Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
09-09-2024 16:00
Static task
static1
Behavioral task
behavioral1
Sample
19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll
Resource
win10v2004-20240802-en
General
-
Target
19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll
-
Size
510KB
-
MD5
760992a7845d46bf001c18a945f5894c
-
SHA1
3ba9b53bffb29f4c6f0cce90fca953d31b101542
-
SHA256
19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4
-
SHA512
601b3621be17768be4f8dd4b6a943f6822ba8b6db981d88e112c7cbe5f91bb1493c10b1fdb543e16077ef08e433102eb6390985a29282f621e6fc20f3f766614
-
SSDEEP
3072:1Qkg5cAzJkv06HGaVpiehqpGDYwAM/cNfK89j8Qa34oYrxxt:1EcuVqTATicDNxrxb
Malware Config
Extracted
C:\Program Files (x86)\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.ws
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copy of, a web browser credential store.
-
Renames multiple (8008) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops desktop.ini file(s) 46 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ALUNAOYI\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GGQPDAP3\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\488LG1SI\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | regsvr32.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WO2S841R\desktop.ini | regsvr32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | regsvr32.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG | regsvr32.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19563_.GIF | regsvr32.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSL.ICO | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF | regsvr32.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | regsvr32.exe
File created | C:\Program Files (x86)\Common Files\System\ado\de-DE\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SUBMIT.JS | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal | regsvr32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.REST.IDX_DLL | regsvr32.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10336_.GIF | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF | regsvr32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01158_.WMF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF | regsvr32.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera | regsvr32.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UNT | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF | regsvr32.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Origin.eftx | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml | regsvr32.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | regsvr32.exe
File created | C:\Program Files\Microsoft Games\Hearts\de-DE\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00443_.WMF | regsvr32.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\readme.txt | regsvr32.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\readme.txt | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF | regsvr32.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar | regsvr32.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF | regsvr32.exe
-
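The three file-activity signatures above (8008 renames with an added extension, readme.txt created across Program Files, desktop.ini rewritten in dozens of folders) are what a behavioural rule keys on. The script below is an added example, not part of the sandbox report or any vendor's tooling: it groups sandbox-style file events per PID and flags a process that exceeds per-behaviour thresholds. The event schema, the thresholds and the appended extension ".abcde" in the sample data are assumptions; the report does not state which extension this sample appends.

```python
"""Ransomware file-activity heuristics over constructed sandbox-style file
events. Added example; event schema, thresholds and the ".abcde" placeholder
extension are assumptions, not values taken from the report."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    op: str                          # "modify", "create" or "rename"
    path: str                        # Windows path as logged by the sandbox
    new_path: Optional[str] = None   # target name for "rename" events


def appended_suffix(old: str, new: str) -> Optional[str]:
    """Return the extension that was appended if `new` is exactly `old` plus
    one extra ".ext" component, else None. Moves to another directory or
    renames that change the stem do not count as 'added extension'."""
    if not new.startswith(old):
        return None
    extra = new[len(old):]
    if len(extra) < 2 or not extra.startswith(".") or "\\" in extra:
        return None
    return extra


def analyse(events, rename_threshold=50, note_name="readme.txt",
            note_dir_threshold=10, desktop_ini_threshold=10):
    """Group events by PID and return findings as dicts (pid, process, reason)."""
    renames = defaultdict(Counter)   # pid -> appended suffix -> count
    note_dirs = defaultdict(set)     # pid -> directories that received a note
    ini_dirs = defaultdict(set)      # pid -> directories whose desktop.ini was touched
    image = {}
    for ev in events:
        image[ev.pid] = ev.process
        p = PureWindowsPath(ev.path)
        name, parent = p.name.lower(), str(p.parent)
        if ev.op == "rename" and ev.new_path:
            suffix = appended_suffix(ev.path, ev.new_path)
            if suffix:
                renames[ev.pid][suffix] += 1
        elif ev.op == "create" and name == note_name:
            note_dirs[ev.pid].add(parent)
        elif ev.op == "modify" and name == "desktop.ini":
            ini_dirs[ev.pid].add(parent)

    findings = []
    for pid in sorted(image):
        for suffix, n in renames[pid].items():
            if n >= rename_threshold:
                findings.append({"pid": pid, "process": image[pid],
                                 "reason": f"{n} files renamed with added extension {suffix}"})
        if len(note_dirs[pid]) >= note_dir_threshold:
            findings.append({"pid": pid, "process": image[pid],
                             "reason": f"{note_name} dropped in {len(note_dirs[pid])} directories"})
        if len(ini_dirs[pid]) >= desktop_ini_threshold:
            findings.append({"pid": pid, "process": image[pid],
                             "reason": f"desktop.ini modified in {len(ini_dirs[pid])} directories"})
    return findings


def sample_events():
    """Constructed events shaped like the report: PID 548 regsvr32.exe renames
    60 files by appending ".abcde" (placeholder), drops readme.txt in 12
    directories and rewrites desktop.ini in 11; PID 1000 is benign noise."""
    ev = []
    for i in range(60):
        p = f"C:\\Users\\Admin\\Documents\\doc{i}.docx"
        ev.append(FileEvent(548, "regsvr32.exe", "rename", p, p + ".abcde"))
    for i in range(12):
        ev.append(FileEvent(548, "regsvr32.exe", "create", f"C:\\Program Files\\App{i}\\readme.txt"))
    for i in range(11):
        ev.append(FileEvent(548, "regsvr32.exe", "modify", f"C:\\Users\\Admin\\Folder{i}\\desktop.ini"))
    for i in range(3):  # an editor keeping .bak copies is below every threshold
        p = f"C:\\Users\\Admin\\Desktop\\notes{i}.txt"
        ev.append(FileEvent(1000, "notepad.exe", "rename", p, p + ".bak"))
    ev.append(FileEvent(1000, "notepad.exe", "create", "C:\\Users\\Admin\\Desktop\\readme.txt"))
    return ev


if __name__ == "__main__":
    for f in analyse(sample_events()):
        print(f["pid"], f["process"], f["reason"])
```

The rename rule counts per appended suffix rather than per file so that a single encryptor extension stands out even when the sample renames files of many original types; the thresholds are deliberately low for a sandbox run and would be raised on a production endpoint.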
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
548 | regsvr32.exe (the same entry is listed 64 times)
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1604 wrote to memory of 548 | 1604 | regsvr32.exe | 28 (the same entry is listed 7 times)
Processes
-
C:\Windows\system32\regsvr32.exe (tree depth 1)
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\regsvr32.exe (tree depth 2, child of PID 1604)
Command line: /s C:\Users\Admin\AppData\Local\Temp\19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:548
-
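The process tree shows the 64-bit C:\Windows\system32\regsvr32.exe (PID 1604) re-launching the 32-bit C:\Windows\SysWOW64\regsvr32.exe (PID 548) with the same /s argument, which is what regsvr32 does when handed a 32-bit DLL on 64-bit Windows; the WriteProcessMemory entries from 1604 into 548 are consistent with the parent setting up that child at launch rather than injecting into an unrelated process. All of the encryption activity is then attributed to PID 548. The check below is an added example, not part of the report or of any vendor's tooling: it walks process-creation records, extracts the module regsvr32 was asked to register, and flags a load when the DLL sits under a user's Temp directory or when the WoW64 hop from the 64-bit to the 32-bit regsvr32 is present. The event fields are an assumption modelled on Sysmon-style process-creation data, and the explorer.exe parent and the benign vendor.dll registration in the sample data are constructed.

```python
"""Process-lineage check for the regsvr32 chain in the tree above. Added
example; event fields are assumed (pid, ppid, image, cmdline), and the
explorer.exe parent and vendor.dll case are constructed, not from the report."""
import re
from dataclasses import dataclass
from typing import Optional

# Last argument that looks like a DLL/OCX path, quoted or not.
DLL_RE = re.compile(r'(?i)"?([a-z]:\\[^"]+?\.(?:dll|ocx))"?\s*$')
# Per-user Temp directory, the drop location used in this report.
USER_TEMP_RE = re.compile(r'(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\')
SYS64 = r"c:\windows\system32\regsvr32.exe"
WOW64 = r"c:\windows\syswow64\regsvr32.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def dll_argument(cmdline: str) -> Optional[str]:
    """Extract the module path regsvr32 was asked to register, or None."""
    m = DLL_RE.search(cmdline)
    return m.group(1) if m else None


def is_silent(cmdline: str) -> bool:
    """True if the /s (silent, no dialog) switch is present as its own token."""
    return re.search(r'(?i)(^|\s)[/-]s(\s|$)', cmdline) is not None


def is_user_temp(path: str) -> bool:
    return USER_TEMP_RE.match(path) is not None


def find_regsvr32_loads(events):
    """Return findings for regsvr32 processes whose DLL comes from a user Temp
    directory or that were re-launched by the 64-bit regsvr32 (the WoW64 hop
    seen as PID 1604 -> 548). A lone /s switch is not enough on its own:
    installers use it legitimately, so it only adds context."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\regsvr32.exe"):
            continue
        dll = dll_argument(e.cmdline)
        if dll is None:
            continue
        reasons = []
        if is_silent(e.cmdline):
            reasons.append("silent /s registration")
        if is_user_temp(dll):
            reasons.append("DLL under user Temp")
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == SYS64 and e.image.lower() == WOW64:
            reasons.append(f"WoW64 re-launch from 64-bit regsvr32 (parent PID {parent.pid})")
        if any(r.startswith(("DLL under", "WoW64")) for r in reasons):
            findings.append({"pid": e.pid, "dll": dll, "reasons": reasons})
    return findings


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\19054042f099955c1a9672d87cf43275e48d0797a39f11dc8aad7e35233186b4.dll")


def sample_process_events():
    """Constructed events mirroring the report's tree, plus one benign case."""
    return [
        ProcEvent(1200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed launcher
        ProcEvent(1604, 1200, r"C:\Windows\system32\regsvr32.exe", f"regsvr32 /s {DLL}"),
        ProcEvent(548, 1604, r"C:\Windows\SysWOW64\regsvr32.exe", f"/s {DLL}"),
        # Benign: an installer registering its own component from Program Files.
        ProcEvent(2000, 1200, r"C:\Windows\system32\regsvr32.exe",
                  r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'),
    ]


if __name__ == "__main__":
    for f in find_regsvr32_loads(sample_process_events()):
        print(f["pid"], f["dll"], "; ".join(f["reasons"]))
```

Because the child keeps the full DLL path on its command line, the rule fires on both PIDs; correlating on the DLL path then lets an analyst attribute the file activity recorded under PID 548 back to the original regsvr32 invocation.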
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 cc018ffba18aff631ff9554af7c09546
SHA1 6e779cbf40a8cef2045ea1bf67c9b6730b94c66e
SHA256 b1921403f7abde8d1d4485ce03ed3807a81517aec915e64ef3e5640cfece219c
SHA512 87f9309d34058ec0ac9c357d1b336b094556996fcebc9729820fe2c41f0413fde1995aab91f479c8228aa2bd0cb8ea5988ff3c61e74be3a7786f3a89511f82d8