Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 17:01
Static task: static1
Behavioral task: behavioral1
Sample: 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Resource: win7-20240903-en
Behavioral task: behavioral2 (the run reported on this page)
Sample: 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Resource: win10v2004-20240802-en
General
Target: 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Size: 514KB
MD5: 3d8f8da9897e81121c83d0d17c560452
SHA1: 9829e8264216726f69e731394c08354e74a3b1f8
SHA256: 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb
SHA512: de066843392b0fb410269142732885bb0e5f7cba8b78023d126d9ef14433451a8baa96b90091b9819d57a9e4cffd9ac44d733af46a4f70f5a0cc476f20293132
SSDEEP: 3072:Qy3XfbBI4++rye6iLf2zKUAOe4UKXqlc8Lm87wgZPyzOmem0Oa9G8Y3:FXzin6raUKXSL/hIOH/
Malware Config
Extracted from: C:\ProgramData\readme.txt
Family: conti
URLs:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
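The two contact URLs above are the actionable output of the ransom note. The following added example (written for this report, not the sandbox's own config extractor) pulls URLs out of note text and checks that each .onion host is a structurally valid v3 hidden-service address, i.e. a 56-character base32 label whose embedded SHA3-256 checksum and version byte are correct per the Tor rend-spec-v3 layout. The note wording below is constructed; only the two URLs come from the report.

```python
"""Extract contact URLs from a ransom note and validate v3 .onion hosts.

Added example, not code from the sandbox. Constructed note text; the two
URLs are the ones recovered from C:\\ProgramData\\readme.txt in the report.
"""
import base64
import hashlib
import re

# Constructed note; real Conti note wording is not on this page.
NOTE = """Your network has been encrypted.
To reach the recovery service open this address in the Tor browser:
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
If Tor is unavailable use the mirror:
https://contirecovery.click
"""

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+", re.I)
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}$")


def onion_v3_fields(address: str):
    """Decode a v3 label into (pubkey, checksum, version); None if malformed."""
    label = address.lower().removesuffix(".onion")
    if not ONION_V3_RE.match(label):
        return None
    raw = base64.b32decode(label.upper())  # 56 base32 chars -> 35 bytes
    return raw[:32], raw[32:34], raw[34]


def expected_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def is_valid_onion_v3(address: str) -> bool:
    """True only if length, alphabet, version byte and checksum all agree."""
    fields = onion_v3_fields(address)
    if fields is None:
        return False
    pubkey, checksum, version = fields
    return version == 3 and checksum == expected_checksum(pubkey, version)


def make_onion_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte ed25519 public key (used for self-test)."""
    raw = pubkey + expected_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode().lower() + ".onion"


def extract_contacts(note: str) -> dict:
    """Split URLs in the note into valid onion, clearnet and malformed onion."""
    out = {"onion": [], "clearnet": [], "invalid_onion": []}
    for url in URL_RE.findall(note):
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
        if host.endswith(".onion"):
            bucket = "onion" if is_valid_onion_v3(host) else "invalid_onion"
            out[bucket].append(url)
        else:
            out["clearnet"].append(url)
    return out


if __name__ == "__main__":
    for bucket, urls in extract_contacts(NOTE).items():
        print(bucket, urls)
```

A checksum that verifies only proves the string is a well-formed address, not that the service is reachable; a failing checksum usually means a transcription error in whatever report the IOC was copied from, which is worth knowing before the address goes onto a blocklist. The clearnet mirror is the part that can actually be sinkholed or blocked at the DNS layer.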
Signatures
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
Renames multiple (52) files with added filename extension
This is consistent with ransomware encrypting files across the system: each encrypted file is written back under a new extension.
Drops file in Program Files directory (52 IoCs)
Process for every entry: 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
description                    ioc
File opened for modification   C:\Program Files\CloseMove.rar
File opened for modification   C:\Program Files\UseConvertTo.wma
File created                   C:\Program Files (x86)\readme.txt
File created                   C:\Program Files\Google\readme.txt
File opened for modification   C:\Program Files\Mozilla Firefox\omni.ja
File opened for modification   C:\Program Files\SendResume.m4a
File opened for modification   C:\Program Files\WaitMeasure.jpg
File opened for modification   C:\Program Files\Microsoft Office\AppXManifest.xml
File opened for modification   C:\Program Files\StartOptimize.vssm
File opened for modification   C:\Program Files\7-Zip\7-zip.chm
File opened for modification   C:\Program Files\dotnet\ThirdPartyNotices.txt
File opened for modification   C:\Program Files\GroupDismount.docx
File opened for modification   C:\Program Files\RevokeWatch.DVR-MS
File opened for modification   C:\Program Files\7-Zip\7z.sfx
File opened for modification   C:\Program Files\7-Zip\7zCon.sfx
File created                   C:\Program Files\Java\readme.txt
File opened for modification   C:\Program Files\Microsoft Office\FileSystemMetadata.xml
File opened for modification   C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml
File opened for modification   C:\Program Files\7-Zip\descript.ion
File opened for modification   C:\Program Files\Mozilla Firefox\installation_telemetry.json
File opened for modification   C:\Program Files\ConvertUninstall.txt
File opened for modification   C:\Program Files\ReadUpdate.dotm
File opened for modification   C:\Program Files\7-Zip\License.txt
File opened for modification   C:\Program Files\ResumeConvertTo.pps
File created                   C:\Program Files\Internet Explorer\readme.txt
File opened for modification   C:\Program Files\Mozilla Firefox\firefox.cfg
File opened for modification   C:\Program Files\TraceUnpublish.m3u
File opened for modification   C:\Program Files\Crashpad\settings.dat
File created                   C:\Program Files\Mozilla Firefox\readme.txt
File opened for modification   C:\Program Files\Mozilla Firefox\install.log
File created                   C:\Program Files\readme.txt
File opened for modification   C:\Program Files\ReadStop.mpeg
File opened for modification   C:\Program Files\ResizeSubmit.ex_
File opened for modification   C:\Program Files\UnlockSend.mpeg
File opened for modification   C:\Program Files\Crashpad\metadata
File opened for modification   C:\Program Files\SaveInvoke.js
File opened for modification   C:\Program Files\7-Zip\readme.txt
File opened for modification   C:\Program Files\NewInvoke.3gpp
File opened for modification   C:\Program Files\7-Zip\History.txt
File created                   C:\Program Files\Microsoft Office 15\readme.txt
File opened for modification   C:\Program Files\ExportInstall.png
File opened for modification   C:\Program Files\ImportFormat.htm
File opened for modification   C:\Program Files\UnpublishJoin.wps
File created                   C:\Program Files\Common Files\readme.txt
File opened for modification   C:\Program Files\dotnet\LICENSE.txt
File opened for modification   C:\Program Files\Microsoft Office\ThinAppXManifest.xml
File opened for modification   C:\Program Files\Mozilla Firefox\dependentlibs.list
File opened for modification   C:\Program Files\InvokeDebug.rar
File created                   C:\Program Files\dotnet\readme.txt
File created                   C:\Program Files\Microsoft Office\readme.txt
File opened for modification   C:\Program Files\GetRedo.dwfx
File created                   C:\Program Files\Crashpad\readme.txt
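Two patterns in that table are what a file-activity rule should key on: the same note filename (readme.txt) being created in one directory after another, and one process rewriting files of many unrelated extensions across several directories. The following added example (not the sandbox's rule logic) scores both over a subset of the IoCs above plus a constructed benign updater, to show why the directory spread matters: an updater also rewrites several files, but inside one tree and with few extensions. Thresholds are assumptions for illustration.

```python
"""Score per-process file activity for ransomware-style fan-out.

Added example for this report, not sandbox code. FILE_EVENTS is a subset
of the report's "Drops file in Program Files directory" IoCs plus a
constructed updater.exe as a benign control.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"

# (description, path, process): first block copied from the report's table,
# last three constructed to represent a legitimate in-place update.
FILE_EVENTS = [
    ("File opened for modification", r"C:\Program Files\CloseMove.rar", SAMPLE),
    ("File opened for modification", r"C:\Program Files\UseConvertTo.wma", SAMPLE),
    ("File created", r"C:\Program Files (x86)\readme.txt", SAMPLE),
    ("File created", r"C:\Program Files\Google\readme.txt", SAMPLE),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\omni.ja", SAMPLE),
    ("File opened for modification", r"C:\Program Files\SendResume.m4a", SAMPLE),
    ("File opened for modification", r"C:\Program Files\WaitMeasure.jpg", SAMPLE),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\AppXManifest.xml", SAMPLE),
    ("File opened for modification", r"C:\Program Files\7-Zip\7-zip.chm", SAMPLE),
    ("File opened for modification", r"C:\Program Files\GroupDismount.docx", SAMPLE),
    ("File created", r"C:\Program Files\Java\readme.txt", SAMPLE),
    ("File created", r"C:\Program Files\Internet Explorer\readme.txt", SAMPLE),
    ("File created", r"C:\Program Files\Mozilla Firefox\readme.txt", SAMPLE),
    ("File created", r"C:\Program Files\readme.txt", SAMPLE),
    ("File opened for modification", r"C:\Program Files\SaveInvoke.js", SAMPLE),
    ("File opened for modification", r"C:\Program Files\ExportInstall.png", SAMPLE),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\omni.ja", "updater.exe"),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\firefox.cfg", "updater.exe"),
    ("File created", r"C:\Program Files\Mozilla Firefox\update.log", "updater.exe"),
]

# Assumed thresholds; tune against your own baseline of installer activity.
NOTE_DIR_THRESHOLD = 5   # same filename created in at least this many directories
EXT_THRESHOLD = 8        # distinct extensions rewritten by one process
DIR_THRESHOLD = 3        # spread over at least this many directories


def profile(events):
    """Aggregate per process: note-name -> dirs created in, extensions and dirs modified."""
    created = defaultdict(lambda: defaultdict(set))
    modified_ext = defaultdict(set)
    modified_dir = defaultdict(set)
    for desc, path, proc in events:
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        if desc == "File created":
            created[proc][p.name.lower()].add(parent)
        elif desc == "File opened for modification":
            modified_ext[proc].add(p.suffix.lower())
            modified_dir[proc].add(parent)
    return created, modified_ext, modified_dir


def score(events):
    """Return {process: findings} for every process tripping either heuristic."""
    created, modified_ext, modified_dir = profile(events)
    findings = {}
    for proc in set(created) | set(modified_ext):
        notes = {name: len(dirs) for name, dirs in created[proc].items()
                 if len(dirs) >= NOTE_DIR_THRESHOLD}
        spread = (len(modified_ext[proc]) >= EXT_THRESHOLD
                  and len(modified_dir[proc]) >= DIR_THRESHOLD)
        if notes or spread:
            findings[proc] = {
                "ransom_note_candidates": notes,
                "distinct_extensions_modified": len(modified_ext[proc]),
                "directories_modified": len(modified_dir[proc]),
                "mass_modification": spread,
            }
    return findings


if __name__ == "__main__":
    for proc, f in score(FILE_EVENTS).items():
        print(proc, f)
```

The note heuristic counts creations only. The table shows why: C:\Program Files\7-Zip\readme.txt, a file 7-Zip ships, is opened for modification rather than created, because the encryptor treats a pre-existing file with the note's name as just another file to encrypt.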
Program crash (1 IoC)
pid: 4544, pid_target: 3048, Process: WerFault.exe, procid_target: 91
The crashed process is the sample itself (PID 3048), so this run may have ended before encryption completed.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3048, 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe (two occurrences)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
vssvc.exe (PID 1140) adjusted: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 2444) adjusted the following set, twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The bare numbers are privilege LUIDs the sandbox does not map to names: 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege. WMIC.exe adjusting its entire privilege set is normal start-up behaviour for that binary and shows up in any WMIC invocation; the signal in this run is the shadowcopy delete command line, not the token adjustment.
Suspicious use of WriteProcessMemory (4 IoCs)
PID 3048 (75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe) wrote to memory of 3336 (cmd.exe), procid_target 96, two occurrences
PID 3336 (cmd.exe) wrote to memory of 2444 (WMIC.exe), procid_target 98, two occurrences
Both pairs are parent-to-child writes at process creation (the sample launching cmd.exe, cmd.exe launching WMIC.exe), not injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here vssvc.exe (PID 1140) starts and adjusts SeBackupPrivilege/SeRestorePrivilege, consistent with servicing the WMIC shadowcopy delete request in the process tree. Note that the deletion targets a single shadow copy by GUID through WMIC rather than using vssadmin delete shadows /all, so a detection keyed only on vssadmin misses it; match on shadowcopy together with delete in WMIC command lines as well.
Processes
C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe (PID 3048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe (PID 3336)
      Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA4F2488-C812-4D6A-99DF-8A006EE3F21F}'" delete
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\wbem\WMIC.exe (PID 2444)
          Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA4F2488-C812-4D6A-99DF-8A006EE3F21F}'" delete
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 4544)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 2032
      - Program crash
C:\Windows\system32\vssvc.exe (PID 1140)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 2972)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 712)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
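The sample -> cmd.exe -> WMIC.exe chain is the part of this tree worth turning into a rule. The following added example (written for this report, not sandbox code) replays constructed process-creation records carrying the exact command lines and PIDs shown above, flags shadow-copy removal in its wmic, vssadmin and PowerShell/WMI forms, and reports the parent chain so the alert names the process that started it. The parent PID 4000 for the sample, the benign vssadmin entry and the PowerShell entry are assumptions added for the demonstration.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example for this report, not sandbox code. EVENTS mirrors the
report's process tree (PIDs and command lines as shown) with constructed
extras: the sample's parent PID 4000, a benign vssadmin listing, and a
PowerShell Win32_ShadowCopy deletion.
"""
import re
from dataclasses import dataclass

# Each pattern is one removal idiom; case-insensitive, path-agnostic.
SHADOW_DELETE_PATTERNS = [
    # wmic shadowcopy delete / wmic shadowcopy where "ID='{...}'" delete (this report)
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # vssadmin delete shadows /all /quiet
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # vssadmin resize shadowstorage ... /maxsize= (evicts copies instead of deleting)
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    # Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
    re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I),
]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"
WMIC_CMD = r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA4F2488-C812-4D6A-99DF-8A006EE3F21F}'" delete'''


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(3048, 4000, SAMPLE, f'"{SAMPLE}"'),                       # ppid 4000 assumed
    ProcEvent(3336, 3048, r"C:\Windows\SYSTEM32\cmd.exe", "cmd.exe /c " + WMIC_CMD),
    ProcEvent(2444, 3336, r"C:\Windows\System32\wbem\WMIC.exe", WMIC_CMD),
    ProcEvent(5100, 4000, r"C:\Windows\System32\vssadmin.exe",           # constructed, benign
              "vssadmin list shadows"),
    ProcEvent(5200, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # constructed
              "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
]


def matches_shadow_delete(cmdline: str) -> bool:
    """True if the command line uses any known shadow-copy removal idiom."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def ancestry(events, pid, max_depth=8):
    """Follow ppid links; returns [image, parent image, ...] up to the root we know."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(e.image.rsplit("\\", 1)[-1])
        pid = e.ppid
    return chain


def detect(events):
    """One alert per process whose command line removes shadow copies."""
    return [
        {"pid": e.pid, "chain": " <- ".join(ancestry(events, e.pid)), "cmdline": e.cmdline}
        for e in events
        if matches_shadow_delete(e.cmdline)
    ]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["chain"])
        print("   ", alert["cmdline"])
```

Both cmd.exe (3336) and WMIC.exe (2444) fire because the cmd.exe wrapper carries the WMIC command line verbatim; keeping both is deliberate, since some telemetry only records the wrapper. The chain string is what lets a responder see at a glance that a freshly dropped executable in a user's Temp directory, not an administrator's shell, initiated the deletion.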
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 306b84b6dfba111b3e824d86804998f1
SHA1: 7c1cb91fc2b13ca9b6e96407e12e9811a245eab1
SHA256: 3d1d151274bffd401a292c2d6a9c165a757d60e9910e0a04b13ab2feb2655854
SHA512: a0313e4a392aeeb17271d007eea708d19e598525f9a78a6c2aa1fb4485ca7b54686c4c0f87b41606729f1d42ee4419f5e25e56aaeddb887fd5f7e57ed200ea0b