Analysis
-
max time kernel
93s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe
-
Size
514KB
-
MD5
3d8f8da9897e81121c83d0d17c560452
-
SHA1
9829e8264216726f69e731394c08354e74a3b1f8
-
SHA256
75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb
-
SHA512
de066843392b0fb410269142732885bb0e5f7cba8b78023d126d9ef14433451a8baa96b90091b9819d57a9e4cffd9ac44d733af46a4f70f5a0cc476f20293132
-
SSDEEP
3072:Qy3XfbBI4++rye6iLf2zKUAOe4UKXqlc8Lm87wgZPyzOmem0Oa9G8Y3:FXzin6raUKXSL/hIOH/
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.click
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
lWL5aqUDwBJQsqHmM6OkU1yOTGOiNHcCdTAyuj6A1xKUIz98qMCGpifNoPeYSXBA
---END ID---
URLs
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 52 IoCs
description ioc Process File opened for modification C:\Program Files\HideInstall.vdw 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\TestTrace.wvx 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Crashpad\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\dotnet\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Microsoft Office 15\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ConvertToClose.ocx 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\UnregisterHide.vssm 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Java\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Microsoft Office\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\MergeConvertFrom.css 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\7z.sfx 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\History.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\License.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Microsoft Office\ThinAppXManifest.xml 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\AssertResize.ps1 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ExpandGet.dot 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ConvertRead.aif 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\MountMeasure.jpe 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\MoveTrace.vsdm 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Google\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ConvertUse.php 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ProtectAssert.3gp2 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\DebugMeasure.ex_ 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\DisconnectTrace.rar 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\JoinDeny.xls 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\descript.ion 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\install.log 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Common Files\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\DisconnectInvoke.wav 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\ExpandSet.ods 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Internet Explorer\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\DenyUnlock.fon 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\RegisterUse.xls 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\7-Zip\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Crashpad\metadata 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Mozilla Firefox\omni.ja 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\StepRegister.m4v 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files (x86)\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\dotnet\ThirdPartyNotices.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File created C:\Program Files\Mozilla Firefox\readme.txt 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\RedoWait.xps 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe File opened for modification C:\Program Files\Crashpad\settings.dat 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3964 2452 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2452 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe 2452 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 4156 vssvc.exe Token: SeRestorePrivilege 4156 vssvc.exe Token: SeAuditPrivilege 4156 vssvc.exe Token: SeIncreaseQuotaPrivilege 880 WMIC.exe Token: SeSecurityPrivilege 880 WMIC.exe Token: SeTakeOwnershipPrivilege 880 WMIC.exe Token: SeLoadDriverPrivilege 880 WMIC.exe Token: SeSystemProfilePrivilege 880 WMIC.exe Token: SeSystemtimePrivilege 880 WMIC.exe Token: SeProfSingleProcessPrivilege 880 WMIC.exe Token: SeIncBasePriorityPrivilege 880 WMIC.exe Token: SeCreatePagefilePrivilege 880 WMIC.exe Token: SeBackupPrivilege 880 WMIC.exe Token: SeRestorePrivilege 880 WMIC.exe Token: SeShutdownPrivilege 880 WMIC.exe Token: SeDebugPrivilege 880 WMIC.exe Token: SeSystemEnvironmentPrivilege 880 WMIC.exe Token: SeRemoteShutdownPrivilege 880 WMIC.exe Token: SeUndockPrivilege 880 WMIC.exe Token: SeManageVolumePrivilege 880 WMIC.exe Token: 33 880 WMIC.exe Token: 34 880 WMIC.exe Token: 35 880 WMIC.exe Token: 36 880 WMIC.exe Token: SeIncreaseQuotaPrivilege 880 WMIC.exe Token: SeSecurityPrivilege 880 WMIC.exe Token: SeTakeOwnershipPrivilege 880 WMIC.exe Token: SeLoadDriverPrivilege 880 WMIC.exe Token: SeSystemProfilePrivilege 880 WMIC.exe Token: SeSystemtimePrivilege 880 WMIC.exe Token: SeProfSingleProcessPrivilege 880 WMIC.exe Token: SeIncBasePriorityPrivilege 880 WMIC.exe Token: SeCreatePagefilePrivilege 880 WMIC.exe Token: SeBackupPrivilege 880 WMIC.exe Token: SeRestorePrivilege 880 WMIC.exe Token: SeShutdownPrivilege 880 WMIC.exe Token: SeDebugPrivilege 880 WMIC.exe Token: SeSystemEnvironmentPrivilege 880 WMIC.exe Token: SeRemoteShutdownPrivilege 880 WMIC.exe Token: SeUndockPrivilege 880 WMIC.exe Token: SeManageVolumePrivilege 880 WMIC.exe Token: 33 880 WMIC.exe Token: 34 880 WMIC.exe Token: 35 880 WMIC.exe Token: 36 880 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2452 wrote to memory of 4832 2452 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe 88 PID 2452 wrote to memory of 4832 2452 75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe 88 PID 4832 wrote to memory of 880 4832 cmd.exe 90 PID 4832 wrote to memory of 880 4832 cmd.exe 90 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"C:\Users\Admin\AppData\Local\Temp\75684493a91c2b71fc7446d4a949eac03d26e7fc68ed9a19e3b3374fe4806dfb.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{760999F1-55EB-47DC-A1E2-9E60D81C5DB3}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{760999F1-55EB-47DC-A1E2-9E60D81C5DB3}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 20322⤵
- Program crash
PID:3964
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2452 -ip 24521⤵PID:2844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5306b84b6dfba111b3e824d86804998f1
SHA17c1cb91fc2b13ca9b6e96407e12e9811a245eab1
SHA2563d1d151274bffd401a292c2d6a9c165a757d60e9910e0a04b13ab2feb2655854
SHA512a0313e4a392aeeb17271d007eea708d19e598525f9a78a6c2aa1fb4485ca7b54686c4c0f87b41606729f1d42ee4419f5e25e56aaeddb887fd5f7e57ed200ea0b