# Conti
December 21, 2023
| Field | Value |
|---|---|
| ID | X0050 |
| Type | Ransomware |
| Aliases | None |
| Platforms | Windows |
| Year | 2019 |
| Associated ATT&CK Software | Conti |
Conti is a Ransomware-as-a-Service (RaaS) malware.
## ATT&CK Techniques
See ATT&CK: Conti - Techniques Used.
## Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Process Injection::Process Hollowing (E1055.012) | Conti creates a process in a suspended state and unmaps or removes the PE image layout from a given process space. [1] |
## MBC Behaviors
| Name | Use |
|---|---|
| Process::Create Process (C0017) | As a part of process hollowing, Conti creates a process in a suspended state. [1] |
| Process::Resume Thread (C0054) | As part of process hollowing, Conti resumes the execution of the suspended process. [1] |
| Process::Set Thread Context (C0072) | As part of process hollowing, Conti sets thread context. [1] |
| Process::Unmap Section View (C0070) | As part of process hollowing, Conti unmaps a view of a section from the virtual address space of a subject process. [1] |
| Process::Write Process Memory (C0071) | As part of process hollowing, Conti writes data to an area of memory in a specified process. [1] |
## Attack Flow

A partial attack flow for Conti ransomware based on [1], showing the micro-behaviors associated with Conti's Process Injection::Process Hollowing (E1055.012) behavior.

## References
[1] https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/