Overview

overview

10

Static

static

3

b6a686a943...f3.exe

windows7-x64

10

b6a686a943...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

  • Size

    515KB

  • MD5

    a707de664b91d154b941c950986cf6c5

  • SHA1

    003b38f8897911499c02903d8e62d847846e802d

  • SHA256

    b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3

  • SHA512

    c2a1a970ce5a9a40cdb81f4ce740285e678ce1584a2f592f3dcaf14a083ae212dfd7cf014ccbc716bd418613eb0f2a790a7eff16f810d8b6743c707ea8c98f31

  • SSDEEP

    3072:x90uSaZEBc2jrORnQssIJMsaX52NJKY8/d7epmB98g89QP2EKOJjWk29YKvaEAJ:xKnWEBc2jMQsdJMsNNJ+/dB9rP2UjRS

Score
10/10
contidiscoveryransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3E1hCSKyNKBvMOLagh7o4NWP6OEgobzNbxvAi5j7Fhn2e5XHbmjF95MOBU7NCbyG ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

    ransomwareconti
  • Drops file in Program Files directory 47 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
    "C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7AA3892-E0EC-457B-8FC5-DF358387B5BE}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7AA3892-E0EC-457B-8FC5-DF358387B5BE}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CDB775E-A5D6-452B-A56A-BA620E0F7BFD}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CDB775E-A5D6-452B-A56A-BA620E0F7BFD}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C1EF448-F6DA-47B6-A3EB-8C0870C4A941}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C1EF448-F6DA-47B6-A3EB-8C0870C4A941}'" delete
        3⤵
          PID:2248
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{494C03C6-B7B7-4DF1-8FA1-7D53E03DDA63}'" delete
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\System32\wbem\WMIC.exe
          C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{494C03C6-B7B7-4DF1-8FA1-7D53E03DDA63}'" delete
          3⤵
            PID:2648
        • C:\Windows\system32\cmd.exe
          cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F47BA72D-84E4-4D7E-BDAB-96318230ABB7}'" delete
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\System32\wbem\WMIC.exe
            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F47BA72D-84E4-4D7E-BDAB-96318230ABB7}'" delete
            3⤵
              PID:2336
          • C:\Windows\system32\cmd.exe
            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8235A2B2-EED6-4D84-9B47-CD02BB13E9C1}'" delete
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\System32\wbem\WMIC.exe
              C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8235A2B2-EED6-4D84-9B47-CD02BB13E9C1}'" delete
              3⤵
                PID:1688
            • C:\Windows\system32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{82E6CBF7-34AA-420A-ACFA-78E6B16AD8C2}'" delete
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3068
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{82E6CBF7-34AA-420A-ACFA-78E6B16AD8C2}'" delete
                3⤵
                  PID:2940
              • C:\Windows\system32\cmd.exe
                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3CBCFC55-5255-4E65-8C94-0A792EA482BB}'" delete
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2308
                • C:\Windows\System32\wbem\WMIC.exe
                  C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3CBCFC55-5255-4E65-8C94-0A792EA482BB}'" delete
                  3⤵
                    PID:3028
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45E828E2-3C55-49F9-825B-E01046E2A113}'" delete
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2152
                  • C:\Windows\System32\wbem\WMIC.exe
                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45E828E2-3C55-49F9-825B-E01046E2A113}'" delete
                    3⤵
                      PID:2864
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76239064-3F5F-4D70-92A4-670F55591560}'" delete
                    2⤵
                      PID:300
                      • C:\Windows\System32\wbem\WMIC.exe
                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76239064-3F5F-4D70-92A4-670F55591560}'" delete
                        3⤵
                          PID:1072
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B4EF978-E9B0-41CF-AAE2-776E38E9EDCE}'" delete
                        2⤵
                          PID:1636
                          • C:\Windows\System32\wbem\WMIC.exe
                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B4EF978-E9B0-41CF-AAE2-776E38E9EDCE}'" delete
                            3⤵
                              PID:1060
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C840305C-0D8E-4B8B-BC6D-4003520487F0}'" delete
                            2⤵
                              PID:1988
                              • C:\Windows\System32\wbem\WMIC.exe
                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C840305C-0D8E-4B8B-BC6D-4003520487F0}'" delete
                                3⤵
                                  PID:2484
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{048EB31A-BA93-40FE-9759-479CEEF5F9AF}'" delete
                                2⤵
                                  PID:2172
                                  • C:\Windows\System32\wbem\WMIC.exe
                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{048EB31A-BA93-40FE-9759-479CEEF5F9AF}'" delete
                                    3⤵
                                      PID:2364
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469E3BBE-F71A-45E0-BD8F-4D2DC75A9037}'" delete
                                    2⤵
                                      PID:2104
                                      • C:\Windows\System32\wbem\WMIC.exe
                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{469E3BBE-F71A-45E0-BD8F-4D2DC75A9037}'" delete
                                        3⤵
                                          PID:892
                                      • C:\Windows\system32\cmd.exe
                                        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5E3EA6-3B5A-47E4-BB20-CAD4E6A45BA5}'" delete
                                        2⤵
                                          PID:1532
                                          • C:\Windows\System32\wbem\WMIC.exe
                                            C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5E3EA6-3B5A-47E4-BB20-CAD4E6A45BA5}'" delete
                                            3⤵
                                              PID:1652
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FD06C77-DFAC-4B42-A173-D0BD649CD10A}'" delete
                                            2⤵
                                              PID:1764
                                              • C:\Windows\System32\wbem\WMIC.exe
                                                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6FD06C77-DFAC-4B42-A173-D0BD649CD10A}'" delete
                                                3⤵
                                                  PID:2148
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68983E3D-3AC8-4B20-8338-F372835B7DB4}'" delete
                                                2⤵
                                                  PID:1796
                                                  • C:\Windows\System32\wbem\WMIC.exe
                                                    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68983E3D-3AC8-4B20-8338-F372835B7DB4}'" delete
                                                    3⤵
                                                      PID:2340
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB19CD29-987A-4316-B729-A682ED3D39EE}'" delete
                                                    2⤵
                                                      PID:1328
                                                      • C:\Windows\System32\wbem\WMIC.exe
                                                        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB19CD29-987A-4316-B729-A682ED3D39EE}'" delete
                                                        3⤵
                                                          PID:2252
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1600
                                                        2⤵
                                                        • Program crash
                                                        PID:2556
                                                    • C:\Windows\system32\vssvc.exe
                                                      C:\Windows\system32\vssvc.exe
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2832

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Program Files (x86)\readme.txt
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      72b95470eda8cc6ec169f6d81ccd795e

                                                      SHA1

                                                      75d4cb61136fc4ac3d99156f2d45422cd8fb3fc9

                                                      SHA256

                                                      5ebc94ed337175acb3845cb372849fd434b34eef6a80caa31e34093017ec0932

                                                      SHA512

                                                      25266e4d99b392a5a6fa68ef35fb271aa3c85b40d01efde859e24ca4f978cecccbb1d9eeffce5c98983fc80629ef145a688170b34f34937222b2c8aa69d1c7d8

                                                      Download Submit