Analysis
-
max time kernel
150s -
max time network
23s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03-03-2021 11:35
Static task
static1
Behavioral task
behavioral1
Sample
KMSAuto Net.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
KMSAuto Net.exe
Resource
win10v20201028
General
-
Target
KMSAuto Net.exe
-
Size
2.1MB
-
MD5
26d067caae83528460ed322ae8cf7ab9
-
SHA1
470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
-
SHA256
564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
-
SHA512
7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81
Malware Config
Extracted
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
x_coded@protonmail.com
X_coded@protonmail.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
SWEfghd678hfjbbhbGFrca.exeloader.exepid process 1640 SWEfghd678hfjbbhbGFrca.exe 1720 loader.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
loader.exedescription ioc process File created C:\Users\Admin\Pictures\CompressStop.tif.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\RemoveStop.tiff.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\SetConvertFrom.raw.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\UninstallReceive.raw.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\WaitFind.tif.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\AddUnlock.tif.ySabA6ghnJp loader.exe File created C:\Users\Admin\Pictures\BackupInvoke.tiff.ySabA6ghnJp loader.exe -
Loads dropped DLL 6 IoCs
Processes:
KMSAuto Net.exeSWEfghd678hfjbbhbGFrca.exeloader.exepid process 2028 KMSAuto Net.exe 1640 SWEfghd678hfjbbhbGFrca.exe 1640 SWEfghd678hfjbbhbGFrca.exe 1640 SWEfghd678hfjbbhbGFrca.exe 1640 SWEfghd678hfjbbhbGFrca.exe 1720 loader.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
loader.exedescription ioc process File opened (read-only) \??\A: loader.exe File opened (read-only) \??\B: loader.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXEpid process 1788 NOTEPAD.EXE 272 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
loader.exepid process 1720 loader.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
KMSAuto Net.exeSWEfghd678hfjbbhbGFrca.exedescription pid process target process PID 2028 wrote to memory of 1640 2028 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 2028 wrote to memory of 1640 2028 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 2028 wrote to memory of 1640 2028 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 2028 wrote to memory of 1640 2028 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 2028 wrote to memory of 788 2028 KMSAuto Net.exe cmd.exe PID 2028 wrote to memory of 788 2028 KMSAuto Net.exe cmd.exe PID 2028 wrote to memory of 788 2028 KMSAuto Net.exe cmd.exe PID 2028 wrote to memory of 788 2028 KMSAuto Net.exe cmd.exe PID 1640 wrote to memory of 1720 1640 SWEfghd678hfjbbhbGFrca.exe loader.exe PID 1640 wrote to memory of 1720 1640 SWEfghd678hfjbbhbGFrca.exe loader.exe PID 1640 wrote to memory of 1720 1640 SWEfghd678hfjbbhbGFrca.exe loader.exe PID 1640 wrote to memory of 1720 1640 SWEfghd678hfjbbhbGFrca.exe loader.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "2⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\libeay32.dllMD5
ec82afce1ecb9ea8083e366ba4676762
SHA149c610f556e1ff28759448181dc3cfb378429134
SHA256a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1
SHA512be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de
-
C:\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
C:\Users\Admin\AppData\Local\Temp\selfdstr.batMD5
988ec406a5c0022b37fd5a1d2b4edef9
SHA1a29c6a34c03bb184ae133364f0f6d1cf45932036
SHA2560ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85
SHA512a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exeMD5
734ebe963716a9ba20ffb75dceff80ea
SHA18f98635aa27f50340ebd380ec4743855734f2a35
SHA25655388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
SHA51219fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exeMD5
734ebe963716a9ba20ffb75dceff80ea
SHA18f98635aa27f50340ebd380ec4743855734f2a35
SHA25655388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
SHA51219fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
-
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txtMD5
57b81ff3947a00e75ada61b035cfabe4
SHA1ce3608d6334a45fa6328334a802fd07278712819
SHA256947fdabf34cc08648850f006616166cd6561cced6304cdc207c0df1e0d41e113
SHA51231a1061a61eeb2564560b9ae770e87f4f36a24a422abae2a1c057d6f5051c2e4de4b02fa80a427639e9f32e5eb53be138c69a8041e251a6017cacf4fadc2ff2e
-
\Users\Admin\AppData\Local\Temp\libeay32.dllMD5
ec82afce1ecb9ea8083e366ba4676762
SHA149c610f556e1ff28759448181dc3cfb378429134
SHA256a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1
SHA512be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de
-
\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exeMD5
734ebe963716a9ba20ffb75dceff80ea
SHA18f98635aa27f50340ebd380ec4743855734f2a35
SHA25655388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
SHA51219fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
-
memory/788-8-0x0000000000000000-mapping.dmp
-
memory/1072-382-0x000007FEFC511000-0x000007FEFC513000-memory.dmpFilesize
8KB
-
memory/1620-385-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmpFilesize
2.5MB
-
memory/1640-4-0x0000000000000000-mapping.dmp
-
memory/1720-27-0x00000000034F0000-0x0000000003501000-memory.dmpFilesize
68KB
-
memory/1720-23-0x00000000006BD000-0x00000000006BE000-memory.dmpFilesize
4KB
-
memory/1720-24-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1720-25-0x00000000034F0000-0x0000000003501000-memory.dmpFilesize
68KB
-
memory/1720-26-0x0000000003900000-0x0000000003911000-memory.dmpFilesize
68KB
-
memory/1720-18-0x0000000000000000-mapping.dmp
-
memory/2028-13-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2028-12-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/2028-2-0x0000000075C31000-0x0000000075C33000-memory.dmpFilesize
8KB