Analysis
max time kernel: 95s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
  Resource: win10v2004-20240802-en
The behavioral results on this page are from the win10v2004-20240802-en run (behavioral2); the win7 task is listed but its results are not included here.
General
Target: b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
Size: 515KB
MD5: a707de664b91d154b941c950986cf6c5
SHA1: 003b38f8897911499c02903d8e62d847846e802d
SHA256: b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3
SHA512: c2a1a970ce5a9a40cdb81f4ce740285e678ce1584a2f592f3dcaf14a083ae212dfd7cf014ccbc716bd418613eb0f2a790a7eff16f810d8b6743c707ea8c98f31
SSDEEP: 3072:x90uSaZEBc2jrORnQssIJMsaX52NJKY8/d7epmB98g89QP2EKOJjWk29YKvaEAJ:xKnWEBc2jMQsdJMsNNJ+/dB9rP2UjRS
Malware Config
Extracted from: C:\ProgramData\readme.txt
Family: conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
Drops file in Program Files directory (41 IoCs)
Process for every row: b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
description | ioc
File opened for modification | C:\Program Files\RevokeRemove.mov
File opened for modification | C:\Program Files\7-Zip\License.txt
File created | C:\Program Files\Microsoft Office\readme.txt
File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml
File opened for modification | C:\Program Files\RegisterTrace.emz
File opened for modification | C:\Program Files\7-Zip\readme.txt
File created | C:\Program Files\dotnet\readme.txt
File created | C:\Program Files\Google\readme.txt
File opened for modification | C:\Program Files\Mozilla Firefox\omni.ja
File opened for modification | C:\Program Files\7-Zip\7z.sfx
File opened for modification | C:\Program Files\Crashpad\settings.dat
File created | C:\Program Files\Java\readme.txt
File created | C:\Program Files\Microsoft Office 15\readme.txt
File opened for modification | C:\Program Files\ShowGroup.wmf
File opened for modification | C:\Program Files\Microsoft Office\FileSystemMetadata.xml
File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json
File opened for modification | C:\Program Files\InstallFind.001
File opened for modification | C:\Program Files\7-Zip\7-zip.chm
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx
File opened for modification | C:\Program Files\7-Zip\History.txt
File created | C:\Program Files\Internet Explorer\readme.txt
File opened for modification | C:\Program Files\BlockBackup.otf
File opened for modification | C:\Program Files\TraceUnprotect.xlsm
File opened for modification | C:\Program Files\UnlockInvoke.mhtml
File opened for modification | C:\Program Files\Crashpad\metadata
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg
File created | C:\Program Files\Crashpad\readme.txt
File opened for modification | C:\Program Files\dotnet\ThirdPartyNotices.txt
File created | C:\Program Files\readme.txt
File opened for modification | C:\Program Files\PingDisable.inf
File opened for modification | C:\Program Files\RepairAssert.fon
File opened for modification | C:\Program Files\RevokeGroup.edrwx
File created | C:\Program Files (x86)\readme.txt
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list
File opened for modification | C:\Program Files\Mozilla Firefox\install.log
File opened for modification | C:\Program Files\7-Zip\descript.ion
File created | C:\Program Files\Common Files\readme.txt
File opened for modification | C:\Program Files\dotnet\LICENSE.txt
File opened for modification | C:\Program Files\Microsoft Office\ThinAppXManifest.xml
File created | C:\Program Files\Mozilla Firefox\readme.txt
Pattern worth noting: a readme.txt (the ransom note from which the Malware Config above was extracted) is created in C:\Program Files, C:\Program Files (x86) and each application subdirectory, while existing files of many types are opened for modification, consistent with in-place encryption. C:\Program Files\7-Zip\readme.txt is listed as opened for modification rather than created because 7-Zip ships a file of that name, so the note's filename collides with an existing file there.
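The two behaviours in the table (one filename fanned out into many directories, next to in-place modification of existing files with many extensions) are the shape a file-telemetry detector looks for. The following is an added example, not part of the sandbox report: a Python heuristic over a constructed subset of the rows above, attributed to one process. The field names and thresholds (`note_min_dirs`, `ext_min`) are assumptions for illustration, not a specific EDR schema.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: a subset of the (description, path) rows from the
# "Drops file in Program Files directory" table of this report, all attributed
# to the same process. A real detector would read these from EDR file telemetry.
EVENTS = [
    ("File opened for modification", r"C:\Program Files\RevokeRemove.mov"),
    ("File opened for modification", r"C:\Program Files\7-Zip\License.txt"),
    ("File created",                 r"C:\Program Files\Microsoft Office\readme.txt"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\AppXManifest.xml"),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\omni.ja"),
    ("File opened for modification", r"C:\Program Files\7-Zip\readme.txt"),
    ("File created",                 r"C:\Program Files\dotnet\readme.txt"),
    ("File created",                 r"C:\Program Files\Google\readme.txt"),
    ("File opened for modification", r"C:\Program Files\Crashpad\settings.dat"),
    ("File created",                 r"C:\Program Files\Crashpad\readme.txt"),
    ("File opened for modification", r"C:\Program Files\TraceUnprotect.xlsm"),
    ("File created",                 r"C:\Program Files\readme.txt"),
    ("File created",                 r"C:\Program Files (x86)\readme.txt"),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\install.log"),
    ("File created",                 r"C:\Program Files\Mozilla Firefox\readme.txt"),
]


def summarize(events):
    """Group one process's file events: created filename -> set of directories,
    plus the directories and extensions of files opened for modification."""
    created = defaultdict(set)
    modified_dirs, modified_exts = set(), set()
    for desc, path in events:
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        if desc == "File created":
            created[p.name.lower()].add(parent)
        elif desc == "File opened for modification":
            modified_dirs.add(parent)
            modified_exts.add(p.suffix.lower())
    return created, modified_dirs, modified_exts


def ransomware_indicators(events, note_min_dirs=3, ext_min=5):
    """Heuristics describing the pattern in the table: one filename fanned out
    into many directories (a ransom note) beside in-place modification of
    existing files with many different extensions. Returns only the
    indicators that fired, so an empty dict means nothing suspicious."""
    created, modified_dirs, modified_exts = summarize(events)
    findings = {}
    notes = {name: dirs for name, dirs in created.items() if len(dirs) >= note_min_dirs}
    if notes:
        findings["note_fanout"] = {name: len(dirs) for name, dirs in notes.items()}
        # Directories that received the note and also had existing files modified.
        note_dirs = set().union(*notes.values())
        beside = sorted(note_dirs & modified_dirs)
        if beside:
            findings["note_next_to_modified"] = beside
    if len(modified_exts) >= ext_min:
        findings["many_extensions"] = sorted(modified_exts)
    return findings


if __name__ == "__main__":
    for key, value in ransomware_indicators(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed subset the note readme.txt lands in 7 directories, 4 of which also had existing files modified, and 7 distinct extensions were touched; a single created file in one directory fires nothing. The thresholds are deliberately low for the small sample and would be tuned per environment.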
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1584 | 1688 | WerFault.exe | 83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
This is a registry read seen through the sandbox's API monitoring; Sysmon registry events (12/13/14) cover key creation, value writes and renames, not reads, so this IoC is not directly reproducible from that telemetry.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1688 | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
1688 | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2244 | vssvc.exe
Token: SeRestorePrivilege | 2244 | vssvc.exe
Token: SeAuditPrivilege | 2244 | vssvc.exe
The remaining 42 IoCs are the following 21 tokens, each enabled twice by pid 320 (WMIC.exe); values 33 to 36 are privileges the report names by number only:
Token: SeIncreaseQuotaPrivilege | 320 | WMIC.exe
Token: SeSecurityPrivilege | 320 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 320 | WMIC.exe
Token: SeLoadDriverPrivilege | 320 | WMIC.exe
Token: SeSystemProfilePrivilege | 320 | WMIC.exe
Token: SeSystemtimePrivilege | 320 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 320 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 320 | WMIC.exe
Token: SeCreatePagefilePrivilege | 320 | WMIC.exe
Token: SeBackupPrivilege | 320 | WMIC.exe
Token: SeRestorePrivilege | 320 | WMIC.exe
Token: SeShutdownPrivilege | 320 | WMIC.exe
Token: SeDebugPrivilege | 320 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 320 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 320 | WMIC.exe
Token: SeUndockPrivilege | 320 | WMIC.exe
Token: SeManageVolumePrivilege | 320 | WMIC.exe
Token: 33 | 320 | WMIC.exe
Token: 34 | 320 | WMIC.exe
Token: 35 | 320 | WMIC.exe
Token: 36 | 320 | WMIC.exe
Enabling the privileges present in its token is WMIC.exe's own start-up behaviour, so these rows reflect the tool the sample launched rather than a privilege manipulation by the sample itself; the vssvc.exe rows are the VSS service enabling backup/restore privileges to serve the shadow copy request.
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1688 wrote to memory of 4508 | 1688 | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe | 89
PID 1688 wrote to memory of 4508 | 1688 | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe | 89
PID 4508 wrote to memory of 320 | 4508 | cmd.exe | 91
PID 4508 wrote to memory of 320 | 4508 | cmd.exe | 91
These writes are parent-into-child (sample into cmd.exe, cmd.exe into WMIC.exe) and line up with the process creations in the Processes section, i.e. ordinary child-process start-up rather than injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity is followed by the sample spawning cmd.exe /c WMIC.exe shadowcopy where "ID='{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}'" delete (see Processes), consistent with enumerating the existing shadow copies and deleting each by ID rather than issuing a blanket vssadmin delete shadows /all.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe"
   PID: 1688
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}'" delete
      PID: 4508
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wbem\WMIC.exe
         Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}'" delete
         PID: 320
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1000
      PID: 1584
      - Program crash
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 2244
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1688 -ip 1688
   PID: 1576
Reading the tree: the only shadow copy deletion observed is for one ID, issued through cmd.exe and WMIC.exe; vssvc.exe is the VSS service and shows as a separate root because the Service Control Manager starts it, not the sample. Both WerFault.exe instances target PID 1688, so the sample itself crashed during the run, and the SysWOW64 WerFault indicates it is a 32-bit process (matching the arch:x86 resource tag).
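The shadow copy deletion above is the part of this chain that ordinary process-creation telemetry (Sysmon Event ID 1, EDR process starts) can catch, and the parent chain is what separates it from an administrator running the same command. The following is an added example, not part of the sandbox report: a Python detector over constructed process records modelled on the tree above (pid, parent pid, image, command line). The record field names, the three command-line patterns and the `USER_WRITABLE` path list are assumptions for illustration.

```python
import re

# Constructed process-creation records modelled on the Processes tree of this
# report; the field names are assumed, not a specific EDR schema.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe")
WMIC_CMD = (r'C:\Windows\System32\wbem\WMIC.exe shadowcopy where '
            '"ID=\'{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}\'" delete')
PROCS = [
    {"pid": 1688, "ppid": 0,    "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"pid": 4508, "ppid": 1688, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmd": "cmd.exe /c " + WMIC_CMD},
    {"pid": 320,  "ppid": 4508, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": WMIC_CMD},
    {"pid": 1584, "ppid": 1688, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1000"},
    {"pid": 2244, "ppid": 0,    "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
]

# Command-line shapes that delete shadow copies; the first is the one in this report.
SHADOW_DELETE = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("Win32_ShadowCopy Delete()",
     re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
]
SHADOW_ID = re.compile(r"ID='\{([0-9A-F-]{36})\}'", re.I)
# Launch directories a legitimate administrative tool would not normally be run from.
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\programdata")


def ancestry(procs, pid):
    """Image paths from the root ancestor down to pid (root first)."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect_shadow_deletion(procs):
    """Flag every process whose command line deletes shadow copies and attach
    its parent chain, the targeted shadow copy ID (if one is given) and whether
    the chain's root was started from a user-writable location."""
    findings = []
    for p in procs:
        for technique, rx in SHADOW_DELETE:
            if not rx.search(p["cmd"]):
                continue
            chain = ancestry(procs, p["pid"])
            m = SHADOW_ID.search(p["cmd"])
            findings.append({
                "pid": p["pid"],
                "technique": technique,
                "shadow_id": m.group(1).upper() if m else None,
                "chain": chain,
                "root_in_user_writable": any(s in chain[0].lower() for s in USER_WRITABLE),
            })
            break
    return findings


if __name__ == "__main__":
    for f in detect_shadow_deletion(PROCS):
        print(f"pid {f['pid']}: {f['technique']} id={f['shadow_id']} "
              f"chain={' -> '.join(f['chain'])} user_writable_root={f['root_in_user_writable']}")
```

Both cmd.exe (4508) and WMIC.exe (320) match, because the wrapper's command line carries the same text; the WMIC.exe finding has the full three-process chain rooted in the sample under AppData\Local\Temp. A `vssadmin list shadows` record does not fire, while `vssadmin.exe Delete Shadows /All /Quiet` does, with no shadow ID and, when run from System32, no user-writable root. Since the WMIC form deletes one ID per invocation, a live infection with several shadow copies shows up as several such children of the same parent.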
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 72b95470eda8cc6ec169f6d81ccd795e
SHA1: 75d4cb61136fc4ac3d99156f2d45422cd8fb3fc9
SHA256: 5ebc94ed337175acb3845cb372849fd434b34eef6a80caa31e34093017ec0932
SHA512: 25266e4d99b392a5a6fa68ef35fb271aa3c85b40d01efde859e24ca4f978cecccbb1d9eeffce5c98983fc80629ef145a688170b34f34937222b2c8aa69d1c7d8