Resubmissions

  • 03-03-2021 11:53  210303-jg1rqnnv7a  score 10

  • 03-03-2021 11:35  210303-3hqbhblvcn  score 10

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • Sample

    210303-3hqbhblvcn

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note

******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
jIgFJiJO2rEsYmb2jx4Lai+YULfjrckNUIzddiCO0iqCmulccws1ox1xIhEk6gYD
V0Es4+377cAogDzxcCSqQ8xIqh/CY2aZ5ST0IZEM2/G5c2m6BjSArL863Bh9CA1j
ot2z1K5b/FMimi5RA/y2pI7gy6qcquNrvOvnhpDqCglqRdR3glh+iixcdWKsl1KC
KFKWsP9tUY1qcXMqTTjCzYc5z8A6QaUBkTbb5RUpM5HIDwJzSLfjWRsgksjuZXvQ
1xHZTjNWnzED0nwZDnYFdW2TfKgPpFfekPv71sesLmq/uVMLw6deCcYz2apTq4lu
Xwe8Z5zTpLsT5qCop6qnJw==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note

******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
qGvdxrk0NfZTQqo+N7RthrLJt5PIyGXekaZmZiq0xze80vhef12VqF3fMCtGUWi3
meW+f2EowzfSVzNDubXad682rg41rROf1RqCu8wxVNdKI5fJkqGAaJbTctp/UHE1
ycaL/gUmnYTUdsUigJa0Ih2IOmvW9nTMaRy1VseluAZ5kdBZOCZQVnelAJl2lou2
AayDpheBOhoEN+Q0obNOVy4tMJq9bSwuEcBuWt98u6WahP4XjYBih9ZjUtCl5v9S
ENeth+yvYb4gCVmz+1oWaZuPhjLxhykzFQkMSMWODrHYZ1osR2fLiFtcsuAhwfeZ
D1BiK/iFBykFYUawEI4Tew==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com

Targets

    • Target

      KMSAuto Net.exe

    • Size

      2.1MB

    • MD5

      26d067caae83528460ed322ae8cf7ab9

    • SHA1

      470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

    • SHA256

      564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

    • SHA512

      7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

    Score
    10/10

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Tasks