conti | b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3

General

Target

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
Size

515KB
MD5

a707de664b91d154b941c950986cf6c5
SHA1

003b38f8897911499c02903d8e62d847846e802d
SHA256

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3
SHA512

c2a1a970ce5a9a40cdb81f4ce740285e678ce1584a2f592f3dcaf14a083ae212dfd7cf014ccbc716bd418613eb0f2a790a7eff16f810d8b6743c707ea8c98f31
SSDEEP

3072:x90uSaZEBc2jrORnQssIJMsaX52NJKY8/d7epmB98g89QP2EKOJjWk29YKvaEAJ:xKnWEBc2jMQsdJMsNNJ+/dB9rP2UjRS

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3E1hCSKyNKBvMOLagh7o4NWP6OEgobzNbxvAi5j7Fhn2e5XHbmjF95MOBU7NCbyG ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti

Drops file in Program Files directory 41 IoCs

Processes:

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

description	ioc	process
File opened for modification	C:\Program Files\RevokeRemove.mov	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Microsoft Office\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\RegisterTrace.emz	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\dotnet\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Google\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Java\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Microsoft Office 15\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\ShowGroup.wmf	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\InstallFind.001	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Internet Explorer\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\BlockBackup.otf	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\TraceUnprotect.xlsm	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\UnlockInvoke.mhtml	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Crashpad\metadata	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Crashpad\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\PingDisable.inf	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\RepairAssert.fon	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\RevokeGroup.edrwx	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files (x86)\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Common Files\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1584 1688 WerFault.exe b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

pid	pid_target	process	target process
1584	1688	WerFault.exe	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

pid	process
1688	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
1688	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: 36	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: 36	320	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 4508	1688	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe	cmd.exe
PID 1688 wrote to memory of 4508	1688	b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe	cmd.exe
PID 4508 wrote to memory of 320	4508	cmd.exe	WMIC.exe
PID 4508 wrote to memory of 320	4508	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe
"C:\Users\Admin\AppData\Local\Temp\b6a686a94338554421eb317735a30245658a6111e41bb33e4c1ba8ebd80ceef3.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8CEAFC9C-1C47-449E-BAA6-0A2B1C9185D1}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1000
  2⤵
  - Program crash
  PID:1584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1688 -ip 1688
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
72b95470eda8cc6ec169f6d81ccd795e

SHA1
75d4cb61136fc4ac3d99156f2d45422cd8fb3fc9

SHA256
5ebc94ed337175acb3845cb372849fd434b34eef6a80caa31e34093017ec0932

SHA512
25266e4d99b392a5a6fa68ef35fb271aa3c85b40d01efde859e24ca4f978cecccbb1d9eeffce5c98983fc80629ef145a688170b34f34937222b2c8aa69d1c7d8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads