Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-09-2024 17:01
General
-
Target
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
-
Size
514KB
-
MD5
3d8f8da9897e81121c83d0d17c560452
-
SHA1
9829e8264216726f69e731394c08354e74a3b1f8
-
SHA256
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb
-
SHA512
de066843392b0fb410269142732885bb0e5f7cba8b78023d126d9ef14433451a8baa96b90091b9819d57a9e4cffd9ac44d733af46a4f70f5a0cc476f20293132
-
SSDEEP
3072:Qy3XfbBI4++rye6iLf2zKUAOe4UKXqlc8Lm87wgZPyzOmem0Oa9G8Y3:FXzin6raUKXSL/hIOH/
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.click
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA
---END ID---
URLs
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Drops file in Program Files directory 59 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BD6FB29-189E-4F99-9F99-651A72FEBF02}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BD6FB29-189E-4F99-9F99-651A72FEBF02}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D818798-4B47-458C-8916-CBECAE43B4FB}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D818798-4B47-458C-8916-CBECAE43B4FB}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB337A5-A97C-4E3B-A953-6F743F6A68A9}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB337A5-A97C-4E3B-A953-6F743F6A68A9}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6477892D-EC9E-4CBF-B454-FA61DC46F5FA}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6477892D-EC9E-4CBF-B454-FA61DC46F5FA}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56351986-B650-4647-8784-B3B760645DA4}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56351986-B650-4647-8784-B3B760645DA4}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2265C065-B6B0-4775-9799-36B9FEE32622}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2265C065-B6B0-4775-9799-36B9FEE32622}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FABF953-9C39-45E5-BBE9-8EA6C9C47AFC}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FABF953-9C39-45E5-BBE9-8EA6C9C47AFC}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8B936CD8-A865-4FAC-8D84-CBCB07B701E1}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8B936CD8-A865-4FAC-8D84-CBCB07B701E1}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6309368E-BFB6-486E-98FD-95DB63CF8CCD}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6309368E-BFB6-486E-98FD-95DB63CF8CCD}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C86CD55D-C4A7-41EE-9996-50648480DCD1}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C86CD55D-C4A7-41EE-9996-50648480DCD1}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1EC04A3-70A5-446C-82A7-F72478B1F67F}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1EC04A3-70A5-446C-82A7-F72478B1F67F}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0EA2D8B-0324-4D6B-B67E-47501DE36B0D}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0EA2D8B-0324-4D6B-B67E-47501DE36B0D}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF511B92-0D8F-4A7D-8D02-DBF4F564E117}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF511B92-0D8F-4A7D-8D02-DBF4F564E117}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49B72978-0008-434A-B917-90D3B1C2A77E}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49B72978-0008-434A-B917-90D3B1C2A77E}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9990C9-A884-4636-9E67-9D57557C520F}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9990C9-A884-4636-9E67-9D57557C520F}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BDBC865F-CD95-469C-87CB-A93B7E42F6FC}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BDBC865F-CD95-469C-87CB-A93B7E42F6FC}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2239B57-C45C-479E-80DD-8AD930A4200B}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2239B57-C45C-479E-80DD-8AD930A4200B}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2ECE20AD-81EF-4472-98D5-76CDE183AA48}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2ECE20AD-81EF-4472-98D5-76CDE183AA48}'" delete3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 15922⤵
- Program crash
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5306b84b6dfba111b3e824d86804998f1
SHA17c1cb91fc2b13ca9b6e96407e12e9811a245eab1
SHA2563d1d151274bffd401a292c2d6a9c165a757d60e9910e0a04b13ab2feb2655854
SHA512a0313e4a392aeeb17271d007eea708d19e598525f9a78a6c2aa1fb4485ca7b54686c4c0f87b41606729f1d42ee4419f5e25e56aaeddb887fd5f7e57ed200ea0b