShutdownPrivilege 2708 WMIC.exe Token: SeUndockPrivilege 2708 WMIC.exe Token: SeManageVolumePrivilege 2708 WMIC.exe Token: 33 2708 WMIC.exe Token: 34 2708 WMIC.exe Token: 35 2708 WMIC.exe Token: SeIncreaseQuotaPrivilege 2708 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 536 wrote to memory of 2676 536 Conti_22_12_2020_186KB.exe 34 PID 536 wrote to memory of 2676 536 Conti_22_12_2020_186KB.exe 34 PID 536 wrote to memory of 2676 536 Conti_22_12_2020_186KB.exe 34 PID 536 wrote to memory of 2676 536 Conti_22_12_2020_186KB.exe 34 PID 2676 wrote to memory of 2824 2676 cmd.exe 36 PID 2676 wrote to memory of 2824 2676 cmd.exe 36 PID 2676 wrote to memory of 2824 2676 cmd.exe 36 PID 536 wrote to memory of 2844 536 Conti_22_12_2020_186KB.exe 37 PID 536 wrote to memory of 2844 536 Conti_22_12_2020_186KB.exe 37 PID 536 wrote to memory of 2844 536 Conti_22_12_2020_186KB.exe 37 PID 536 wrote to memory of 2844 536 Conti_22_12_2020_186KB.exe 37 PID 2844 wrote to memory of 2708 2844 cmd.exe 39 PID 2844 wrote to memory of 2708 2844 cmd.exe 39 PID 2844 wrote to memory of 2708 2844 cmd.exe 39 PID 536 wrote to memory of 2556 536 Conti_22_12_2020_186KB.exe 40 PID 536 wrote to memory of 2556 536 Conti_22_12_2020_186KB.exe 40 PID 536 wrote to memory of 2556 536 Conti_22_12_2020_186KB.exe 40 PID 536 wrote to memory of 2556 536 Conti_22_12_2020_186KB.exe 40 PID 2556 wrote to memory of 2608 2556 cmd.exe 42 PID 2556 wrote to memory of 2608 2556 cmd.exe 42 PID 2556 wrote to memory of 2608 2556 cmd.exe 42 PID 536 wrote to memory of 2592 536 Conti_22_12_2020_186KB.exe 43 PID 536 wrote to memory of 2592 536 Conti_22_12_2020_186KB.exe 43 PID 536 wrote to memory of 2592 536 Conti_22_12_2020_186KB.exe 43 PID 536 wrote to memory of 2592 536 Conti_22_12_2020_186KB.exe 43 PID 2592 wrote to memory of 2972 2592 cmd.exe 45 PID 2592 wrote to memory of 2972 2592 cmd.exe 45 PID 2592 wrote to memory of 2972 2592 cmd.exe 45 PID 536 wrote to memory of 1800 536 Conti_22_12_2020_186KB.exe 46 PID 536 wrote to memory of 1800 536 Conti_22_12_2020_186KB.exe 46 PID 536 wrote to memory of 1800 536 Conti_22_12_2020_186KB.exe 46 PID 536 wrote to memory of 1800 536 Conti_22_12_2020_186KB.exe 46 PID 1800 wrote to memory of 352 1800 cmd.exe 48 PID 1800 wrote to memory of 352 1800 cmd.exe 48 PID 1800 wrote to memory of 352 1800 cmd.exe 48 PID 536 wrote to memory of 592 536 Conti_22_12_2020_186KB.exe 49 PID 536 wrote to memory of 592 536 Conti_22_12_2020_186KB.exe 49 PID 536 wrote to memory of 592 536 Conti_22_12_2020_186KB.exe 49 PID 536 wrote to memory of 592 536 Conti_22_12_2020_186KB.exe 49 PID 592 wrote to memory of 2040 592 cmd.exe 51 PID 592 wrote to memory of 2040 592 cmd.exe 51 PID 592 wrote to memory of 2040 592 cmd.exe 51 PID 536 wrote to memory of 1916 536 Conti_22_12_2020_186KB.exe 52 PID 536 wrote to memory of 1916 536 Conti_22_12_2020_186KB.exe 52 PID 536 wrote to memory of 1916 536 Conti_22_12_2020_186KB.exe 52 PID 536 wrote to memory of 1916 536 Conti_22_12_2020_186KB.exe 52 PID 1916 wrote to memory of 1696 1916 cmd.exe 54 PID 1916 wrote to memory of 1696 1916 cmd.exe 54 PID 1916 wrote to memory of 1696 1916 cmd.exe 54 PID 536 wrote to memory of 580 536 Conti_22_12_2020_186KB.exe 55 PID 536 wrote to memory of 580 536 Conti_22_12_2020_186KB.exe 55 PID 536 wrote to memory of 580 536 Conti_22_12_2020_186KB.exe 55 PID 536 wrote to memory of 580 536 Conti_22_12_2020_186KB.exe 55 PID 580 wrote to memory of 1040 580 cmd.exe 57 PID 580 wrote to memory of 1040 580 cmd.exe 57 PID 580 wrote to memory of 1040 580 cmd.exe 57 PID 536 wrote to memory of 2020 536 Conti_22_12_2020_186KB.exe 58 PID 536 wrote to memory of 2020 536 Conti_22_12_2020_186KB.exe 58 PID 536 wrote to memory of 2020 536 Conti_22_12_2020_186KB.exe 58 PID 536 wrote to memory of 2020 536 Conti_22_12_2020_186KB.exe 58 PID 2020 wrote to memory of 1044 2020 cmd.exe 60 PID 2020 wrote to memory of 1044 2020 cmd.exe 60 PID 2020 wrote to memory of 1044 2020 cmd.exe 60 PID 536 wrote to