Conti Ransomware

Tactical report of Conti Ransomware


Identification:

Vendor       Detection
TrendMicro   Ransom.Win32.CONTI.D
Microsoft    Ransom:Win32/Conti.SW!MSR
Symantec     Ransom.Conti


The following table lists the artifact analyzed in this document.

PE timestamp:   2020/06/04 Thu 00:02:10 UTC
MD5:            B7B5E1253710D8927CBE07D52D2D2E10
Size in bytes:  101.00 KB (103424 bytes)
File name:      contuer.exe
Description:    Ransomware



Summary

Conti is ransomware that encrypts local and network files using the AES algorithm and appends the extension ".CONTI" to each encrypted file. It disables important services such as antivirus services, SQL services and backup services before encrypting. Conti ransomware was discovered by the Carbon Black Threat Analysis Unit (TAU).


Technical analysis:

Persistence

It creates a mutex named _CONTI_ to ensure that only one instance of the ransomware is running, as shown in figure (1); if the mutex cannot be created, it exits immediately, as shown in figure (2).

Figure (1)

It searches for resource 0x101, gets its size, loads it into memory and locks it, as shown in figure (3). The resource contains the ransomware's message to the victim, delivered once the network has been locked, as shown in figure (4).

Figure (3)

Figure (4)


If the resource cannot be found, it releases the mutex and exits, as shown in figure (5).

Figure (5)

It creates a thread that generates the AES-256 encryption key used to encrypt local and network files, as shown in figure (6).


Figure (6)



It uses the CreateIoCompletionPort API to speed up encryption by running it through an I/O completion port, called with the parameters shown in figure (7).


Figure (7)


It determines the number of drives on the machine before starting encryption, as shown in figure (8).


Figure (8)


It starts encrypting the drives with the randomly generated AES key, as shown in figure (9). It appends the extension ".CONTI" to each encrypted file and creates a new file named CONTI_README.txt in the directory of each encrypted file, as shown in figure (10).


Figure (9)



Figure (10)


Figure (11)


It enumerates network resources for encryption, as shown in figure (12).


Figure (12)



Important commands

It executes the commands listed in the table below (entries without a leading net/net1 appear as extracted from the sample).

Commands                              Purpose
vssadmin Delete Shadows /all /quiet   Delete volume shadow copies
net stop MSSQL$SQLEXPRESS             Stop SQL service
stop avp service                      Stop Kaspersky service
net stop ESHASRV /y                   Stop ESET Endpoint Security service
net1 stop ekrn /y                     Stop ESET Endpoint Security service
net1 stop EhttpSrv /y                 Stop ESET Endpoint Security service
stop "SQL Backups" /y                 Stop SQL Backups service
net stop Smcinst /y                   Stop Symantec Endpoint Protection service
stop SAVService /y                    Stop Sophos Endpoint Protection service
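To turn the command table above into detection logic, the following added example (not code from the report) classifies process-creation command lines against the shadow-copy deletion and the service stops listed there, tolerating net/net1, paths, quotes and letter case. The sample events are constructed and are not from the analyzed sample.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon-style CommandLine values),
# not taken from the report. The first three mirror commands in the table above.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"pid": 4122, "cmdline": "net1 stop ekrn /y"},
    {"pid": 4124, "cmdline": 'net stop "SQL Backups" /y'},
    {"pid": 4130, "cmdline": "net stop Spooler"},       # routine admin action
    {"pid": 4133, "cmdline": "vssadmin list shadows"},  # read-only, not flagged
]

# Services the report shows Conti stopping: AV, SQL and backup services.
WATCHED_SERVICES = {
    "mssql$sqlexpress": "SQL Server", "avp": "Kaspersky", "eshasrv": "ESET",
    "ekrn": "ESET", "ehttpsrv": "ESET", "sql backups": "SQL Backups",
    "smcinst": "Symantec Endpoint Protection", "savservice": "Sophos",
}


def classify(cmdline: str) -> Optional[str]:
    """Return a finding label for one command line, or None if it looks benign."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps "SQL Backups" as one token
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    # Normalise the executable: strip any path and .exe, compare case-insensitively.
    exe = argv[0].lower().rsplit("\\", 1)[-1].replace(".exe", "")
    args = [a.strip('"').lower() for a in argv[1:]]
    if exe == "vssadmin" and args[:2] == ["delete", "shadows"]:
        return "shadow copy deletion (vssadmin Delete Shadows)"
    # Conti uses both net and net1; either form of "stop <service>" counts.
    if exe in ("net", "net1") and len(args) >= 2 and args[0] == "stop":
        svc = args[1]
        if svc in WATCHED_SERVICES:
            return f"stopping {WATCHED_SERVICES[svc]} service ({svc})"
    return None


def scan(events: List[Dict]) -> List[Dict]:
    """Run classify() over process events and return only the flagged ones."""
    findings = []
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            findings.append({"pid": ev["pid"], "finding": label})
    return findings
```

Feeding real Sysmon Event ID 1 command lines into scan() gives a simple triage signal; a shadow-copy deletion followed by several AV/backup service stops within seconds is the pattern the table describes.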





If you want to learn malware analysis you can check my YouTube channel; I'm trying to publish analyses of malware and some methods for analysing malware.
Please don't forget to subscribe to my channel. Thank you ♥
YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

Malware Analyst : Mahmoud El Menshawy
Contact me : mahmoudmorsy372@gmail.com
