Resubmissions

03-03-2021 11:53

210303-jg1rqnnv7a 10

03-03-2021 11:35

210303-3hqbhblvcn 10

Analysis

  • max time kernel
    150s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-03-2021 11:35

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
******************************????????!****************************** ??? ???? ????? ??????????? STEEL Ransomware! ??? ?????????? ???????????? ???????? ????????? ??????????. ?? ?????? ???????????? ????????? ?????: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard ???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????, ?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ?? ??????????????. ???????? ??????? ?????????? ????????????. ???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ????? ???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ??????? ???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????- ??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??. ????????! ????? 7 ???? ???? ????? ???????! ??? ???????????? ??????
1)????????? ? ???? ????? e-mail X_coded@protonmail.com 2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ??? 3)????????? ??? ????, ????????????? ? ????? ????? ?????????. 4)???????? ?????????-?????????? ? ???? 5)??????????? ???? ?????
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
jIgFJiJO2rEsYmb2jx4Lai+YULfjrckNUIzddiCO0iqCmulccws1ox1xIhEk6gYD
V0Es4+377cAogDzxcCSqQ8xIqh/CY2aZ5ST0IZEM2/G5c2m6BjSArL863Bh9CA1j
ot2z1K5b/FMimi5RA/y2pI7gy6qcquNrvOvnhpDqCglqRdR3glh+iixcdWKsl1KC
KFKWsP9tUY1qcXMqTTjCzYc5z8A6QaUBkTbb5RUpM5HIDwJzSLfjWRsgksjuZXvQ
1xHZTjNWnzED0nwZDnYFdW2TfKgPpFfekPv71sesLmq/uVMLw6deCcYz2apTq4lu
Xwe8Z5zTpLsT5qCop6qnJw==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
      2⤵
        PID:788
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1072
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:272
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2
Downloads

      • C:\Users\Admin\AppData\Local\Temp\libeay32.dll
        MD5

        ec82afce1ecb9ea8083e366ba4676762

        SHA1

        49c610f556e1ff28759448181dc3cfb378429134

        SHA256

        a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1

        SHA512

        be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        MD5

        549e20cd5baca7c1b01209933b563e2a

        SHA1

        a27d9eeffd06e35ef75ca1a7157340c11d426dad

        SHA256

        b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c

        SHA512

        11be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218

      • C:\Users\Admin\AppData\Local\Temp\selfdstr.bat
        MD5

        988ec406a5c0022b37fd5a1d2b4edef9

        SHA1

        a29c6a34c03bb184ae133364f0f6d1cf45932036

        SHA256

        0ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85

        SHA512

        a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce

      • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
        MD5

        734ebe963716a9ba20ffb75dceff80ea

        SHA1

        8f98635aa27f50340ebd380ec4743855734f2a35

        SHA256

        55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf

        SHA512

        19fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a

      • C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
        MD5

        57b81ff3947a00e75ada61b035cfabe4

        SHA1

        ce3608d6334a45fa6328334a802fd07278712819

        SHA256

        947fdabf34cc08648850f006616166cd6561cced6304cdc207c0df1e0d41e113

        SHA512

        31a1061a61eeb2564560b9ae770e87f4f36a24a422abae2a1c057d6f5051c2e4de4b02fa80a427639e9f32e5eb53be138c69a8041e251a6017cacf4fadc2ff2e

      • \Users\Admin\AppData\Local\Temp\libeay32.dll
        MD5

        ec82afce1ecb9ea8083e366ba4676762

        SHA1

        49c610f556e1ff28759448181dc3cfb378429134

        SHA256

        a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1

        SHA512

        be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

      • \Users\Admin\AppData\Local\Temp\loader.exe
        MD5

        549e20cd5baca7c1b01209933b563e2a

        SHA1

        a27d9eeffd06e35ef75ca1a7157340c11d426dad

        SHA256

        b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c

        SHA512

        11be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218

      • \Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
        MD5

        734ebe963716a9ba20ffb75dceff80ea

        SHA1

        8f98635aa27f50340ebd380ec4743855734f2a35

        SHA256

        55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf

        SHA512

        19fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a

      • memory/788-8-0x0000000000000000-mapping.dmp
      • memory/1072-382-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
        Filesize

        8KB

      • memory/1620-385-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp
        Filesize

        2.5MB

      • memory/1640-4-0x0000000000000000-mapping.dmp
      • memory/1720-27-0x00000000034F0000-0x0000000003501000-memory.dmp
        Filesize

        68KB

      • memory/1720-23-0x00000000006BD000-0x00000000006BE000-memory.dmp
        Filesize

        4KB

      • memory/1720-24-0x00000000001D0000-0x00000000001D1000-memory.dmp
        Filesize

        4KB

      • memory/1720-25-0x00000000034F0000-0x0000000003501000-memory.dmp
        Filesize

        68KB

      • memory/1720-26-0x0000000003900000-0x0000000003911000-memory.dmp
        Filesize

        68KB

      • memory/1720-18-0x0000000000000000-mapping.dmp
      • memory/2028-13-0x00000000001C0000-0x00000000001C1000-memory.dmp
        Filesize

        4KB

      • memory/2028-12-0x00000000007C0000-0x00000000007C1000-memory.dmp
        Filesize

        4KB

      • memory/2028-2-0x0000000075C31000-0x0000000075C33000-memory.dmp
        Filesize

        8KB