Field | Value |
---|---|
ID | X0050 |
Aliases | None |
Platforms | Windows |
Year | 2019 |
Associated ATT&CK Software | Conti |
Conti is a Ransomware-as-a-Service (RaaS) malware.
See ATT&CK: Conti - Techniques Used.
Name | Use |
---|---|
Process Injection::Process Hollowing (E1055.012) | Conti creates a process in a suspended state and unmaps or removes the PE image layout from a given process space. [1] |
Name | Use |
---|---|
Process::Create Process (C0017) | As a part of process hollowing, Conti creates a process in a suspended state. [1] |
Process::Resume Thread (C0054) | As part of process hollowing, Conti resumes the execution of the suspended process. [1] |
Process::Set Thread Context (C0072) | As part of process hollowing, Conti sets thread context. [1] |
Process::Unmap Section View (C0070) | As part of process hollowing, Conti unmaps a view of a section from the virtual address space of a subject process. [1] |
Process::Write Process Memory (C0071) | As part of process hollowing, Conti writes data to an area of memory in a specified process. [1] |
A partial attack flow for Conti Ransomware based on [1], which shows micro-behaviors associated with Conti's Process Injection::Process Hollowing (E1055.012) behavior.
[1] https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis/