conti | 3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
Size

510KB
MD5

8b61e82104aa373f668adcd01f4c060a
SHA1

9d1d4969b82eb562c5b3fa25551d83d5ab2fc1f9
SHA256

3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554
SHA512

46f0965fcf0ec30f85b3226cd61225df93fe12a72a55aede85183418e3b8dd3461726828a2c3df6bb8049ce318f9ad6793f9f7c1f4ab2de2e2b96186e15fa8fc
SSDEEP

3072:Scb5hx6cAzJkv06HGiqeS3kDYwAM/cNfK89j8Qa34o7dVxtLEokHnU:SGF6cuVql/Y5icDNYVbd

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.ws YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- wSpHH7e2NMHQ5dF3CSF5k29fvPRrxASNCdHphh0cOIGmOYvJHhhhcCmIpcX9XbW9 ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.ws

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	regsvr32.exe
File opened for modification	C:\Program Files\RegisterTrace.emz	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	regsvr32.exe
File opened for modification	C:\Program Files\ShowGroup.wmf	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	regsvr32.exe
File created	C:\Program Files\Google\readme.txt	regsvr32.exe
File created	C:\Program Files\Internet Explorer\readme.txt	regsvr32.exe
File created	C:\Program Files\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\RepairAssert.fon	regsvr32.exe
File created	C:\Program Files\Microsoft Office 15\readme.txt	regsvr32.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	regsvr32.exe
File opened for modification	C:\Program Files\InstallFind.001	regsvr32.exe
File created	C:\Program Files\dotnet\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\locale.ini	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	regsvr32.exe
File opened for modification	C:\Program Files\BlockBackup.otf	regsvr32.exe
File opened for modification	C:\Program Files\TraceUnprotect.xlsm	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	regsvr32.exe
File created	C:\Program Files\Common Files\readme.txt	regsvr32.exe
File created	C:\Program Files\Crashpad\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	regsvr32.exe
File opened for modification	C:\Program Files\PingDisable.inf	regsvr32.exe
File opened for modification	C:\Program Files\UnlockInvoke.mhtml	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	regsvr32.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	regsvr32.exe
File created	C:\Program Files\Java\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	regsvr32.exe
File opened for modification	C:\Program Files\Crashpad\metadata	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	regsvr32.exe
File opened for modification	C:\Program Files\RevokeGroup.edrwx	regsvr32.exe
File opened for modification	C:\Program Files\RevokeRemove.mov	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	regsvr32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	regsvr32.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	regsvr32.exe
File created	C:\Program Files\Microsoft Office\readme.txt	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
928	1496	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	regsvr32.exe
1496	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1496	2816	regsvr32.exe	84
PID 2816 wrote to memory of 1496	2816	regsvr32.exe	84
PID 2816 wrote to memory of 1496	2816	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3d08732963ffdae8596f89cdfd34a2ec24865278c0763221c003254eeaf67554.dll
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 2136
    3⤵
    - Program crash
    PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1496 -ip 1496
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
df7b95b1555951e1c1095ec1a913f78a

SHA1
076812ba99a65a76f6510824f9317c85b7a65bdb

SHA256
15ac17280f7e4b43eb21c090792465494eede0937897c271eb1cc14733dc371e

SHA512
b85bee418326445ed0efd217cb92432138ad63b46ff41d98a85d2af648698448f1680a320669ec4d1a735c8a40d5747983652d02fafc5c9737747e659f4f8e30

Download Submit