conti | 5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll
Size

510KB
MD5

d41cb45b5e29315b17cfca0e1a2dd822
SHA1

388dcf64aecd72748d479d9cf6adb0d0f390f873
SHA256

5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8
SHA512

e9926f7b1ec9339f4c13c882bb981b74dee4a6a7f770a209025605cfffa68c4f6671cea6b5f308b3e2107504fbea524a0472ac89750a053b737aeac0667bec1a
SSDEEP

3072:ABj3/cAzJkv06HGYedCKODYwAM/cNfK89j8Qa34oYrxxtLEokHnU:A1cuVqq9bicDNxrxbd

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- XjezdRHFUimUr0tH8ArgmB2GSC70BzFRJYEeECCr4z5a0x6WoIRHtqlcNzOjkZOq ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\OutCompress.odp	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\DisconnectResume.jpg	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	regsvr32.exe
File created	C:\Program Files (x86)\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	regsvr32.exe
File created	C:\Program Files\DVD Maker\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\offset.ax	regsvr32.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	regsvr32.exe
File opened for modification	C:\Program Files\CompareRepair.js	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	regsvr32.exe
File created	C:\Program Files\Internet Explorer\readme.txt	regsvr32.exe
File created	C:\Program Files\Microsoft Office\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	regsvr32.exe
File opened for modification	C:\Program Files\ReceiveNew.3gp	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	regsvr32.exe
File created	C:\Program Files\Microsoft Games\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\ConnectProtect.xlsm	regsvr32.exe
File opened for modification	C:\Program Files\ConvertToRequest.vsdm	regsvr32.exe
File opened for modification	C:\Program Files\RedoUninstall.3gpp	regsvr32.exe
File opened for modification	C:\Program Files\SetExport.au3	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	regsvr32.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	regsvr32.exe
File created	C:\Program Files\Java\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	regsvr32.exe
File opened for modification	C:\Program Files\MeasureDebug.xlsx	regsvr32.exe
File opened for modification	C:\Program Files\RestoreCopy.svg	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	regsvr32.exe
File created	C:\Program Files\Google\readme.txt	regsvr32.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	regsvr32.exe
File opened for modification	C:\Program Files\GrantPush.xsl	regsvr32.exe
File opened for modification	C:\Program Files\PopAdd.avi	regsvr32.exe
File created	C:\Program Files\Common Files\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\locale.ini	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\PublishUse.pcx	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	regsvr32.exe
File opened for modification	C:\Program Files\GetUnlock.jfif	regsvr32.exe
File opened for modification	C:\Program Files\ProtectUnprotect.m3u	regsvr32.exe
File opened for modification	C:\Program Files\SearchPush.mp4	regsvr32.exe
File opened for modification	C:\Program Files\DVD Maker\bod_r.TTF	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	2516	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 1728 wrote to memory of 2516	1728	regsvr32.exe	30
PID 2516 wrote to memory of 2944	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2944	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2944	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2944	2516	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1792
    3⤵
    - Program crash
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
cc018ffba18aff631ff9554af7c09546

SHA1
6e779cbf40a8cef2045ea1bf67c9b6730b94c66e

SHA256
b1921403f7abde8d1d4485ce03ed3807a81517aec915e64ef3e5640cfece219c

SHA512
87f9309d34058ec0ac9c357d1b336b094556996fcebc9729820fe2c41f0413fde1995aab91f479c8228aa2bd0cb8ea5988ff3c61e74be3a7786f3a89511f82d8

Download Submit