Resubmissions

03-03-2021 11:53

210303-jg1rqnnv7a 10

03-03-2021 11:35

210303-3hqbhblvcn 10

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • Sample

    210303-jg1rqnnv7a

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key. You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
******************************????????!******************************
??? ???? ????? ??????????? STEEL Ransomware! ??? ?????????? ???????????? ???????? ????????? ??????????. ?? ?????? ???????????? ????????? ?????:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????, ?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ?? ??????????????. ???????? ??????? ?????????? ????????????. ???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ????? ???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ??????? ???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????- ??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??. ????????! ????? 7 ???? ???? ????? ???????! ??? ???????????? ??????
1)????????? ? ???? ????? e-mail X_coded@protonmail.com
2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ???
3)????????? ??? ????, ????????????? ? ????? ????? ?????????.
4)???????? ?????????-?????????? ? ????
5)??????????? ???? ?????
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
m7uF2wMnEjZPWZk77en5lFKHnG8KBKeyUEWu+GtXV78SwEe8zRQuZTzzUdMTqqzo
E2I6x+m2H7qwwjjz0jgLsosvd4/NCsHkiFvUlBolGNVljggix9dsPP9pXtoHSGCA
ZCl0l/uBXuWxKWoWbwg5Ng6jP2B7Px1HaNxnXrI5X/YDqN+YamL4soTKtxV+HXa0
g4DOIIBnaNx6btQx/9+lu4GAEcxnhnkb3eB5s1t3gpBcvgnz6FDItM0Pz7evQDPL
qUQJLJDtSofdkF5xfCEDSTDpxnhWf31R9WODWL7zNFi/njGEaslO13tuvj1OiDRM
MCUf5o0FB5W5U5eXxB7fBw==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key. You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
******************************????????!******************************
??? ???? ????? ??????????? STEEL Ransomware! ??? ?????????? ???????????? ???????? ????????? ??????????. ?? ?????? ???????????? ????????? ?????:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????, ?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ?? ??????????????. ???????? ??????? ?????????? ????????????. ???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ????? ???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ??????? ???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????- ??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??. ????????! ????? 7 ???? ???? ????? ???????! ??? ???????????? ??????
1)????????? ? ???? ????? e-mail X_coded@protonmail.com
2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ???
3)????????? ??? ????, ????????????? ? ????? ????? ?????????.
4)???????? ?????????-?????????? ? ????
5)??????????? ???? ?????
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
upzR+qIO3HME59GNFVElEGa8a9PBXEGejw42BTx5ztuRBUt4gBOTz8meGktshinw
5SMyIWq9p4Jy2Q8CP5jBSSlh5osQpL2OVrGxXjzibbZnKdbaJB1yZ3gyii3wkijX
ru9CDIGVWfcyLnwDbvD3l05iVci2wC4tod6TB3oozbF/L2Y+uU/GHrRk/wIAupFD
7BIgyFrZm81PP2zQEq5tYRxoHcAY2HOkfvtLQcE+haqA8m3ZqKNmFwePU+zNdDDq
iGEcD0QeajZpFOv8m+okJsIn4PJlZuBCroOUQa1TLUOjERbQYrmCJ5a3Z8qHdHYM
oMdWjpfhe83hCxCQYwTkkQ==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com

Targets

    • Target

      KMSAuto Net.exe

    • Size

      2.1MB

    • MD5

      26d067caae83528460ed322ae8cf7ab9

    • SHA1

      470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

    • SHA256

      564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

    • SHA512

      7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

    Score
    10/10
    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Tasks