Summary | ZeroBOX

sample2-22c.exe

Tags: UPX, Malicious Library, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6401
Started: Nov. 17, 2021, 5:22 p.m.
Completed: Nov. 17, 2021, 5:24 p.m.
Size 195.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f5dab510fcdeda1d81e0ece63e302e75
SHA256 97469cb72db2b734861a1a7d27b2f90275b304ea87e5664cdfd75f2f4591922c
CRC32 6945B68A
ssdeep 3072:6a/EBc2jrORnQssIJZYKcgtHhGk528yJKY8/d7epmB98g89QP2EKOebWk:7EBc2jMQsdJdBgHJ+/dB9rP2hR
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API Calls (Time & API / Arguments / Status / Return / Repeated)

GetComputerNameW
Arguments: computer_name: TEST22-PC
Status: 1  Return: 1  Repeated: 0

Description: sample2-22c.exe tried to sleep 361 seconds, actually delayed analysis time by 361 seconds

NtWriteFile
Arguments:
  buffer: All of your files are currently encrypted by CONTI strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- Cs75p7DrFSPZ501MD5T6cQoibKxxO5GObAE6lQDGBzqb9gk6Ei0l4Mf2JWcIahw3 ---END ID---
  offset: 0
  file_handle: 0x00000608
  filepath: C:\readme.txt
Status: 1  Return: 0  Repeated: 0
Antivirus (Vendor / Result)

Elastic malicious (high confidence)
DrWeb Trojan.MulDrop18.10095
MicroWorld-eScan Trojan.GenericKD.47002141
FireEye Generic.mg.f5dab510fcdeda1d
ALYac Trojan.Ransom.Conti
Cylance Unsafe
Zillya Trojan.Crypmod.Win32.1428
K7AntiVirus Trojan ( 0057b6f81 )
Alibaba Ransom:Win32/generic.ali2000010
K7GW Trojan ( 0057b6f81 )
Cybereason malicious.0fcded
BitDefenderTheta AI:Packer.BD8C3EC31F
Cyren W32/Ransom.PT.gen!Eldorado
Symantec Ransom.Conti
ESET-NOD32 a variant of Win32/Filecoder.Conti.R
Paloalto generic.ml
Kaspersky HEUR:Trojan-Ransom.Win32.Crypmod.gen
BitDefender Trojan.GenericKD.47002141
NANO-Antivirus Virus.Win32.Gen.ccmw
Avast Win32:Conti-B [Ransom]
Tencent Malware.Win32.Gencirc.10cee345
Ad-Aware Trojan.GenericKD.47002141
Emsisoft Trojan.GenericKD.47002141 (B)
Comodo Malware@#2nljf6prrwjvp
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.Win32.CONTI.SMYXBBU
McAfee-GW-Edition GenericRXPQ-CI!F5DAB510FCDE
SentinelOne Static AI - Malicious PE
Sophos Mal/Generic-R + Troj/Ransom-GKE
Ikarus Trojan-Ransom.Conti
Jiangmin Trojan.Crypmod.abv
Webroot W32.Ransom.Conti
Avira TR/AD.ContiRansom.tqnoe
Antiy-AVL Trojan/Generic.ASMalwS.348680D
Microsoft Ransom:Win32/Conti.MAK!MTB
Gridinsoft Ransom.Win32.AI.oa!s1
GData Trojan.GenericKD.47002141
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R441766
McAfee GenericRXPQ-CI!F5DAB510FCDE
VBA32 BScope.Trojan.Winlock.9121
Malwarebytes Malware.AI.4000793926
APEX Malicious
Rising Ransom.Conti!1.D637 (CLASSIC)
Yandex Trojan.Filecoder!W9HMgCYt39g
MAX malware (ai score=87)
eGambit Unsafe.AI_Score_97%
Fortinet W32/Conti.F!tr.ransom
AVG Win32:Conti-B [Ransom]
Panda Trj/GdSda.A
dead_host: 192.168.56.101:49162
dead_host: 192.168.56.1:445