Overview

overview

10

Static

static

3

5958a33a2d...a8.dll

windows7-x64

10

5958a33a2d...a8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll

  • Size

    510KB

  • MD5

    d41cb45b5e29315b17cfca0e1a2dd822

  • SHA1

    388dcf64aecd72748d479d9cf6adb0d0f390f873

  • SHA256

    5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8

  • SHA512

    e9926f7b1ec9339f4c13c882bb981b74dee4a6a7f770a209025605cfffa68c4f6671cea6b5f308b3e2107504fbea524a0472ac89750a053b737aeac0667bec1a

  • SSDEEP

    3072:ABj3/cAzJkv06HGYedCKODYwAM/cNfK89j8Qa34oYrxxtLEokHnU:A1cuVqq9bicDNxrxbd

Score
10/10
contidiscoveryransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- XjezdRHFUimUr0tH8ArgmB2GSC70BzFRJYEeECCr4z5a0x6WoIRHtqlcNzOjkZOq ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Renames multiple (71) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\5958a33a2d901e4f1eb813d94b357f0d03a245826e9035568bb6459f69fbfaa8.dll
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 2144
        3⤵
        • Program crash
        PID:1684
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
    1⤵
      PID:4092
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
      1⤵
        PID:2244

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\readme.txt
        Filesize

        1KB

        MD5

        cc018ffba18aff631ff9554af7c09546

        SHA1

        6e779cbf40a8cef2045ea1bf67c9b6730b94c66e

        SHA256

        b1921403f7abde8d1d4485ce03ed3807a81517aec915e64ef3e5640cfece219c

        SHA512

        87f9309d34058ec0ac9c357d1b336b094556996fcebc9729820fe2c41f0413fde1995aab91f479c8228aa2bd0cb8ea5988ff3c61e74be3a7786f3a89511f82d8

        Download Submit