memory of 1296 536 Conti_22_12_2020_186KB.exe 61 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D38716-7030-4BFD-B927-115ECEA7C372}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D38716-7030-4BFD-B927-115ECEA7C372}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B5750AE-3D19-4A1D-917C-FD657FD87F33}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B5750AE-3D19-4A1D-917C-FD657FD87F33}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63CC0077-C804-4837-84F2-5617DF29F4F7}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63CC0077-C804-4837-84F2-5617DF29F4F7}'" delete3⤵PID:2608
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0EE84E8E-9CE9-4DE2-A7DD-EBBC3C42E703}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0EE84E8E-9CE9-4DE2-A7DD-EBBC3C42E703}'" delete3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD71E7E4-9980-4112-82CF-3554C09685EB}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD71E7E4-9980-4112-82CF-3554C09685EB}'" delete3⤵PID:352
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7459311B-7CF8-41C9-9F6B-56B19AD27291}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7459311B-7CF8-41C9-9F6B-56B19AD27291}'" delete3⤵PID:2040
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8428BEA3-796B-41E7-8FDE-FF3F7A14B79E}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8428BEA3-796B-41E7-8FDE-FF3F7A14B79E}'" delete3⤵PID:1696
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{210E0F43-9FB8-40B5-9090-EC0EAC92CC6A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{210E0F43-9FB8-40B5-9090-EC0EAC92CC6A}'" delete3⤵PID:1040
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1E34A01-7A72-421C-9E4D-5DA5706A8784}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1E34A01-7A72-421C-9E4D-5DA5706A8784}'" delete3⤵PID:1044
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{411231A5-4F54-4EE8-9679-AE46EFF66DCA}'" delete2⤵PID:1296
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{411231A5-4F54-4EE8-9679-AE46EFF66DCA}'" delete3⤵PID:1760
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{427F6911-4199-4894-9064-F24F0B79AB41}'" delete2⤵PID:2868
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{427F6911-4199-4894-9064-F24F0B79AB41}'" delete3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44535E90-C0F6-469D-B4BA-C34D5B335C90}'" delete2⤵PID:1284
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44535E90-C0F6-469D-B4BA-C34D5B335C90}'" delete3⤵PID:1856
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C225D06-D687-440D-8F1B-4D756E128942}'" delete2⤵PID:2528
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C225D06-D687-440D-8F1B-4D756E128942}'" delete3⤵PID:1804
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29E708E-242E-4A8C-9368-655124940DC4}'" delete2⤵PID:2532
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29E708E-242E-4A8C-9368-655124940DC4}'" delete3⤵PID:1432
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{082411FE-9F57-42CA-A9FB-BB28AB90A0A4}'" delete2⤵PID:1372
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{082411FE-9F57-42CA-A9FB-BB28AB90A0A4}'" delete3⤵PID:1652
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{668B7956-B389-4B75-A59B-9171186F15AB}'" delete2⤵PID:784
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{668B7956-B389-4B75-A59B-9171186F15AB}'" delete3⤵PID:268
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A78157EC-FD2A-4CD1-B0BD-E828E80FEF0D}'" delete2⤵PID:1588
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A78157EC-FD2A-4CD1-B0BD-E828E80FEF0D}'" delete3⤵PID:1556
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D1AD3DF-B27F-4B97-B1B1-35F98CCEA001}'" delete2⤵PID:2928
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D1AD3DF-B27F-4B97-B1B1-35F98CCEA001}'" delete3⤵PID:2000
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
846B
MD5e6f001fc98cb51a0429ca5dc95f6a950
SHA116a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA51211e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c