Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

KMSAuto Net.exe

windows7_x64

10

KMSAuto Net.exe

windows10_x64

10

Resubmissions

03/03/2021, 11:53

210303-jg1rqnnv7a 10

03/03/2021, 11:35

210303-3hqbhblvcn 10

Analysis

  • max time kernel
    150s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03/03/2021, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!****************************** All your important files have been encrypted by STEEL Ransomware! For encryption we use reliable algorithms! You can read more here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. It means that your files are not damaged, but modified. The reverse process is called decryption. We use strong algorithms so it impossible to crack key. You can easily restore all your files. We guarantee that all your files will be successfully decrypted after paying. We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files. Warning! After 7 days price will be doubled! How to decrypt files ? 1) Contact us via email [email protected] 2) Pay $350 on our monero wallet (we will send you wallet address) 3) Send your personal key to our email (It's located at the end of this document) 4) Get decryption key and program 5) Decrypt all your files ******************************????????!****************************** ??? ???? ????? ??????????? STEEL Ransomware! ??? ?????????? ???????????? ???????? ????????? ??????????. ?? ?????? ???????????? ????????? ?????: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard ???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????, ?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ?? ??????????????. ???????? ??????? ?????????? ????????????. ???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ????? ???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ??????? ???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????- ??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??. ????????! ????? 7 ???? ???? ????? ???????! ??? ???????????? ?????? 1)????????? ? ???? ????? e-mail [email protected] 2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ??? 3)????????? ??? ????, ????????????? ? ????? ????? ?????????. 4)???????? ?????????-?????????? ? ???? 5)??????????? ???? ????? YOUR PERSONAL KEY HERE: ----------BEGIN STEEL KEY---------- jIgFJiJO2rEsYmb2jx4Lai+YULfjrckNUIzddiCO0iqCmulccws1ox1xIhEk6gYD V0Es4+377cAogDzxcCSqQ8xIqh/CY2aZ5ST0IZEM2/G5c2m6BjSArL863Bh9CA1j ot2z1K5b/FMimi5RA/y2pI7gy6qcquNrvOvnhpDqCglqRdR3glh+iixcdWKsl1KC KFKWsP9tUY1qcXMqTTjCzYc5z8A6QaUBkTbb5RUpM5HIDwJzSLfjWRsgksjuZXvQ 1xHZTjNWnzED0nwZDnYFdW2TfKgPpFfekPv71sesLmq/uVMLw6deCcYz2apTq4lu Xwe8Z5zTpLsT5qCop6qnJw== ----------END STEEL KEY----------

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
      2⤵
        PID:788
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1072
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:272
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:1788

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1072-382-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1620-385-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/1720-27-0x00000000034F0000-0x0000000003501000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1720-23-0x00000000006BD000-0x00000000006BE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1720-24-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1720-25-0x00000000034F0000-0x0000000003501000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1720-26-0x0000000003900000-0x0000000003911000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2028-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2028-12-0x00000000007C0000-0x00000000007C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2028-2-0x0000000075C31000-0x0000000075C33000-memory.dmp

        Filesize

        8KB

        Download