Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows10-2004-x64
3Ransomware...KB.exe
windows7-x64
7Ransomware...KB.exe
windows10-2004-x64
3Ransomware...KB.exe
windows10-ltsc_2021-x64
3Ransomware...KB.exe
windows11-21h2-x64
3Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Resubmissions
25/03/2025, 15:11
250325-skmbpsxzaw 1025/03/2025, 15:06
250325-sg1d6a1px2 1025/03/2025, 15:01
250325-sd5jpsxyct 1025/03/2025, 14:56
250325-sbdcfaxxgs 1025/03/2025, 14:50
250325-r7ve6a1nv3 1025/03/2025, 14:46
250325-r5ab7sxwhx 1025/03/2025, 14:40
250325-r2c9paxwe1 1005/02/2025, 10:25
250205-mgcefaslhw 1005/02/2025, 10:17
250205-mbs51atmbk 1005/02/2025, 09:15
250205-k785zs1pfn 10Analysis
-
max time kernel
103s -
max time network
105s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/03/2025, 14:50
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral3
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral5
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win11-20250314-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral10
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win11-20250314-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win11-20250314-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral13
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral15
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win11-20250314-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win11-20250313-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral25
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win11-20250314-en
windows11-21h2-x64
Behavioral task
behavioral26
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral27
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10ltsc2021-20250314-en
windows10-ltsc_2021-x64
Behavioral task
behavioral30
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win11-20250313-en
windows11-21h2-x64
General
-
Target
RansomwareSamples/Conti_22_12_2020_186KB.exe
-
Size
185KB
-
MD5
7076f9674bc42536d1e0e2ca80d1e4f6
-
SHA1
854485ee63e5a399fffe150f04cd038d6a5490ef
-
SHA256
ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124
-
SHA512
71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a
-
SSDEEP
3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr
Malware Config
Extracted
C:\Program Files\R3ADM3.txt
conti
http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion
https://contirecovery.info
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Conti family
-
Renames multiple (8999) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt Conti_22_12_2020_186KB.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 30 IoCs
description ioc Process File opened for modification C:\Program Files\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Links\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Music\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Music\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Videos\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Documents\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Public\Libraries\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Conti_22_12_2020_186KB.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini Conti_22_12_2020_186KB.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-2x.png Conti_22_12_2020_186KB.exe File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Internet Explorer\SIGNUP\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\AdSelectionAttestationsPreloaded\R3ADM3.txt Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\selector.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Scan_visual.svg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\sq.pak.DATA Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Trust Protection Lists\Mu\LICENSE.DATA Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js Conti_22_12_2020_186KB.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\af.pak Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\sv.pak Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg Conti_22_12_2020_186KB.exe File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\R3ADM3.txt Conti_22_12_2020_186KB.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms Conti_22_12_2020_186KB.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\R3ADM3.txt Conti_22_12_2020_186KB.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conti_22_12_2020_186KB.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe 5320 Conti_22_12_2020_186KB.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 1896 vssvc.exe Token: SeRestorePrivilege 1896 vssvc.exe Token: SeAuditPrivilege 1896 vssvc.exe Token: SeIncreaseQuotaPrivilege 1940 WMIC.exe Token: SeSecurityPrivilege 1940 WMIC.exe Token: SeTakeOwnershipPrivilege 1940 WMIC.exe Token: SeLoadDriverPrivilege 1940 WMIC.exe Token: SeSystemProfilePrivilege 1940 WMIC.exe Token: SeSystemtimePrivilege 1940 WMIC.exe Token: SeProfSingleProcessPrivilege 1940 WMIC.exe Token: SeIncBasePriorityPrivilege 1940 WMIC.exe Token: SeCreatePagefilePrivilege 1940 WMIC.exe Token: SeBackupPrivilege 1940 WMIC.exe Token: SeRestorePrivilege 1940 WMIC.exe Token: SeShutdownPrivilege 1940 WMIC.exe Token: SeDebugPrivilege 1940 WMIC.exe Token: SeSystemEnvironmentPrivilege 1940 WMIC.exe Token: SeRemoteShutdownPrivilege 1940 WMIC.exe Token: SeUndockPrivilege 1940 WMIC.exe Token: SeManageVolumePrivilege 1940 WMIC.exe Token: 33 1940 WMIC.exe Token: 34 1940 WMIC.exe Token: 35 1940 WMIC.exe Token: 36 1940 WMIC.exe Token: SeIncreaseQuotaPrivilege 1940 WMIC.exe Token: SeSecurityPrivilege 1940 WMIC.exe Token: SeTakeOwnershipPrivilege 1940 WMIC.exe Token: SeLoadDriverPrivilege 1940 WMIC.exe Token: SeSystemProfilePrivilege 1940 WMIC.exe Token: SeSystemtimePrivilege 1940 WMIC.exe Token: SeProfSingleProcessPrivilege 1940 WMIC.exe Token: SeIncBasePriorityPrivilege 1940 WMIC.exe Token: SeCreatePagefilePrivilege 1940 WMIC.exe Token: SeBackupPrivilege 1940 WMIC.exe Token: SeRestorePrivilege 1940 WMIC.exe Token: SeShutdownPrivilege 1940 WMIC.exe Token: SeDebugPrivilege 1940 WMIC.exe Token: SeSystemEnvironmentPrivilege 1940 WMIC.exe Token: SeRemoteShutdownPrivilege 1940 WMIC.exe Token: SeUndockPrivilege 1940 WMIC.exe Token: SeManageVolumePrivilege 1940 WMIC.exe Token: 33 1940 WMIC.exe Token: 34 1940 WMIC.exe Token: 35 1940 WMIC.exe Token: 36 1940 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 5320 wrote to memory of 1328 5320 Conti_22_12_2020_186KB.exe 81 PID 5320 wrote to memory of 1328 5320 Conti_22_12_2020_186KB.exe 81 PID 1328 wrote to memory of 1940 1328 cmd.exe 83 PID 1328 wrote to memory of 1940 1328 cmd.exe 83 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exeC:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe bcdedit /set shutdown /r /f /t 21⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5320 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5A2D6F3-A191-4477-9ED4-72E3AB55572A}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5A2D6F3-A191-4477-9ED4-72E3AB55572A}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
846B
MD5e6f001fc98cb51a0429ca5dc95f6a950
SHA116a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA51211e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c