conti | 45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
Size

515KB
MD5

336ea498bb074c39bd64c3ed12105a69
SHA1

ca3db1d10a092fb7b82acd344ec9b25dfcb58e6e
SHA256

45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53
SHA512

4709a61942005c1df62484aaf3ba55d97533325f7c934fbdca62565c0081c3c807ef29d7983eb91b5409ec2ecfb02ff73f614e4c948f77cfa65b76a34a5410ed
SSDEEP

3072:wzyJa/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKOJjWk:wzymEBc2jMQsdJdBgHJ+/dB9rP2UjR

Score

10^/10

conti discovery ransomware

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.xyz/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- 3E1hCSKyNKBvMOLagh7o4NWP6OEgobzNbxvAi5j7Fhn2e5XHbmjF95MOBU7NCbyG ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.xyz/

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Java\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\SplitDeny.mpa	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Microsoft Office\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\VideoLAN\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\RegisterEnter.ppt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\TestResolve.DVR-MS	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Microsoft Office 15\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\UnpublishShow.mhtml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Google\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\CloseOptimize.cmd	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\HideMeasure.emf	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\OpenRename.m4v	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\SuspendUpdate.au3	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\BlockInvoke.inf	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Crashpad\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files\Mozilla Firefox\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\PingShow.ico	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\InitializeComplete.xls	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\RestoreEdit.png	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\SyncSkip.ods	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Microsoft\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\readme.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4600	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
4600	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	1604	vssvc.exe
Token: SeRestorePrivilege	1604	vssvc.exe
Token: SeAuditPrivilege	1604	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1352	WMIC.exe
Token: SeSecurityPrivilege	1352	WMIC.exe
Token: SeTakeOwnershipPrivilege	1352	WMIC.exe
Token: SeLoadDriverPrivilege	1352	WMIC.exe
Token: SeSystemProfilePrivilege	1352	WMIC.exe
Token: SeSystemtimePrivilege	1352	WMIC.exe
Token: SeProfSingleProcessPrivilege	1352	WMIC.exe
Token: SeIncBasePriorityPrivilege	1352	WMIC.exe
Token: SeCreatePagefilePrivilege	1352	WMIC.exe
Token: SeBackupPrivilege	1352	WMIC.exe
Token: SeRestorePrivilege	1352	WMIC.exe
Token: SeShutdownPrivilege	1352	WMIC.exe
Token: SeDebugPrivilege	1352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1352	WMIC.exe
Token: SeRemoteShutdownPrivilege	1352	WMIC.exe
Token: SeUndockPrivilege	1352	WMIC.exe
Token: SeManageVolumePrivilege	1352	WMIC.exe
Token: 33	1352	WMIC.exe
Token: 34	1352	WMIC.exe
Token: 35	1352	WMIC.exe
Token: 36	1352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1352	WMIC.exe
Token: SeSecurityPrivilege	1352	WMIC.exe
Token: SeTakeOwnershipPrivilege	1352	WMIC.exe
Token: SeLoadDriverPrivilege	1352	WMIC.exe
Token: SeSystemProfilePrivilege	1352	WMIC.exe
Token: SeSystemtimePrivilege	1352	WMIC.exe
Token: SeProfSingleProcessPrivilege	1352	WMIC.exe
Token: SeIncBasePriorityPrivilege	1352	WMIC.exe
Token: SeCreatePagefilePrivilege	1352	WMIC.exe
Token: SeBackupPrivilege	1352	WMIC.exe
Token: SeRestorePrivilege	1352	WMIC.exe
Token: SeShutdownPrivilege	1352	WMIC.exe
Token: SeDebugPrivilege	1352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1352	WMIC.exe
Token: SeRemoteShutdownPrivilege	1352	WMIC.exe
Token: SeUndockPrivilege	1352	WMIC.exe
Token: SeManageVolumePrivilege	1352	WMIC.exe
Token: 33	1352	WMIC.exe
Token: 34	1352	WMIC.exe
Token: 35	1352	WMIC.exe
Token: 36	1352	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3340	4600	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	87
PID 4600 wrote to memory of 3340	4600	45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe	87
PID 3340 wrote to memory of 1352	3340	cmd.exe	89
PID 3340 wrote to memory of 1352	3340	cmd.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe
"C:\Users\Admin\AppData\Local\Temp\45eb2938a03741a1f75b9f193180c4d398b9ecec8e807d061174dc438c9d0f53.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B1C0B51-DF9F-4F59-949C-517E6288FE02}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9B1C0B51-DF9F-4F59-949C-517E6288FE02}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
72b95470eda8cc6ec169f6d81ccd795e

SHA1
75d4cb61136fc4ac3d99156f2d45422cd8fb3fc9

SHA256
5ebc94ed337175acb3845cb372849fd434b34eef6a80caa31e34093017ec0932

SHA512
25266e4d99b392a5a6fa68ef35fb271aa3c85b40d01efde859e24ca4f978cecccbb1d9eeffce5c98983fc80629ef145a688170b34f34937222b2c8aa69d1c7d8

Download Submit