Analysis
-
max time kernel
119s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 15:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe
-
Size
490KB
-
MD5
5c543db6d893af1e320bec4787490e70
-
SHA1
17b911525e0dc7c7c188dcfa8c376ad729b27a59
-
SHA256
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da
-
SHA512
ff81bac8728b6bc6a4b5787bbbc2cb16f39a2f092e4fa9b09bae01671a5eb6c4dd2f0bb5dfc59f7b893181cedd1b816bf866f4f823e05ee3073f6f1eb1d6cffc
-
SSDEEP
3072:D1ywyQ5Q6Bro3zJHfzypOH+xzVXpVHkK4jzeTCxaBgeU:MwyI5o3zJWPzTBOzeOahU
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g
---END ID---
URLs
http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/CRYw7aW6XKQVmbX2DmsLsHyLJJifiT4XLWmSv3Eo5V4pwDkcy6JhL2Y6T2pWXY5g
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exedescription ioc Process File opened for modification C:\Program Files\desktop.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files (x86)\desktop.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe -
Drops file in Program Files directory 47 IoCs
Processes:
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exedescription ioc Process File opened for modification C:\Program Files\ConvertJoin.odt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\LimitUse.ico ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\7z.sfx ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\MeasureExport.docx ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files (x86)\desktop.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Microsoft Office\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Mozilla Firefox\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\RestoreBlock.jpg ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Common Files\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Crashpad\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Microsoft Office 15\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\CloseUnlock.wps ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\History.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Crashpad\metadata ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\StepRestart.ppsx ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\dotnet\ThirdPartyNotices.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\defaultagent.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\StopSync.jpe ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\UnregisterUnblock.lock ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files (x86)\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Crashpad\settings.dat ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Java\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Microsoft Office\ThinAppXManifest.xml ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\locale.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\RemoveRead.asx ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\License.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\dotnet\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Google\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\Internet Explorer\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File created C:\Program Files\readme.txt ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\desktop.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\SyncUnprotect.vstm ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\7-Zip\descript.ion ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe File opened for modification C:\Program Files\Mozilla Firefox\omni.ja ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3572 3012 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exepid Process 3012 ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe 3012 ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
vssvc.exeWMIC.exedescription pid Process Token: SeBackupPrivilege 1948 vssvc.exe Token: SeRestorePrivilege 1948 vssvc.exe Token: SeAuditPrivilege 1948 vssvc.exe Token: SeIncreaseQuotaPrivilege 3488 WMIC.exe Token: SeSecurityPrivilege 3488 WMIC.exe Token: SeTakeOwnershipPrivilege 3488 WMIC.exe Token: SeLoadDriverPrivilege 3488 WMIC.exe Token: SeSystemProfilePrivilege 3488 WMIC.exe Token: SeSystemtimePrivilege 3488 WMIC.exe Token: SeProfSingleProcessPrivilege 3488 WMIC.exe Token: SeIncBasePriorityPrivilege 3488 WMIC.exe Token: SeCreatePagefilePrivilege 3488 WMIC.exe Token: SeBackupPrivilege 3488 WMIC.exe Token: SeRestorePrivilege 3488 WMIC.exe Token: SeShutdownPrivilege 3488 WMIC.exe Token: SeDebugPrivilege 3488 WMIC.exe Token: SeSystemEnvironmentPrivilege 3488 WMIC.exe Token: SeRemoteShutdownPrivilege 3488 WMIC.exe Token: SeUndockPrivilege 3488 WMIC.exe Token: SeManageVolumePrivilege 3488 WMIC.exe Token: 33 3488 WMIC.exe Token: 34 3488 WMIC.exe Token: 35 3488 WMIC.exe Token: 36 3488 WMIC.exe Token: SeIncreaseQuotaPrivilege 3488 WMIC.exe Token: SeSecurityPrivilege 3488 WMIC.exe Token: SeTakeOwnershipPrivilege 3488 WMIC.exe Token: SeLoadDriverPrivilege 3488 WMIC.exe Token: SeSystemProfilePrivilege 3488 WMIC.exe Token: SeSystemtimePrivilege 3488 WMIC.exe Token: SeProfSingleProcessPrivilege 3488 WMIC.exe Token: SeIncBasePriorityPrivilege 3488 WMIC.exe Token: SeCreatePagefilePrivilege 3488 WMIC.exe Token: SeBackupPrivilege 3488 WMIC.exe Token: SeRestorePrivilege 3488 WMIC.exe Token: SeShutdownPrivilege 3488 WMIC.exe Token: SeDebugPrivilege 3488 WMIC.exe Token: SeSystemEnvironmentPrivilege 3488 WMIC.exe Token: SeRemoteShutdownPrivilege 3488 WMIC.exe Token: SeUndockPrivilege 3488 WMIC.exe Token: SeManageVolumePrivilege 3488 WMIC.exe Token: 33 3488 WMIC.exe Token: 34 3488 WMIC.exe Token: 35 3488 WMIC.exe Token: 36 3488 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.execmd.exedescription pid Process procid_target PID 3012 wrote to memory of 2600 3012 ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe 87 PID 3012 wrote to memory of 2600 3012 ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe 87 PID 2600 wrote to memory of 3488 2600 cmd.exe 90 PID 2600 wrote to memory of 3488 2600 cmd.exe 90 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe"C:\Users\Admin\AppData\Local\Temp\ba1f830702f0444eefb6cebfa052af5e6c2c6cfb6c2052cbbbe62ea0be05b9da.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{760999F1-55EB-47DC-A1E2-9E60D81C5DB3}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{760999F1-55EB-47DC-A1E2-9E60D81C5DB3}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 20362⤵
- Program crash
PID:3572
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3012 -ip 30121⤵PID:4852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cd5bd2556f45ff81cdd6bb80c603254f
SHA16619f302809bb04d9b587bd6868a50485b6eb98b
SHA2565587545c8e5bf66f3c4b45bfd127a1f5487d93038233d86ffab2a4542cce66d7
SHA51214a972981d08cacef6aab37c766272f3ca24a3628046f7a18bc685264a7ec55d875f3b5494ebd49a2f50b8c14d1d230cc60003fac5e35fd13b5a6eb60a8ec050