564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

General

Target

KMSAuto Net.exe
Size

2.1MB
MD5

26d067caae83528460ed322ae8cf7ab9
SHA1

470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
SHA256

564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
SHA512

7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note

******************************ATTENTION!****************************** All your important files have been encrypted by STEEL Ransomware! For encryption we use reliable algorithms! You can read more here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. It means that your files are not damaged, but modified. The reverse process is called decryption. We use strong algorithms so it impossible to crack key. You can easily restore all your files. We guarantee that all your files will be successfully decrypted after paying. We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files. Warning! After 7 days price will be doubled! How to decrypt files ? 1) Contact us via email [email protected] 2) Pay $350 on our monero wallet (we will send you wallet address) 3) Send your personal key to our email (It's located at the end of this document) 4) Get decryption key and program 5) Decrypt all your files ******************************????????!****************************** ??? ???? ????? ??????????? STEEL Ransomware! ??? ?????????? ???????????? ???????? ????????? ??????????. ?? ?????? ???????????? ????????? ?????: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard ???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????, ?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ?? ??????????????. ???????? ??????? ?????????? ????????????. ???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ????? ???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ??????? ???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????- ??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??. ????????! ????? 7 ???? ???? ????? ???????! ??? ???????????? ?????? 1)????????? ? ???? ????? e-mail [email protected] 2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ??? 3)????????? ??? ????, ????????????? ? ????? ????? ?????????. 4)???????? ?????????-?????????? ? ???? 5)??????????? ???? ????? YOUR PERSONAL KEY HERE: ----------BEGIN STEEL KEY---------- qGvdxrk0NfZTQqo+N7RthrLJt5PIyGXekaZmZiq0xze80vhef12VqF3fMCtGUWi3 meW+f2EowzfSVzNDubXad682rg41rROf1RqCu8wxVNdKI5fJkqGAaJbTctp/UHE1 ycaL/gUmnYTUdsUigJa0Ih2IOmvW9nTMaRy1VseluAZ5kdBZOCZQVnelAJl2lou2 AayDpheBOhoEN+Q0obNOVy4tMJq9bSwuEcBuWt98u6WahP4XjYBih9ZjUtCl5v9S ENeth+yvYb4gCVmz+1oWaZuPhjLxhykzFQkMSMWODrHYZ1osR2fLiFtcsuAhwfeZ D1BiK/iFBykFYUawEI4Tew== ----------END STEEL KEY----------

Emails

[email protected]

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3380	SWEfghd678hfjbbhbGFrca.exe
3140	loader.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\StopEnter.tiff.f56eMbr8CAJ	loader.exe
File created	C:\Users\Admin\Pictures\FormatUse.tif.f56eMbr8CAJ	loader.exe
File created	C:\Users\Admin\Pictures\ProtectTrace.png.f56eMbr8CAJ	loader.exe
File created	C:\Users\Admin\Pictures\SetSave.tiff.f56eMbr8CAJ	loader.exe

Loads dropped DLL 1 IoCs

pid	Process
3140	loader.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	loader.exe
File opened (read-only)	\??\B:	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1136	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	loader.exe
3140	loader.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3380	3920	KMSAuto Net.exe	75
PID 3920 wrote to memory of 3380	3920	KMSAuto Net.exe	75
PID 3920 wrote to memory of 3380	3920	KMSAuto Net.exe	75
PID 3920 wrote to memory of 3824	3920	KMSAuto Net.exe	76
PID 3920 wrote to memory of 3824	3920	KMSAuto Net.exe	76
PID 3920 wrote to memory of 3824	3920	KMSAuto Net.exe	76
PID 3380 wrote to memory of 3140	3380	SWEfghd678hfjbbhbGFrca.exe	78
PID 3380 wrote to memory of 3140	3380	SWEfghd678hfjbbhbGFrca.exe	78
PID 3380 wrote to memory of 3140	3380	SWEfghd678hfjbbhbGFrca.exe	78

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
  "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
  2⤵
  PID:3824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-168-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/3140-13-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3140-15-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3140-14-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/3140-16-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/3140-212-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/3140-215-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/3920-2-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads