Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 17:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe
-
Size
515KB
-
MD5
b9c56e7c05c5861cecbc3d99bf056c6a
-
SHA1
1306b87b4ffbe513e19225d0bf5719f5f078e077
-
SHA256
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e
-
SHA512
846666b9c0dc106931e7cbca61d759bc75aac5083bed636b8f00a9d2649c2f0d428515fd0d38e8f9d5879994681c97ce7c7d56031e0e821702240f4a6f54a96a
-
SSDEEP
3072:HzyJa/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKO0+5Wk:HzymEBc2jMQsdJdBgHJ+/dB9rP2v+5R
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.xyz/
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
ec5sSORrGN3JYtjUtK7QvDv7ZtnFwgcUnCEmqJITc9YfyoAPydlyCoE1FHyB8wCq
---END ID---
URLs
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.xyz/
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exedescription ioc Process File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\License.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Mozilla Firefox\postSigningData 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files (x86)\Reference Assemblies\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\RepairStart.tif 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\VideoLAN\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files (x86)\Adobe\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\HideUse.M2V 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\History.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Crashpad\metadata 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\SyncInvoke.xsl 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files (x86)\Internet Explorer\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\mng.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Crashpad\settings.dat 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\RegisterRemove.pdf 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\Internet Explorer\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\JoinOptimize.pub 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\HideRemove.tmp 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files (x86)\Google\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\RemoveBlock.mp4v 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\RequestSave.emz 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\Reference Assemblies\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\io.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\ProtectConvert.wav 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\SaveSync.crw 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\Crashpad\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\RemoveDismount.ico 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File created C:\Program Files\dotnet\readme.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\MountPing.xsl 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\UninstallCompare.rmi 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\descript.ion 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exepid Process 1912 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe 1912 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
vssvc.exeWMIC.exedescription pid Process Token: SeBackupPrivilege 1560 vssvc.exe Token: SeRestorePrivilege 1560 vssvc.exe Token: SeAuditPrivilege 1560 vssvc.exe Token: SeIncreaseQuotaPrivilege 4860 WMIC.exe Token: SeSecurityPrivilege 4860 WMIC.exe Token: SeTakeOwnershipPrivilege 4860 WMIC.exe Token: SeLoadDriverPrivilege 4860 WMIC.exe Token: SeSystemProfilePrivilege 4860 WMIC.exe Token: SeSystemtimePrivilege 4860 WMIC.exe Token: SeProfSingleProcessPrivilege 4860 WMIC.exe Token: SeIncBasePriorityPrivilege 4860 WMIC.exe Token: SeCreatePagefilePrivilege 4860 WMIC.exe Token: SeBackupPrivilege 4860 WMIC.exe Token: SeRestorePrivilege 4860 WMIC.exe Token: SeShutdownPrivilege 4860 WMIC.exe Token: SeDebugPrivilege 4860 WMIC.exe Token: SeSystemEnvironmentPrivilege 4860 WMIC.exe Token: SeRemoteShutdownPrivilege 4860 WMIC.exe Token: SeUndockPrivilege 4860 WMIC.exe Token: SeManageVolumePrivilege 4860 WMIC.exe Token: 33 4860 WMIC.exe Token: 34 4860 WMIC.exe Token: 35 4860 WMIC.exe Token: 36 4860 WMIC.exe Token: SeIncreaseQuotaPrivilege 4860 WMIC.exe Token: SeSecurityPrivilege 4860 WMIC.exe Token: SeTakeOwnershipPrivilege 4860 WMIC.exe Token: SeLoadDriverPrivilege 4860 WMIC.exe Token: SeSystemProfilePrivilege 4860 WMIC.exe Token: SeSystemtimePrivilege 4860 WMIC.exe Token: SeProfSingleProcessPrivilege 4860 WMIC.exe Token: SeIncBasePriorityPrivilege 4860 WMIC.exe Token: SeCreatePagefilePrivilege 4860 WMIC.exe Token: SeBackupPrivilege 4860 WMIC.exe Token: SeRestorePrivilege 4860 WMIC.exe Token: SeShutdownPrivilege 4860 WMIC.exe Token: SeDebugPrivilege 4860 WMIC.exe Token: SeSystemEnvironmentPrivilege 4860 WMIC.exe Token: SeRemoteShutdownPrivilege 4860 WMIC.exe Token: SeUndockPrivilege 4860 WMIC.exe Token: SeManageVolumePrivilege 4860 WMIC.exe Token: 33 4860 WMIC.exe Token: 34 4860 WMIC.exe Token: 35 4860 WMIC.exe Token: 36 4860 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.execmd.exedescription pid Process procid_target PID 1912 wrote to memory of 4864 1912 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe 86 PID 1912 wrote to memory of 4864 1912 132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe 86 PID 4864 wrote to memory of 4860 4864 cmd.exe 88 PID 4864 wrote to memory of 4860 4864 cmd.exe 88 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe"C:\Users\Admin\AppData\Local\Temp\132f4e074a4739dfb574b8d32d3f9ddd70a1506dd76bae33ced3ed87d1f3695e.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BA175DB9-2CF3-48F1-A672-0E52F9673828}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BA175DB9-2CF3-48F1-A672-0E52F9673828}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d030c401512051cf275eb9d2b61f327e
SHA1eaf4022b5b6cd27b9e4a833d4863a3de6f65b819
SHA2567d6b2b2e67b72d46d10f8dbf0233bd3fa94ac11d839148e305d0190268ca6edb
SHA512e4d6864c785da9d703cc298b31f94887b914950fdb2ed635232e35baa6c4d8674fe8d327c1cde2808cbceb922136fcfe46d6591d6988125a09f414c2ec07df9d