Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2024 15:32
Static task: static1

Behavioral task: behavioral1
- Sample: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
- Resource: win10v2004-20240802-en
General
- Target: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
- Size: 510KB
- MD5: 8b61e82104aa373f668adcd01f4c060a
- SHA1: 9d1d4969b82eb562c5b3fa25551d83d5ab2fc1f9
- SHA256: 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554
- SHA512: 46f0965fcf0ec30f85b3226cd61225df93fe12a72a55aede85183418e3b8dd3461726828a2c3df6bb8049ce318f9ad6793f9f7c1f4ab2de2e2b96186e15fa8fc
- SSDEEP: 3072:Scb5hx6cAzJkv06HGiqeS3kDYwAM/cNfK89j8Qa34o7dVxtLEokHnU:SGF6cuVql/Y5icDNYVbd
Malware Config
Extracted from: C:\Program Files (x86)\readme.txt
- Family: conti
- URLs:
  - http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
  - https://contirecovery.ws
Signatures
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
- Renames multiple (64) files with added filename extension
  This suggests ransomware activity, i.e. encrypting all the files on the system.
- Drops desktop.ini file(s) (2 IoCs)

  | description                  | ioc                                | Process      |
  |------------------------------|------------------------------------|--------------|
  | File opened for modification | C:\Program Files\desktop.ini       | regsvr32.exe |
  | File opened for modification | C:\Program Files (x86)\desktop.ini | regsvr32.exe |
- Drops file in Program Files directory (64 IoCs)
- Program crash (1 IoC)

  | pid  | pid_target | Process      | procid_target |
  |------|------------|--------------|---------------|
  | 1736 | 2384       | WerFault.exe | 28            |
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc                                                         | Process      |
  |-------------|-------------------------------------------------------------|--------------|
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe |
- Suspicious behavior: EnumeratesProcesses (1 IoC)

  | pid  | Process      |
  |------|--------------|
  | 2384 | regsvr32.exe |
- Suspicious use of WriteProcessMemory (11 IoCs)

  | description                      | pid  | Process      | procid_target |
  |----------------------------------|------|--------------|---------------|
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2872 wrote to memory of 2384 | 2872 | regsvr32.exe | 28            |
  | PID 2384 wrote to memory of 1736 | 2384 | regsvr32.exe | 29            |
  | PID 2384 wrote to memory of 1736 | 2384 | regsvr32.exe | 29            |
  | PID 2384 wrote to memory of 1736 | 2384 | regsvr32.exe | 29            |
  | PID 2384 wrote to memory of 1736 | 2384 | regsvr32.exe | 29            |
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
   - Suspicious use of WriteProcessMemory
   PID: 2872
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2384
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1796
         - Program crash
         PID: 1736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  - MD5: df7b95b1555951e1c1095ec1a913f78a
  - SHA1: 076812ba99a65a76f6510824f9317c85b7a65bdb
  - SHA256: 15ac17280f7e4b43eb21c090792465494eede0937897c271eb1cc14733dc371e
  - SHA512: b85bee418326445ed0efd217cb92432138ad63b46ff41d98a85d2af648698448f1680a320669ec4d1a735c8a40d5747983652d02fafc5c9737747e659f4f8e30